How a new PlugX variant abuses DLL search order hijacking

NetmanageIT OpenCTI - opencti.netmanageit.com



SUMMARY :

A new campaign targeting telecommunications and manufacturing sectors in Central and South Asian countries has been discovered, delivering a new variant of PlugX. The campaign, active since 2022, shows overlaps between RainyDay and Turian backdoors, including the abuse of legitimate applications for DLL sideloading and shared encryption methods. The new PlugX variant's configuration format resembles that of RainyDay, suggesting attribution to Naikon. Analysis of victimology and technical implementation indicates a potential connection between Naikon and BackdoorDiplomacy, possibly sourcing tools from the same vendor. The malware families use similar infection chains, loaders, and shellcode structures, with shared RC4 keys for payload decryption. This campaign highlights the evolving tactics of Chinese-speaking threat actors and the potential collaboration between previously distinct groups.

OPENCTI LABELS :

apt,plugx,dll hijacking,rainyday,turian


AI COMMENTARY :

1. How a new PlugX variant abuses DLL search order hijacking
This report covers a campaign observed since 2022 that targets the telecommunications and manufacturing sectors in Central and South Asian countries. The operators deploy a new variant of the PlugX remote access trojan through DLL search order hijacking, in the specific form usually called DLL sideloading: a legitimate, typically signed executable is dropped together with a malicious DLL that carries the name of one of the executable's dependencies. The Windows loader resolves such imports by name and, for names not pinned by the KnownDLLs list, checks the application's own directory before the system directories, so the trusted process maps the attacker's library and runs its entry point. Because the host binary is genuine, the execution looks like trusted software to signature-based detection and to allow-listing that inspects only the executable.

2. Campaign Overview
The activity was tied to two other backdoor families, RainyDay and Turian, through overlaps in tradecraft: all three abuse legitimate applications for DLL sideloading and share encryption methods. The infection chain consists of a legitimate application, a malicious loader DLL placed beside it, and an encrypted payload that the loader decrypts and executes in memory; the loaders and shellcode used across the three families are structurally similar.

3. Technical Implementation
The new PlugX variant uses a configuration format nearly identical to RainyDay's, which points to code reuse or a common development source. The chain starts with a benign host binary executed next to a malicious DLL placed in the same directory. When the loader resolves the binary's import and maps the attacker's DLL instead of the intended one, the DLL's entry point runs inside the trusted process; it decrypts the next stage with RC4 and executes the resulting shellcode, which loads the backdoor. The RC4 keys used for payload decryption are shared across the PlugX, RainyDay and Turian chains, and the loaders and shellcode share structure, which is what lets analysts link samples from the different families.
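The shared RC4 keys are the most actionable overlap for an analyst: a key recovered from one family's loader can be tried against an unknown blob from another. The script below is an added example, not code from the report or from any of the malware families; it implements RC4, a plausibility check for a decrypted stage (a PE header), and a key-reuse search. The key, the candidate key list and the "payload" are constructed for the demonstration and are not indicators from the report.

```python
# Added example (not from the report): RC4 decryption and a key-reuse check.
# The page states that the PlugX, RainyDay and Turian loaders decrypt their
# payloads with shared RC4 keys; this shows how an analyst turns that into a
# pivot by trying a set of known keys against an unknown encrypted blob.
# The key and the "payload" below are constructed for the demo, not real IOCs.
from typing import Iterable, Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so one call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(plain: bytes) -> bool:
    """Plausibility check for a decrypted stage: DOS 'MZ' header whose
    e_lfanew points at a 'PE\\0\\0' signature inside the buffer."""
    if len(plain) < 0x40 or plain[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(plain[0x3C:0x40], "little")
    return plain[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_key(blob: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key under which the blob decrypts to a PE,
    or None. Keys shared across families make this hit on new samples."""
    for key in candidates:
        if looks_like_pe(rc4(key, blob)):
            return key
    return None


# --- constructed sample data (hypothetical, not from the report) -----------
SAMPLE_KEY = b"demo-shared-key"                # constructed, not a real key
FAKE_PE = (b"MZ" + b"\x00" * 0x3A              # DOS header up to e_lfanew
           + (0x40).to_bytes(4, "little")      # e_lfanew = 0x40
           + b"PE\x00\x00" + b"\x90" * 64)     # PE signature + filler
ENCRYPTED_PAYLOAD = rc4(SAMPLE_KEY, FAKE_PE)   # what a loader DLL would carry
KNOWN_KEYS = [b"unrelated-key-1", b"unrelated-key-2", SAMPLE_KEY]

if __name__ == "__main__":
    hit = find_key(ENCRYPTED_PAYLOAD, KNOWN_KEYS)
    print("matching key:", hit)
    if hit is not None:
        print("decrypted header:", rc4(hit, ENCRYPTED_PAYLOAD)[:2])
```

The PE check is deliberately strict (header plus signature at e_lfanew) so that a wrong key is not mistaken for a hit; for shellcode stages that are not PE files, replace `looks_like_pe` with a check for the loader's known stage prologue or a byte-entropy drop.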

4. Overlaps between RainyDay and Turian
Both implants use similar infection chains, loaders and shellcode structures, and their payloads are decrypted with the same RC4 keys. Overlap in components that have no reason to match across independently developed tool sets suggests that the operators either collaborate closely or obtain their tooling from a common vendor, which blurs the boundary between clusters that were previously tracked as distinct.

5. Attribution to Naikon and connection with BackdoorDiplomacy
The PlugX configuration format resembles that of RainyDay, a backdoor attributed to Naikon, so the new variant is attributed to Naikon. Turian, in turn, is associated with BackdoorDiplomacy; the shared loaders and RC4 keys between RainyDay and Turian, together with the victimology, point to a connection between Naikon and BackdoorDiplomacy, most plausibly through tooling sourced from the same vendor. The report presents this as a potential link rather than a confirmed merger of the two groups, and as further evidence of shared tooling among Chinese-speaking threat actors.

6. Threat Implications and Recommendations
Sideloading exploits no patchable bug in the host application, so patch management alone will not stop it. Defenders should collect image-load telemetry (Sysmon Event ID 7 or the EDR equivalent) and alert on DLLs that are unsigned or carry an invalid signature when loaded by an executable from a user-writable directory, and on system DLL names resolved from a path outside the Windows directory. Application control (AppLocker or WDAC) should enforce DLL rules, not only executable rules, so that a trusted binary cannot load an untrusted library. Software vendors can harden their own binaries by loading dependencies with fully qualified paths and calling SetDefaultDllDirectories. Memory forensics and behavioral analytics help catch the decrypted stage, which never touches disk in cleartext, and network segmentation limits lateral movement once an implant is active.
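The image-load rule above, as an added example that is not part of the report: triage of Sysmon Event ID 7 records for a DLL that is not validly signed, loaded from the same directory as the process image, where that directory is outside the admin-only install locations. The events, paths and names are constructed for the demonstration and are not indicators from the campaign; the protected-directory list is a tuning assumption.

```python
# Added example (not from the report): triage of Sysmon Event ID 7 (image
# loaded) records for the sideloading pattern: a DLL that is not validly
# signed, loaded from the same directory as the process image, where that
# directory is outside the normally admin-only install locations.
# All events below are constructed; paths and names are hypothetical.
import ntpath
from typing import Dict, List

# Directories where only administrators should be able to write. A DLL loaded
# from here by the application installed here is not by itself suspicious.
# Tuning assumption, not from the report.
PROTECTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def in_protected_dir(path: str) -> bool:
    # ntpath works on any OS, so this also runs off-box in a Linux analysis VM.
    return ntpath.normcase(path).startswith(PROTECTED_PREFIXES)


def is_validly_signed(ev: Dict[str, str]) -> bool:
    # Sysmon's Signed/SignatureStatus fields describe ImageLoaded, not Image.
    return (ev.get("Signed", "false").lower() == "true"
            and ev.get("SignatureStatus") == "Valid")


def is_sideload_candidate(ev: Dict[str, str]) -> bool:
    exe_dir = ntpath.normcase(ntpath.dirname(ev["Image"]))
    dll_dir = ntpath.normcase(ntpath.dirname(ev["ImageLoaded"]))
    if exe_dir != dll_dir:
        return False        # classic sideloading keeps EXE and DLL together
    if in_protected_dir(dll_dir + "\\"):
        return False        # tuning choice: trust admin-only install dirs
    return not is_validly_signed(ev)


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return the ImageLoaded paths worth an analyst's look, in event order."""
    return [ev["ImageLoaded"] for ev in events if is_sideload_candidate(ev)]


# --- constructed Event ID 7 records (hypothetical paths) ------------------
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: Windows component loading a signed system DLL
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "ImageLoaded": "C:\\Windows\\System32\\rpcss.dll",
        "Signed": "true", "SignatureStatus": "Valid"},
    {   # the sideloading pattern: host in a user-writable path loads an
        # unsigned DLL sitting beside it
        "Image": "C:\\Users\\Public\\Libraries\\svc\\host.exe",
        "ImageLoaded": "C:\\Users\\Public\\Libraries\\svc\\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable"},
    {   # suppressed by policy: vendor app in Program Files loading its own
        # unsigned plugin (still worth baselining, but not this rule's job)
        "Image": "C:\\Program Files\\VendorApp\\app.exe",
        "ImageLoaded": "C:\\Program Files\\VendorApp\\plugin.dll",
        "Signed": "false", "SignatureStatus": "Unavailable"},
    {   # not flagged: validly signed DLL from the same user directory
        "Image": "C:\\Users\\alice\\AppData\\Local\\Tool\\tool.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Tool\\libssl.dll",
        "Signed": "true", "SignatureStatus": "Valid"},
    {   # not flagged: same suspicious host, but the DLL comes from System32
        "Image": "C:\\Users\\Public\\Libraries\\svc\\host.exe",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("possible sideload:", hit)
```

Signature status alone is a weak signal (legitimate software ships unsigned DLLs), which is why the rule requires the same-directory condition and an unprotected path; pairing the hit with the Event ID 1 record for the process gives the host binary's own signer and hash for a second check.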

