PKPLUG

PKPLUG is a cyber espionage intrusion set named by Unit 42 in 2019 based on at least three years of observed activity, with linked operations dating back at least six years. Unit 42 stated it could not determine with high confidence whether PKPLUG is a single threat group or multiple groups using the same tools and tasking. Unit 42 assessed with high confidence that PKPLUG has ties and origins similar to Chinese nation-state adversaries. PKPLUG activity has primarily targeted victims in Myanmar and Taiwan, with lower-confidence targeting in Vietnam and Indonesia, and additional targeting reported in Mongolia, Tibet, and Xinjiang. The targeting and victimology indicate intelligence collection against politically and geopolitically sensitive entities. Unit 42 assessed the group’s primary objective was victim tracking and information gathering through backdoor implants. The malware associated with PKPLUG includes PlugX, Poison Ivy, Zupdax, the 9002 Trojan, HenBox, and Farseer. PlugX is a modular backdoor prominently associated with the group, and the PKPLUG name derives from the use of PlugX delivered in ZIP archives used in DLL side-loading packages. HenBox is an Android malware family used in related activity; Unit 42 reported it primarily targeted Uyghurs and Xiaomi devices, masqueraded as legitimate Android applications, and stole device information, harvested outgoing phone calls to +86 numbers, and accessed microphones and cameras. Farseer is a previously unknown Windows backdoor used in related campaigns. Observed delivery and execution techniques include spear-phishing, DLL side-loading, and malicious Microsoft Office documents exploiting CVE-2012-0158. Reported campaigns included Poison Ivy phishing themed around ASEAN membership, economics, and democracy; 9002 Trojan delivery through Google Drive links, shortened URLs, and ZIP archives; and FHAPPI activity using GeoCities Japan URLs, encoded VBScript, PowerShell, and PowerSploit-like code. Farseer used DLL side-loading with a signed Microsoft Visual Studio executable and VBScript registry persistence at user login. Earlier Farseer variants used decoy documents including a Myanmar-related PDF. Unit 42 linked PKPLUG-related campaigns through overlapping infrastructure, malware traits, and shared tactics. Reported infrastructure overlaps included ppt.bodologetee[.]com, microsoftwarer[.]com, logitechwkgame[.]com, microsoftdefence[.]com, webserver.servehttp[.]com, yahoomesseges[.]com, outhmail[.]com, tcpdo[.]net, queryurl[.]com, and cdncool[.]com. Unit 42 also published a PKPLUG Adversary Playbook in STIX 2.0 containing indicators, campaign data, and ATT&CK-mapped TTPs. Known alias in the provided content: PKPLUG.