Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

PlugX

119
Global rank
139 infographic chevron month
Month rank
141 infographic chevron week
Week rank
0
IOCs

PlugX is a remote access trojan that is used extensively by Chinese APTs. The malware is primarily employed for spying on victims and can perform a variety of malicious activities, such as logging users’ keystrokes and exfiltrating information from browsers.

Backdoor
Type
China
Origin
16 January, 2008
First seen
3 September, 2025
Last seen
Also known as
Destroy RAT
Kaba
Korplug
Sogu
TIGERPLUG
RedDelta

How to analyze PlugX with ANY.RUN

Type
China
Origin
16 January, 2008
First seen
3 September, 2025
Last seen

IOCs

IP addresses
50.2.160.163
Hashes
212a8859adb7a74beb51a9faac6df60edafb645f936d4b1af95d15265325d62f
85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654
4f54a6555a7a3bec84e8193d2ff9ae75eb7f06110505e78337fa2f515790a562
6c959cfb001fbb900958441dfd8b262fb33e052342948bab338775d3e83ef7f7
fe5f8f5d25c3889449de2e709bedd408d24bec46d3fa1a488745c4d79c988fab
386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd
0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681
7d2b846eef2bfa822b6a0cb4399127261499fedab924fb20520b6d25916c7ed4
1eba1dc1bf2c02dac48739dd2565791b225b5671370b4153368d42b46953c0a9
560055994a2290b3eb3f354afbf5ebcf4b8d78820f238eae70d76ece81b97c23
28e0bafc9b20c4a5104d558a36600098429e8ac779a46e52a28edd432e6457e2
507d49186748dd83d808281743a17fca4b226883c410ec76eb305360cbc8c091
c3159d4f85ceb84c4a0f7ea9208928e729a30ddda4fead7ec6257c7dd1984763
Domains
50.2.160.163
URLs
http://185.239.226.61:8080/update
http://infosecvn.com:443/update
http://vietnam.zing.photos:443/update
http://vietnam.zing.photos/update
http://www.apple-net.com/update
http://185.239.226.65/update
http://www.destroy2013.com:443/a9349fd1
http://www.destroy2013.com:443/b55b412f
http://www.destroy2013.com:443/34ef8933
http://www.destroy2013.com/41cf3b8b
http://www.destroy2013.com/a51250b0
http://www.destroy2013.com/87f793ad
http://45.142.166.112/9b151346
http://45.142.166.112/41426740
http://45.142.166.112/1e98c71e
http://45.142.166.112:443/c4b8a314
http://45.142.166.112:443/c5b37b2e
http://45.142.166.112:443/4227ad5a
http://45.142.166.112:443/768bd560
http://www.apple-net.com:8080/AC8C222429A87DC4/FC654631
Last Seen at

Recent blog posts

post image
ANY.RUN Sandbox & Microsoft Sentinel: Les...
watchers 411
comments 0
post image
Fighting Telecom Cyberattacks: Investigating...
watchers 1808
comments 0
post image
Efficient SOC: How to Detect and Solve Incide...
watchers 912
comments 0

What is PlugX malware?

PlugX is a remote access trojan (RAT) family used to gain access to and control computers. It has been around since 2008 and continues to be exploited today by advanced persistent threat (APT) groups, including Mustang Panda.

The malware is often employed for spying on victims, as it possesses a considerable set of tools that make it a go-to-option for attackers. Among other things, it can be utilized to log users’ keystrokes and exfiltrate sensitive information. As a result, PlugX has been involved in numerous attacks on organizations, primarily in Asia. However, there are also instances of attacks on private companies.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the PlugX malicious software

Due to the fact that PlugX has been around for over a decade, the malware has undergone numerous iterations, and multiple variants have been created as a result. However, in most cases, they share similar functionality, which includes:

  • Collecting details about the operating system, hardware components, installed applications, and network settings.
  • Exfiltrating usernames, login credentials, personal information, and browsing history.
  • Recording every keystroke made on the infected system.
  • Managing processes, allowing the attackers to manipulate the system, including by turning off antivirus software.
  • Modifying registry entries, facilitating persistence on the computer.
  • Recording the screen of a compromised device.

PlugX has been known to leverage DLL side-loading to execute its malicious payload. DLL side-loading is a technique employed by malware to evade detection by traditional security measures. It involves injecting malicious code into a legitimate DLL (Dynamic Link Library) file, which is then executed by a trusted application.

Another persistence mechanism used by PlugX is the modification of the Windows Registry to kickstart its execution during every system booting.

Similar to njRAT and LimeRAT, PlugX makes use of USB-based propagation. It enables the malware to spread to other systems via infected USB devices.

Execution process of PlugX

We observe the entire execution chain of PlugX in ANY.RUN by submitting its sample for analysis.

PlugX is known for utilizing system applications and legitimate files in its attempts to evade defense mechanisms. In our example, the malware drops a legitimate ESET EHttpSrv.exe file (renamed as esetservice.exe) that is exploited to load the http_dll.dll. This DLL file has the capability to collect files from the infected system.

Expose malicious activities and get IOCs with ANY.RUN sandbox

  • Analyze malware in Windows 7, 10, and 11 VMs
  • Interact with files and links, just like on your own computer
  • Work in a private team space with your colleagues
Request 14-day free trial

The Remote Access Trojan (RAT) also exploits the dllhost process and runs an esetservice process as a service. Following privilege escalation, PlugX injects run once, establishing a connection to a Command and Control (C2) server and awaiting commands for subsequent malicious activities.

PlugX process graph in ANY.RUN PlugX`s process graph demonstrated in ANY.RUN

Distribution methods of the PlugX malware

Apart from USB-based distribution, PlugX is most often spread via phishing emails. Attackers usually place the malware inside an archive which is sent to victims in the form of an attachment. Once they open and launch the files inside the archive, the execution process begins.

Conclusion

PlugX is one of the most persistent threats in the world that has been actively used since 2008. Despite its long history, it regularly evolves, gaining new capabilities and features that allow it to beat defense systems. To make sure your organization remains safe from a PlugX infection, it is vital to keep up with the latest samples of the malware and its behavior. To this end, you can use ANY.RUN.

ANY.RUN is a cloud-based malware analysis sandbox that lets you investigate any threat to unveil its TTPs and collect IOCs. Thanks to its advanced interactivity, ANY.RUN makes it possible to conduct malware analysis by engaging with the malware and the infected system just like on a standard computer.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
DarkCloud screenshot
DarkCloud
darkcloud
DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.
Read More
Jigsaw screenshot
Jigsaw
jigsaw
The Jigsaw ransomware, initially detected in 2016, encrypts files on compromised systems and requires a ransom payment in Bitcoin. If the ransom is not paid, the malware starts deleting files, increasing the pressure on victims to comply. Its source code is publicly accessible, allowing various threat actors to customize and repurpose the malware for different objectives.
Read More
GuLoader screenshot
GuLoader
guloader
GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.
Read More
ValleyRAT screenshot
ValleyRAT
valleyrat
ValleyRAT is a classic remote access trojan first documented in 2023, targeting mainly Windows systems. It is used by threat actors to gain persistent access to infected devices, steal data, and control compromised machines. ValleyRAT is notable for its relatively advanced evasion techniques and its connections to a prominent Chinese APT group.
Read More
Stealc screenshot
Stealc
stealc
Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.
Read More