BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details


Global rank
79 infographic chevron month
Month rank
58 infographic chevron week
Week rank

PlugX is a remote access trojan that is used extensively by Chinese APTs. The malware is primarily employed for spying on victims and can perform a variety of malicious activities, such as logging users’ keystrokes and exfiltrating information from browsers.

16 January, 2008
First seen
13 June, 2024
Last seen
Also known as
Destroy RAT

How to analyze PlugX with ANY.RUN

16 January, 2008
First seen
13 June, 2024
Last seen


Last Seen at

Recent blog posts

post image
Analyzing Malware Protected with Themida and...
watchers 142
comments 0
post image
ANY.RUN Represented at BSides Canada and Cybe...
watchers 188
comments 0
post image
Search for Malware Mutexes in ANY.RUN Threat...
watchers 339
comments 0

What is PlugX malware?

PlugX is a remote access trojan (RAT) family used to gain access to and control computers. It has been around since 2008 and continues to be exploited today by advanced persistent threat (APT) groups, including Mustang Panda.

The malware is often employed for spying on victims, as it possesses a considerable set of tools that make it a go-to-option for attackers. Among other things, it can be utilized to log users’ keystrokes and exfiltrate sensitive information. As a result, PlugX has been involved in numerous attacks on organizations, primarily in Asia. However, there are also instances of attacks on private companies.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Technical details of the PlugX malicious software

Due to the fact that PlugX has been around for over a decade, the malware has undergone numerous iterations, and multiple variants have been created as a result. However, in most cases, they share similar functionality, which includes:

  • Collecting details about the operating system, hardware components, installed applications, and network settings.
  • Exfiltrating usernames, login credentials, personal information, and browsing history.
  • Recording every keystroke made on the infected system.
  • Managing processes, allowing the attackers to manipulate the system, including by turning off antivirus software.
  • Modifying registry entries, facilitating persistence on the computer.
  • Recording the screen of a compromised device.

PlugX has been known to leverage DLL side-loading to execute its malicious payload. DLL side-loading is a technique employed by malware to evade detection by traditional security measures. It involves injecting malicious code into a legitimate DLL (Dynamic Link Library) file, which is then executed by a trusted application.

Another persistence mechanism used by PlugX is the modification of the Windows Registry to kickstart its execution during every system booting.

Similar to njRAT and LimeRAT, PlugX makes use of USB-based propagation. It enables the malware to spread to other systems via infected USB devices.

Execution process of PlugX

We observe the entire execution chain of PlugX in ANY.RUN by submitting its sample for analysis.

PlugX is known for utilizing system applications and legitimate files in its attempts to evade defense mechanisms. In our example, the malware drops a legitimate ESET EHttpSrv.exe file (renamed as esetservice.exe) that is exploited to load the http_dll.dll. This DLL file has the capability to collect files from the infected system.

Expose malicious activities and get IOCs with ANY.RUN sandbox

  • Analyze malware in Windows 7, 8, 10, and 11 VMs
  • Interact with files and links, just like on your own computer
  • Work in a private team space with your colleagues
Request 14-day free trial

The Remote Access Trojan (RAT) also exploits the dllhost process and runs an esetservice process as a service. Following privilege escalation, PlugX injects run once, establishing a connection to a Command and Control (C2) server and awaiting commands for subsequent malicious activities.

PlugX process graph in ANY.RUN PlugX`s process graph demonstrated in ANY.RUN

Distribution methods of the PlugX malware

Apart from USB-based distribution, PlugX is most often spread via phishing emails. Attackers usually place the malware inside an archive which is sent to victims in the form of an attachment. Once they open and launch the files inside the archive, the execution process begins.


PlugX is one of the most persistent threats in the world that has been actively used since 2008. Despite its long history, it regularly evolves, gaining new capabilities and features that allow it to beat defense systems. To make sure your organization remains safe from a PlugX infection, it is vital to keep up with the latest samples of the malware and its behavior. To this end, you can use ANY.RUN.

ANY.RUN is a cloud-based malware analysis sandbox that lets you investigate any threat to unveil its TTPs and collect IOCs. Thanks to its advanced interactivity, ANY.RUN makes it possible to conduct malware analysis by engaging with the malware and the infected system just like on a standard computer.

Try ANY.RUN for free – request a demo!


Adwind screenshot
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy