PlugX malware: A good hacker is an apologetic hacker


PlugX malware: A good hacker is an apologetic hacker
Botnet: PlugX
Botnet/malware group:
Exploit kits:
Distribution vector:
Operation/Working group:
Date: 2016 / 2016-03-10
Editor/Conference: Kaspersky Securelist
Link: (Archive copy)
Author: Dmitry Tarakanov
Type: Blogpost


Our first research into PlugX was published in 2012; since then this remote access tool (RAT) has become a well-known instrument used in a series of attacks all over the globe, targeting multiple industry verticals. PlugX has been detected in targeted attacks not only against military, government and political organizations, but also against more or less ordinary companies. In 2013 we discovered that the Winnti group, responsible for attacking companies in the online gaming industry, had been using the PlugX remote administration tool since at least May 2012.

This time, looking through some anomalous PlugX samples, we stumbled upon one specimen that had an RC4-encrypted resource inside. It turned out to be a test sample with dummy settings. Luckily, it was quite easy to find the initial builder that generates such samples.
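The abstract mentions a sample whose embedded resource was RC4-encrypted and, once decrypted, held only dummy settings. The following is an added example of how an analyst triages such a resource: compute the byte entropy of each PE resource to flag the blob that looks encrypted, then try a candidate RC4 key and check whether the output looks like a plaintext settings block. This is illustration code, not Kaspersky's tooling and not PlugX's own routine; the resource names, the settings layout and the key `dummykey` are constructed for the example, and the page gives neither the real key nor the real config format.

```python
"""RC4 and entropy triage for a PE resource suspected to hold encrypted
malware settings. Added illustration: the key, the resource names and the
settings layout below are constructed, not taken from the PlugX sample."""
import math


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: one function both encrypts
    and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for a uniform blob."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


ENTROPY_THRESHOLD = 7.0   # typical cut-off; encrypted/compressed data sits near 8


def find_encrypted_resources(resources, min_size=256):
    """Return names of resources whose byte distribution looks encrypted or
    compressed. Tiny blobs are skipped because entropy is meaningless there."""
    return sorted(name for name, blob in resources.items()
                  if len(blob) >= min_size
                  and shannon_entropy(blob) >= ENTROPY_THRESHOLD)


# Constructed sample input: a dummy settings block of the kind a test build
# would embed (assumed layout, not the real PlugX config format).
DUMMY_SETTINGS = (b"[settings]\r\nserver=test.example\r\nport=443\r\n"
                  b"campaign=TEST\r\nmutex=dummy\r\n") * 40
ASSUMED_KEY = b"dummykey"   # assumption for the example, not the sample's key

SAMPLE_RESOURCES = {
    "ICON_1": bytes(range(16)) * 32,                 # low-entropy filler
    "SETTINGS": rc4(ASSUMED_KEY, DUMMY_SETTINGS),    # the encrypted blob
    "VERSION": b"1.0.0.0",                           # too small to judge
}


def looks_like_text(blob, ratio=0.9):
    """Heuristic key check: a correct key yields mostly printable bytes,
    a wrong key yields keystream-like noise (roughly 38% printable)."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return printable / len(blob) >= ratio


def triage(resources, key):
    """Map each high-entropy resource to (key_fits, plaintext_or_None)."""
    results = {}
    for name in find_encrypted_resources(resources):
        plain = rc4(key, resources[name])
        ok = looks_like_text(plain)
        results[name] = (ok, plain if ok else None)
    return results


if __name__ == "__main__":
    for name, (ok, plain) in triage(SAMPLE_RESOURCES, ASSUMED_KEY).items():
        print(name, "decrypted" if ok else "key did not fit")
        if ok:
            print(plain[:60].decode())
```

On a real binary the `SAMPLE_RESOURCES` dict would be filled from the PE resource directory (for instance with `pefile`), and the candidate key would come from the loader code that decrypts the resource at run time; the entropy pass only tells you which resource to look at, and the printable-ratio check is a cheap way to confirm the key before reading the settings by hand.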


 @misc{2016BFR4819,
   editor = {Kaspersky Securelist},
   author = {Dmitry Tarakanov},
   title = {PlugX malware: A good hacker is an apologetic hacker},
   day = {10},
   month = mar,
   year = {2016},
   howpublished = {\url{}},
 }