Threat Overview
A recent threat report published by AlienVault on September 25, 2025, reveals a new campaign targeting telecommunications and manufacturing sectors in Central and South Asian countries. This campaign delivers a novel variant of the PlugX malware, which has been active since 2022. The report highlights significant overlaps between RainyDay and Turian backdoors, including the abuse of legitimate applications for DLL sideloading and shared encryption methods.
Campaign Details
The new PlugX variant’s configuration format closely resembles that of RainyDay, suggesting a potential attribution to the Naikon actor group. The analysis of victimology and technical implementation indicates a possible connection between Naikon and BackdoorDiplomacy, possibly sourcing tools from the same vendor. This campaign underscores the evolving tactics of Chinese-speaking threat actors and the potential collaboration between previously distinct groups.
Technical Analysis
The malware families involved in this campaign use similar infection chains, loaders, and shellcode structures. They also share RC4 keys for payload decryption, which further supports the hypothesis of a common origin or shared toolset. The abuse of DLL search order hijacking is a notable tactic employed by these threat actors to execute malicious code.
DLL Search Order Hijacking
DLL search order hijacking is a technique where an attacker exploits the way Windows searches for dynamic-link libraries (DLLs). By placing a malicious DLL in a directory that is searched before the legitimate one, attackers can execute arbitrary code. This method is particularly effective because it leverages legitimate applications to bypass security measures.
Recommendations
To mitigate the risks associated with this campaign, organizations should consider the following recommendations:
- Patch Management: Ensure that all systems and applications are up-to-date with the latest security patches. This includes both operating systems and third-party software.
- Application Whitelisting: Implement application whitelisting to prevent unauthorized software from executing. This can help block malicious DLLs from being loaded.
- Monitoring and Detection: Use advanced threat detection tools to monitor for suspicious activities, such as unusual DLL loading behavior. Regularly review logs and alerts generated by these tools.
- User Education: Train employees on recognizing phishing attempts and other social engineering tactics that may be used to deliver malware.
- Network Segmentation: Segment the network to limit the spread of malware in case of a breach. Critical systems should be isolated from less secure parts of the network.
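The DLL search order hijacking technique described above, and the "unusual DLL loading behavior" the monitoring recommendation asks for, can be turned into a concrete check. The following Python is an added illustration, not code from the report or from AlienVault: it scans records shaped like Sysmon Event ID 7 (image load) and flags a DLL whose name normally resolves from the Windows system directory but was mapped from elsewhere, with extra weight when it sits beside the loading executable and is unsigned. The system DLL name list and the sample events are constructed for the example.

```python
# Flag DLL image loads consistent with search-order hijacking, using records shaped
# like Sysmon Event ID 7 (Image = loading process, ImageLoaded = DLL, Signed = flag).
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed list of DLL basenames that normally resolve from the Windows system
# directory; a real deployment would build it from a clean host's System32 listing.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

@dataclass
class ImageLoad:
    image: str         # process executable (Sysmon "Image")
    image_loaded: str  # DLL that was mapped (Sysmon "ImageLoaded")
    signed: bool       # Sysmon "Signed" field

def in_system_dir(dll: PureWindowsPath) -> bool:
    """True when the DLL's directory is, or lies below, a Windows system directory."""
    parent = str(dll.parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)

def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return why a load looks like sideloading; an empty list means no finding."""
    dll, exe = PureWindowsPath(ev.image_loaded), PureWindowsPath(ev.image)
    reasons: list[str] = []
    # Core signal: a name that should come from System32 resolved from somewhere else.
    if dll.name.lower() in SYSTEM_DLL_NAMES and not in_system_dir(dll):
        reasons.append("system DLL name resolved outside the Windows system directory")
        if dll.parent == exe.parent:  # PureWindowsPath compares case-insensitively
            reasons.append("DLL sits in the loading executable's own directory")
        if not ev.signed:
            reasons.append("DLL is unsigned")
    return reasons

def scan(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious ImageLoaded path to the reasons it was flagged."""
    return {ev.image_loaded: r for ev in events if (r := sideload_reasons(ev))}

# Constructed sample events (not from the report): a clean system load, an app-local
# vendor DLL with a non-system name, and a copied executable loading a DLL beside it.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\vendorcore.dll", False),
    ImageLoad(r"C:\Users\Public\Updater\app.exe", r"C:\Users\Public\Updater\version.dll", False),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

Only the third event is reported, with all three reasons; an application's own non-system DLL in its install directory produces no finding, which keeps the check specific to the hijacking pattern rather than to app-local DLLs in general.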
Conclusion
The discovery of this new PlugX variant and its connections to the RainyDay and Turian backdoors highlights the sophisticated tactics employed by Chinese-speaking threat actors. Organizations, particularly those in the telecommunications and manufacturing sectors, must remain vigilant and implement robust security measures to protect against these evolving threats.
References
For more detailed information, please refer to the following external references: