PlugX Meeting Invitation via MSBuild and GDATA Threat Report

Threat Overview

On 2026-02-27, CyberHunter_NL released a detailed threat report titled PlugX Meeting Invitation via MSBuild and GDATA. The report documents a sophisticated spear‑phishing campaign that leverages a legitimate G DATA antivirus executable and the Windows build tool MSBuild.exe to deliver a PlugX remote access trojan (RAT). The adversary group behind the activity remains unnamed, but the methodology and code signatures strongly correlate with known China‑aligned threat actors such as Mustang Panda, APT41, and APT10.

Initial Compromise Vector

The attack chain begins with a phishing e‑mail titled “Meeting Invitation” that contains two hyperlinks. The first link redirects to the Ministry of Foreign Affairs of Iceland, serving as a social‑engineering hook. The second link initiates the download of a ZIP archive named Invitation_Letter_No.02_2026.zip which contains five files: a malicious .csproj project file, a .exe launcher, a legitimate G DATA executable (Avk.exe), a DLL (Avk.dll) identified as a PlugX variant, and an encrypted data file (AVKTray.dat). The .exe uses MSBuild.exe – a legitimate Windows component – as a living off the land binary to execute the .csproj script, thereby obfuscating the loader execution.

Execution Flow and DLL Side‑Loading

Once the ZIP is unpacked, the launcher runs Invitation_Letter_No.02_2026.exe, which triggers MSBuild.exe to compile and execute the .csproj. The compiled output loads Avk.exe, which in turn performs DLL side‑loading by invoking Avk.dll. The loader obtains the name of the encrypted payload (AVKTray.dat) from an XOR‑encoded string in its .rdata section using key 0x7F. The payload is then decrypted with XOR key 0x4F, producing a binary that contains a decoy PDF overlay and a set of API calls to establish persistence and C2 communication.

Persistence and Command & Control

Persistence is achieved by writing a registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the key name “G DATA”. The value points to C:\Users\Public\GDatas\Avk.exe along with two numeric arguments that the loader forwards to the DLL. The DLL contacts the command and control server at https://decoraat.net:443 using HTTPS over port 443. The configuration file, once decrypted, reveals an RC4 key (fzsbnWTgLLq) that is used to encrypt the C2 URL. The loader also creates a series of temporary files with random names in the %TEMP% folder; these are removed immediately after use to reduce forensic footprints.

Obfuscation and API Hashing

Both the loader and the injected payload use advanced obfuscation techniques. Avk.dll employs DJB2‑based API hashing to resolve function addresses at runtime, while the injected code uses a custom ROL‑19 hashing mechanism. This indirection prevents static analysis tools from matching known API references. The loader also embeds the decoy PDF directly into the DLL overlay, a tactic that has been consistently used by PlugX to provide a convincing user interface while keeping malicious logic consolidated.

Indicators of Compromise

Key IOCs include:

  • File hashes: AVKTray.dat (e7ed0cd4…), Avk.dll (46314092…), AVK.exe (8421e799…), Invitation_Letter_No.02_2026.zip (29cd44aa…), Invitation_Letter_No.02_2026.csproj (de8ddc24…), Invitation_Letter_No.02_2026.exe (5f9af68d…)
  • Registry persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\G DATA
  • Network indicators: https://decoraat.net:443, https://onedow.gesecole.net/download
  • Process and file paths: C:\Users\Public\GDatas\Avk.exe, %TEMP%\[random_folder]

Mitigation Recommendations

  1. Educate users: Train employees to recognize spear‑phishing emails that use official or diplomatic language and verify URLs before clicking.
  2. Endpoint detection: Deploy EDR solutions that flag DLL side‑loading activity, especially when a legitimate executable loads a DLL from an unexpected location.
  3. Application whitelisting: Enforce strict rules that block the execution of unapproved binaries in the Public folder and restrict MSBuild.exe usage to known build environments.
  4. Registry monitoring: Continuously monitor changes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and alert on new keys named “G DATA” or similar.
  5. Network segmentation: Isolate critical systems from the internet and inspect outbound HTTPS traffic for connections to unfamiliar domains such as decoraat.net.
  6. File integrity checks: Use hash‑based detection to identify known malicious DLLs and executables in real time.

Conclusion

The PlugX variant described in this report demonstrates a mature blend of social engineering, legitimate software abuse, and advanced obfuscation. By leveraging a legitimate antivirus executable and MSBuild.exe, the adversary can bypass many traditional detection mechanisms while maintaining the appearance of legitimate activity. Defensive measures must focus on user awareness, rigorous application control, and continuous monitoring of registry changes and outbound HTTPS traffic. Staying abreast of the evolving PlugX codebase, especially its filename obfuscation and API hashing techniques, will be essential for early detection and mitigation in the coming months.

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading