China-Linked PlugX and Bookworm Malware Attacks Target Asian Telecom and ASEAN Networks

Telecommunications and manufacturing sectors in Central and South Asian countries have emerged as the target of an ongoing campaign distributing a new variant of a known malware called PlugX (aka Korplug or SOGU). "The new variant's features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL side-loading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used," Cisco Talos researchers Joey Chen and Takahiro Takeda said in an analysis published this week.

The cybersecurity company noted that the configuration associated with the PlugX variant diverges significantly from the usual PlugX configuration format, instead adopting the same structure used in RainyDay, a backdoor associated with a China-linked threat actor known as Lotus Panda (aka Naikon APT). It's also likely tracked by Kaspersky as FoundCore and attributed to a Chinese-speaking threat group it calls Cycldek.

https://lnkd.in/e5X4SQFN

Stay Connected to Sidharth Sharma, CPA, CISA, CISM, CFE, CDPSE for content related to Cyber Security.

#CyberSecurity #JPMC #Technology #InfoSec #DataProtection #DataPrivacy #ThreatIntelligence #CyberThreats #NetworkSecurity #CyberDefense #SecurityAwareness #ITSecurity #SecuritySolutions #CyberResilience #DigitalSecurity #SecurityBestPractices #CyberRisk #SecurityOperations
PlugX malware targets Asian telecom and manufacturing sectors
🚨 Cybersecurity Alert: Chinese APT Phantom Taurus Attacks Organizations with NETSTAR Malware 🔒

In the cybersecurity threat landscape, an advanced persistent threat (APT) group of Chinese origin, known as Phantom Taurus (also referred to as Mustang Panda), has intensified its operations targeting key organizations. This campaign, detected since July 2023, uses a .NET-based malware loader called NETSTAR to infiltrate sensitive networks, primarily in the telecommunications, IT, and other critical industries in the Asia-Pacific and Middle East regions.

📡 Technical Details of the Threat

NETSTAR acts as an initial component that downloads and executes additional payloads, allowing attackers to establish persistent control. Infection vectors include spear-phishing emails with malicious attachments disguised as legitimate documents, such as LNK or ISO files that evade traditional detections.

🔍 Key Malware Features

- 🛡️ Advanced Obfuscation: NETSTAR employs .NET obfuscation techniques to hide its code and resist static analysis, using libraries like ConfuserEx.
- 📤 Payload Downloads: Once executed, it connects to command and control (C2) servers to retrieve secondary modules, including backdoors and data collection tools.
- 🎯 Specific Targets: Victims include telecommunications providers in countries like India, Pakistan, and Thailand, with possible extensions to the Middle East, focusing on industrial and governmental espionage.
- ⚡ Persistence: It implements methods such as scheduled tasks and registry modifications to remain active on compromised Windows systems.

This threat highlights the evolution of state-sponsored APTs in using .NET frameworks for malware, complicating detection in corporate environments. Organizations in critical sectors must prioritize security updates, anti-phishing training, and monitoring for unusual network traffic.

For more information visit: https://enigmasecurity.cl

#Cybersecurity #Malware #APT #PhantomTaurus #NETSTAR #CyberThreats #Telecommunications #DigitalEspionage

Connect with me on LinkedIn to discuss defense strategies: https://lnkd.in/eFb3bY4C

📅 Wed, 01 Oct 2025 12:21:11 +0000

🔗 Subscribe to the Membership: https://lnkd.in/eh_rNRyt
**China-Linked PlugX and Bookworm Malware Target Asian Telecoms**

Please read the original article at https://lnkd.in/d32V9rVW

Cybersecurity researchers from Cisco Talos and Palo Alto Networks have uncovered a new wave of cyberattacks targeting telecommunications and manufacturing firms in Central and South Asia. The attacks deploy a new variant of PlugX, a known remote access trojan (RAT), along with other Chinese-linked malware like RainyDay, Turian, and Bookworm.

PlugX, mostly used by China-aligned groups such as Mustang Panda, now shows significant overlap with malware used by threat actors Lotus Panda (Naikon APT) and BackdoorDiplomacy. These adversaries employ DLL side-loading through legitimate apps to execute malicious payloads, which include embedded keyloggers and advanced exfiltration tools.

Palo Alto's Unit 42 also highlighted Mustang Panda’s continued use of Bookworm, a modular RAT that enables full control of infected systems and utilizes stealth tactics like malicious UUID-encoded shellcode. These campaigns are particularly aimed at ASEAN countries.

Despite unclear attribution, overlapping tactics strongly suggest a shared toolkit or vendor among Chinese-speaking threat actors. Security teams should pay close attention to DLL hijacking techniques and cross-regional targeting patterns, as these attacks are ongoing and evolving.
Researchers Identify PassiveNeuron APT Using Neursite and NeuralExecutor Malware

Government, financial, and industrial organizations located in Asia, Africa, and Latin America are the target of a new campaign dubbed PassiveNeuron, according to findings from Kaspersky. The cyber espionage activity was first flagged by the Russian cybersecurity vendor in November 2024, when it disclosed a set of attacks aimed at government entities in Latin America and East Asia in June, using never-before-seen malware families tracked as Neursite and NeuralExecutor.

It also described the operation as exhibiting a high level of sophistication, with the threat actors leveraging already compromised internal servers as an intermediate command-and-control (C2) infrastructure to fly under the radar. "The threat actor is able to move laterally through the infrastructure and exfiltrate data, optionally creating virtual networks that allow attackers to steal files of interest even from machines isolated from the internet," Kaspersky noted at the time. "A plugin-based approach provides dynamic adaptation to the attacker's needs."

https://lnkd.in/daAKkGFb

Stay Connected to Nishan Singh, CISA, MBA for latest cyber security information.

#EXL #Exlservice #linkedin #cybersecurity #technologycontrols #infosec #informationsecurity #GenAi #linkedintopvoices #cybersecurityawareness #innovation #techindustry #VulnerabilityAssessment #ApplicationSecurity #SecureCoding #cyber #communitysupport #womenintech #technology #security #cloud #infosec #riskassessment #informationsecurity #auditmanagement #informationprotection #securityaudit #cyberrisks #cloudsecurity #trends #grc #leadership #socialmedia #digitization #education #Hacking #privacy #datasecurity #passwordmanagement #identitytheft #phishingemails #holidayseason #bankfraud #personalinformation #creditfraud
🇺🇦 As someone from Ukraine, reading the latest SSSCIP report hits close to home. In just the first half of 2025, over 3,000 cyber incidents were recorded — many powered by AI-driven phishing and malware crafted by Russia-linked threat actors.

🤖⚠️ Attackers are now using AI to write code, generate fake emails, and even automate data theft. It’s both impressive and deeply concerning — a reminder that cyberwar isn’t just about firewalls anymore, it’s about adaptation and vigilance.

💡 For those of us defending networks every day, tools like #openvasscan of OPENVAS S.r.l. (Gruppo Greenbone) and continuous vulnerability management are no longer optional — they’re essential. The faster we detect and patch weaknesses, the harder we make it for these actors to succeed.

What’s encouraging is that Ukraine’s cyber defenders — CERT-UA and SSSCIP — continue to evolve, counter, and share knowledge globally. 💪 Every incident teaches us, every response makes us stronger.

Glory to Ukraine 💙💛

https://lnkd.in/dFB9u5ZG

#CyberSecurity #Ukraine #AI #CyberResilience #OPENVAS #openvasscan #Infosec #CyberDefense
In today's cyber security news, according to Group‑IB, the state-sponsored Iranian actor MuddyWater targeted over 100 government organizations, deploying version 4 of the Phoenix backdoor in a multi-layered campaign. Attack vectors are still rooted in classic weaknesses: this campaign started with phishing emails containing malicious Word docs and macros. The adversary didn’t rely on one threat vector either: once the loader executed the Phoenix backdoor, it moved to credential theft (via stolen browser data) and remote monitoring/management tools to maintain its persistence. Talk about complex.

What are your thoughts: what security control do you still see being overlooked?

Article linked below: 👇 https://lnkd.in/ePr6r47n

#cybersecurity #infosec #threatintel #cyberrisk #governmentsafety #bleepingcomputer #cyber #nationstate #infosec #dataprotection #cyberthreats #commandandcontrols #c2 #zerotrust #cloudsecurity #cyberrisk #technology #defenseindepth
A Russian cybersecurity firm said it has found evidence that spyware developed by Italy’s Memento Labs — formerly known as the controversial Hacking Team — was likely used in attacks on organizations in Russia and Belarus.
Russian hackers' adoption of artificial intelligence (AI) in cyber attacks against Ukraine has reached a new level in the first half of 2025 (H1 2025), the country's State Service for Special Communications and Information Protection (SSSCIP) said. "Hackers now employ it not only to generate phishing messages, but some of the malware samples we have analyzed show clear signs of being generated