Recently, our team identified the use of the PlugX Trojan (MITRE ID: S0013) within Italian corporate systems. The Trojan managed to infiltrate the target systems through the use of an infected USB device.

The system compromise is executed through the techniques of Replication Through Removable Media (T1091) and DLL Side-Loading (T1073).

In recent months, several technical articles have been published concerning the use of the PlugX Trojan. A recent analysis revealed that the Trojan has been enhanced with the HTML Smuggling technique, used in the initial phase of compromising the victim system.

This technique involves sending phishing emails containing attached files that hold JavaScript code capable of automatically downloading the malware.

PlugX, also known as Destroy RAT, Kaba, Korplug, Sogu, TIGERPLUG, and RedDelta, has been in existence since 2008 and is categorized as a Remote Access Trojan (RAT). Over time, it has undergone continuous modifications and improvements to evade security defenses.

The reuse of parts of its code by various Threat Actors has contributed to the malware’s spread, leading to numerous different versions.

Some analyses of this malware (by TrendMicro and Sophos) associate it with operations of Chinese APT groups. Its use has often been observed in compromises involving critical sectors such as the energy industry, defense, technology, the financial sector, and government institutions.

Recently, the focus of these Threat Actors has been shifting towards European entities, which are victims of an increasing number of attacks.


The variant of PlugX observed by our team exploits the execution of a .lnk file contained within a compromised USB device. When the user clicks on this file, the following command is executed:

"C:\Windows\System32\cmd.exe" /q /c " \ \RECYCLER.BIN\files\x32dbg.exe"

This executes the legitimate software “x32dbg.exe”, associated with the loading of the malicious dll “x32bridge.dll”.

This mechanism is known as “DLL Side-Loading” (T1073) and involves creating a malicious DLL with the same name as a legitimate DLL, so that it is loaded by legitimate software without raising suspicion.

The information obtained from the analysis suggests that, in this specific case, it is not an attack aimed at compromising the involved organization, but rather an inadvertent result of previous compromises.

This variant of the trojan contacts the Command and Control (C2) server at the IP address 160.20.147[.]254 (Germany – ROUTERHOSTING).


The increased targeting of European users and the detection of the malware in Italy are indicators of an evolution and update in the attack patterns of PlugX. It represents a particularly complex and insidious threat, especially as it is used for espionage activities typical of various Advanced Persistent Threat (APT) groups. These groups carry out targeted attacks with specific objectives to extract sensitive information.

At the end of this article, we share the Indicators of Compromise (IOCs) associated with this threat.

Attack Patterns

T1218System Binary Proxy ExecutionAdversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries.
T1036MasqueradingMasquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses.
T1574Hijack Execution FlowAdversaries may execute their own malicious payloads by hijacking the way operating systems run programs.
T1202Indirect Command ExecutionAdversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
T1073DLL Side-LoadingAdversaries may execute their own malicious payloads by side-loading DLLs.
T1140Deobfuscate/Decode Files or InformationAdversaries may require separate mechanisms to decode or deobfuscate information depending on how they intend to use it.
T1603Scheduled Task/JobAdversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.
T1547Boot or Logon Autostart ExecutionAdversaries may configure system settings to automatically execute a program during system boot to maintain persistence on compromised systems.
T1204User ExecutionAn adversary may rely upon specific actions by a user to gain execution.

Indicator of Compromise (IOC)

dismcore.dllWin32 DLLb4f1cae6622cd459388294afb418cb0af7a5cb82f367933e57ab8c1fb0a8a8a7
x32bridge.dllWin32 DLL0490ceace858ff7949b90ab4acf4867878815d2557089c179c9971b2dd0918b9
hex.dllWin32 DLLa75598a76d2df2afc747757d3ec278285c5262fadf654be2243f8e08762dbcea
mpsvc.dllWin32 DLL2e5412c25b53b9f86dd03ef44db66ed02bf7f984ac012f439efdc1835a05e6b3
msvcp120.dllWin32 DLL(legittimo)
msvcr120.dllWin32 DLL(legittimo)
AUG.exeapplication/x-ms-dos-exec(legittimo) 6e8ebf5ec6999883b82b9b41fcd53a4266b236e86cb41fbc450a3b7c64e708c0
Removable Disk(3GB).lnkapplication/octet-streamed63ec38d8c35a140a061a2af4df7ed7751ab17d84f322969b8d18abd38cf17c

Related articles