Stratos Ally

New PlugX Variant Targets Telecom and Manufacturing Networks Across Central and South Asia


StratosAlly


A new variant of the PlugX remote access trojan (RAT), also known as Korplug or SOGU, is being deployed in an ongoing cyber campaign against telecommunications and manufacturing organizations across Central and South Asia, as well as ASEAN-linked entities, according to Cisco Talos and Palo Alto Networks' Unit 42. The variant exhibits behaviors similar to other advanced backdoors, including RainyDay and Turian, and has a modular architecture that lets the operators load additional payloads dynamically.

Key targets include telecom providers and manufacturing firms in countries such as Kazakhstan and Uzbekistan. These organizations manage critical infrastructure, hold proprietary subscriber data, and oversee industrial control systems, which makes them high-value objectives for espionage, supply-chain compromise, and persistent access.

The attackers abuse legitimate software, such as the Mobile Popup Application, to carry out DLL side-loading: a malicious library is loaded into the trusted process's memory and in turn executes the PlugX, RainyDay, or Turian payload. The PlugX variant decodes its payload with an XOR-RC4-RtlDecompressBuffer routine using embedded RC4 keys and includes a keylogger module. Separately, the Bookworm malware, linked to Mustang Panda, communicates through legitimate-looking or compromised domains and stores its shellcode as UUID strings, which complicates detection. Analysts have also noted overlapping tactics and shared malware among Chinese-speaking threat groups, including Lotus Panda (also known as Naikon APT) and BackdoorDiplomacy, hinting at a shared toolset or a common malware supplier.
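The UUID-string packing mentioned above is a useful hunting signal on its own: a legitimate configuration file may contain a handful of UUIDs, but a long unbroken run of them is unusual. The following Python is an added triage example written for this article, not code from Talos, Unit 42 or any malware sample; the sample text and the 64 packed bytes are constructed, and the decoder assumes the same little-endian field layout the Windows UuidFromString API uses.

```python
import math
import re
import uuid

# Matches one UUID literal such as 3f2504e0-4f89-11d3-9a0c-0305e82c3301
UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
# Only these characters may separate two literals of the same run
SEPARATORS = re.compile(r'^[\s",\']*$')


def uuid_to_bytes(literal: str) -> bytes:
    # UuidFromString stores the first three fields little-endian; Python
    # exposes that layout as UUID.bytes_le, which restores the original bytes.
    return uuid.UUID(literal).bytes_le


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)


def find_uuid_runs(text: str, min_run: int = 4) -> list:
    """Return (offset, decoded_bytes, entropy) for every run of at least
    min_run adjacent UUID literals; a lone UUID in a config file is ignored."""
    runs, current = [], []
    for m in UUID_RE.finditer(text):
        if current and not SEPARATORS.match(text[current[-1].end():m.start()]):
            runs.append(current)
            current = []
        current.append(m)
    if current:
        runs.append(current)
    results = []
    for run in runs:
        if len(run) >= min_run:
            blob = b"".join(uuid_to_bytes(m.group()) for m in run)
            results.append((run[0].start(), blob, shannon_entropy(blob)))
    return results


# Constructed sample: one ordinary device UUID, then 64 arbitrary bytes
# (not shellcode) packed as four consecutive UUID literals.
PACKED_BLOB = bytes(range(0x40, 0x80))
SAMPLE_TEXT = (
    'device_id = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"\n'
    + "table = [" + ", ".join('"%s"' % uuid.UUID(bytes_le=PACKED_BLOB[i:i + 16])
                              for i in range(0, 64, 16)) + "]\n"
)

if __name__ == "__main__":
    for offset, blob, ent in find_uuid_runs(SAMPLE_TEXT):
        print(f"run at offset {offset}: {len(blob)} bytes, entropy {ent:.2f}")
```

Decoded runs with high entropy are candidates for the next decryption stage in a sandbox; the raw bytes should be handled as untrusted data, never executed.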

The campaign puts customer data, credentials, and operational information at risk while giving the intruders covert, long-term access from which to move laterally. Compromise of telecom networks or industrial systems could disrupt operations or lead to intellectual property theft, and the access has cross-border intelligence-gathering potential.

Experts emphasize a layered defense: hardening applications and the DLL search paths they rely on, improving endpoint monitoring, analyzing network traffic for unusual activity, enforcing network segmentation and strict access controls, conducting proactive threat hunting, and maintaining careful oversight of vendor and supply-chain updates.

The campaign highlights the growing sophistication of Chinese-aligned threat actors and their focus on high-value industrial and telecommunications targets. For organizations across Central and South Asia and the wider ASEAN region, improving visibility, strengthening defenses, segmenting critical networks, and engaging in proactive threat hunting are essential steps to reduce exposure and manage ongoing risk.
