ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > PKPLUG

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: PKPLUG

NamesPKPLUG (Palo Alto)
CountryChina China
MotivationInformation theft and espionage
First seen2016
Description(Palo Alto) For three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker “PKPLUG” for the threat actor group, or groups, behind these and other documented attacks referenced later in this report. We say group or groups as our current visibility doesn’t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking. The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format contains the ASCII magic-bytes “PK” in its header, hence PKPLUG.
ObservedSectors: Government, Healthcare.
Countries: China, Indonesia, Mongolia, Myanmar, Taiwan, Tibet, Vietnam.
Tools used9002 RAT, Farseer, HenBox, PlugX, Poison Ivy, THOR, Zupdax.
Operations performedMar 2021THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group
<https://unit42.paloaltonetworks.com/thor-plugx-variant/>
Information<https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/>
Playbook<https://pan-unit42.github.io/playbook_viewer/?pb=pkplug>

Last change to this card: 09 August 2021

Download this actor card in PDF or JSON format

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]