 |
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
|
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
APT group: PKPLUG| Names | PKPLUG (Palo Alto) | |
| Country |  China | |
| Motivation | Information theft and espionage | |
| First seen | 2016 | |
| Description | (Palo Alto) For three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker “PKPLUG” for the threat actor group, or groups, behind these and other documented attacks referenced later in this report. We say group or groups as our current visibility doesn’t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking. The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format contains the ASCII magic-bytes “PK” in its header, hence PKPLUG. | |
| Observed | Sectors: Government, Healthcare. Countries: China, Indonesia, Mongolia, Myanmar, Taiwan, Tibet, Vietnam. | |
| Tools used | 9002 RAT, Farseer, HenBox, PlugX, Poison Ivy, THOR, Zupdax. | |
| Operations performed | Mar 2021 | THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group <https://unit42.paloaltonetworks.com/thor-plugx-variant/> |
| Information | <https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/> | |
| Playbook | <https://pan-unit42.github.io/playbook_viewer/?pb=pkplug> | |
Last change to this card: 09 August 2021
Download this actor card in PDF or JSON format
Previous: PittyTiger, Pitty Panda
Next: Platinum
|
Digital Service Security Center Follow us on
|
Report incidents |
|
 |
+66 (0)2-123-1227 | |
 |
[email protected] | |