Researchers have uncovered a previously undocumented threat actor of Chinese origin that has run at least six different cyber espionage campaigns in the Southeast Asian region since 2013.

The findings — published by Palo Alto Networks’ threat intelligence team Unit 42 — linked the attacks to a group (or groups) it called PKPLUG, named after its tactic of carrying PlugX malware inside ZIP files, which are identified by the signature “PK.”

The ambiguity in its attribution is because “our current visibility doesn’t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking,” Unit 42 said.

PKPLUG has been found to install backdoor Trojan implants on victim systems, including mobile devices, for tracking and gathering information, although their ultimate motives are as yet unclear.

Their main targets include Myanmar, Taiwan, Vietnam, and Indonesia, along with Mongolia, Tibet, and Xinjiang, all three of which are known for their strained relations with China. Xinjiang province, in particular, is home to the country’s Uyghur Muslim minority, a community that has been the subject of persecution and intense surveillance in recent years.

“This group (or groups) has a long history and series of creating custom tools which implies they are persistent, and well-resourced,” Unit 42’s Alex Hinchliffe told TNW. “For example, the creation and use of a custom Android malware […] may indicate their targets require unique attention based on the common operating systems used or that they need that capability generally. This group(s) is patient in what they work toward.”

PKPLUG modus operandi

Unit 42’s report combines its own analysis with those published by other cybersecurity firms such as Blue Coat Labs and Arbor Networks to piece together a timeline of PKPLUG’s malware-based tactics, techniques, and procedures (TTPs).

The earliest known PKPLUG attack is said to have occurred in November 2013, when they were found to target Mongolian individuals with PlugX malware. Three years later, they were caught using Poison Ivy malware against Myanmar and other Asian countries.

That same year, Unit 42 reported attacks via spear phishing emails used to download a ZIP file hosted on Google Drive that loaded a Trojan to compromise victim devices.

In early 2018, the firm discovered a new malware family — called HenBox — that masqueraded as a legitimate Android app to primarily target the Uyghurs and compromise Xiaomi devices with a goal to harvest outgoing phone calls to China and access the phone’s microphone and camera.

Interestingly, the analysis gave away one of PKPLUG’s other tricks to lure unsuspecting users: make the espionage app available on a third-party Android app store, and even pose as a VPN app named DroidVPN to get them to download it.

VPN apps are how citizens in China get around the Great Firewall, and the fact that they were used as an attack vector is indicative of cybercriminals’ tendency to increasingly bank on users’ trust in security-related apps to install malware.

Fast forward to February 2019, Unit 42 uncovered the group’s use of a Windows backdoor known as Farseer, which leveraged sideloaded libraries to install malicious payloads — a common technique that connects their disparate campaigns.

PKPLUG’s reuse of domain names and IP addresses also helped strengthen the overlaps among the different cyber offensives, the analysis noted.

The need for endpoint security

Details of PKPLUG’s elaborate cyber espionage attacks come merely days after Check Point Research published a similar data-stealing attack directed at Southeast Asia undertaken by a Chinese hacking group called Rancor.

Asked if these state-sponsored actors could be working in tandem to enable targeted operations on a large scale, Hinchliffe told TNW: “We’ve seen nation-states, like Russia, hire multiple groups to carry out attacks, and while it’s possible in this scenario, we don’t have enough data at this time to make that assumption.”

In addition to avoiding downloading apps from third-party Android stores, Hinchliffe recommends businesses secure their network endpoints, and evaluate their BYOD (short for “bring your own device”) policies by limiting device access to the network.

Although this latest analysis offers a peek into PKPLUG’s activities, it’s far from a complete picture.