S0013: PlugX
Analyst context for executives and security teams
PlugX matters because ATT&CK describes it as a Windows remote access tool with modular plugins and many historical relationships to campaigns and threat groups. For leaders, the key decision is not whether the name alone is detected, but whether the organization can prove visibility into the Windows behaviors ATT&CK links to it: discovery, registry querying, masqueraded services or tasks, and obfuscated or encoded files.
Executive priority
Treat PlugX as a resilience and readiness test for Windows endpoint monitoring, incident response triage, and threat-intelligence validation. Its many ATT&CK relationships mean a PlugX finding should trigger careful scoping and evidence preservation, but not automatic attribution. Executives should ask whether SOC and IR teams can quickly answer: which hosts executed suspicious binaries, what users and network settings were enumerated, whether registry and service/task changes occurred, and whether obfuscation limited inspection or control effectiveness.
Technical view
ATT&CK does not provide an official detection section for PlugX, so defenders should validate coverage against the linked techniques rather than rely on a malware name. Focus on Windows telemetry for Query Registry, System Owner/User Discovery, masqueraded tasks or services, and suspicious discovery of network configuration. Because PlugX is associated with obfuscation, binary padding, dynamic API resolution, and encrypted or encoded files, detection engineering should combine behavioral endpoint signals with an awareness of where file inspection breaks down (padded, encrypted, or encoded binaries) and with tuning for suspicious service/task naming, rather than relying on hash-only matching.
Likely telemetry
- Windows endpoint process creation and command-line activity
- Registry query events and registry access telemetry
- Windows service and scheduled task creation, modification, names, and descriptions
- File creation, modification, size anomalies, encoded/encrypted content indicators, and malware-analysis metadata
- Endpoint detection telemetry for dynamic API resolution or suspicious runtime behavior where available
Detection direction
- Validate detections for the ATT&CK-linked behaviors: registry queries, user discovery, network configuration discovery, masqueraded services/tasks, and obfuscated or encoded files.
- Avoid relying only on hashes or static signatures because the linked obfuscation techniques include binary padding, encrypted/encoded files, and dynamic API resolution.
- Tune service and task detections for names or descriptions that imitate legitimate administration artifacts, while accounting for legitimate IT automation to reduce false positives.
- Correlate endpoint discovery behavior with file-obfuscation indicators and unusual persistence-like service/task changes before escalating to malware-family-level conclusions.
- Use relationship context for threat-intelligence enrichment, but do not infer a specific group from PlugX alone because ATT&CK lists multiple groups and a campaign using it.
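To make the detection direction above concrete, the following added Python example (not part of the mirrored ATT&CK object and not Glexia's own tooling) runs the correlation over a handful of constructed, Sysmon-style endpoint events. The event field names, the discovery command patterns, the name fragments used to spot a masqueraded service or task, the trusted and user-writable path lists, and the IT-automation allowlist are all assumptions for illustration; the Run-key paths are the ones the technique table on this page lists for T1547.001. The escalation rule follows the fourth bullet: a host is escalated only when a persistence-like change and discovery behavior co-occur.

```python
"""Correlate Windows endpoint events for PlugX-linked ATT&CK behaviours:
Run-key persistence (T1547.001), masqueraded services or tasks (T1036.004),
and discovery commands (T1012, T1033, T1016). Added example; the event
dictionaries imitate Sysmon-style fields and are a constructed assumption."""
import re
from collections import defaultdict

# Assumed trusted install roots and user-writable locations (lower-case fragments).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "\\temp\\")
# Name fragments that make a service or task look like a system or vendor component.
LEGIT_LOOKING = ("windows", "microsoft", "update", "security", "adobe")
# Tuning allowlist for known IT automation (constructed path, lower-case).
APPROVED_IMAGES = {"c:\\programdata\\contoso-it\\inventory.exe"}

# Run keys named in the technique table; the key path is matched case-insensitively.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Command-line patterns for the discovery behaviours (assumed, not exhaustive).
DISCOVERY_RULES = {
    "registry_query": re.compile(r"\breg(\.exe)?\s+query\b", re.I),
    "user_discovery": re.compile(r"\bwhoami\b", re.I),
    "network_config_discovery": re.compile(r"\bipconfig\b", re.I),
}


def _under(path, fragments):
    p = path.lower()
    return any(f in p for f in fragments)


def classify(event):
    """Return the behaviour categories a single event contributes."""
    cats = set()
    kind = event["type"]
    if kind == "registry_set":
        if RUN_KEY_RE.search(event["key"]):
            cats.add("run_key_persistence")
    elif kind in ("service_create", "task_create"):
        if event["image"].lower() in APPROVED_IMAGES:
            return cats                       # approved automation: no signal
        cats.add("service_task_change")
        looks_legit = any(w in event["name"].lower() for w in LEGIT_LOOKING)
        if looks_legit and not _under(event["image"], TRUSTED_ROOTS):
            cats.add("masqueraded_service_task")
    elif kind == "process_create":
        for cat, rx in DISCOVERY_RULES.items():
            if rx.search(event["cmdline"]):
                cats.add(cat)
        if _under(event["image"], USER_WRITABLE):
            cats.add("binary_from_user_writable_dir")
    return cats


def triage(events):
    """Group categories per host; escalate only when persistence and discovery co-occur."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    verdicts = {}
    for host, cats in per_host.items():
        persistence = bool(cats & {"run_key_persistence", "masqueraded_service_task"})
        discovery = any(c in cats for c in DISCOVERY_RULES)
        verdicts[host] = {"categories": sorted(cats), "escalate": persistence and discovery}
    return verdicts


# Constructed sample events: HOST-A shows the full chain, HOST-B only routine admin activity.
SAMPLE_EVENTS = [
    {"host": "HOST-A", "type": "process_create",
     "image": r"C:\ProgramData\AdobeHelper\AdobeUpdate.exe", "cmdline": "AdobeUpdate.exe"},
    {"host": "HOST-A", "type": "process_create",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"host": "HOST-A", "type": "process_create",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"host": "HOST-A", "type": "process_create", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "HOST-A", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate"},
    {"host": "HOST-A", "type": "service_create", "name": "Windows Update Helper",
     "image": r"C:\ProgramData\AdobeHelper\AdobeUpdate.exe"},
    {"host": "HOST-B", "type": "process_create",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"host": "HOST-B", "type": "task_create", "name": "Windows Inventory",
     "image": r"C:\ProgramData\contoso-it\inventory.exe"},
]

if __name__ == "__main__":
    for host, v in triage(SAMPLE_EVENTS).items():
        print(host, "ESCALATE" if v["escalate"] else "monitor", v["categories"])
```

Run stand-alone it prints one line per host; HOST-A is escalated because a Run-key entry and a legit-looking service pointing into ProgramData coincide with registry, user, and network-configuration discovery, while HOST-B's lone `ipconfig /all` and its allowlisted inventory task stay at monitor level. The allowlist and the escalation gate are the two knobs that absorb legitimate IT automation; widen either only with evidence from your own environment.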
Mitigation priorities
- Prioritize complete Windows endpoint logging for process, registry, file, service, scheduled task, user, and network-configuration activity.
- Harden monitoring and approval workflows for new or modified services and scheduled tasks, especially where names resemble legitimate system or administrative components.
- Ensure malware analysis and file-control processes account for large, padded, encrypted, or encoded binaries that may evade hash-only or size-limited inspection.
- Prepare IR playbooks to scope suspected RAT activity by host, user, persistence mechanism, discovery activity, and outbound network evidence.
- Use ATT&CK relationships to inform threat hunting and intelligence requirements, while keeping attribution decisions evidence-based.
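The third mitigation above, and the second detection bullet, concern binaries that defeat hash-only or size-limited inspection (ATT&CK T1027.001 Binary Padding and T1027.013 Encrypted/Encoded File in the technique table). The following added Python example (not part of the page's ATT&CK object or of any product) triages a file image for three indicators: exceeding an assumed scanner size cap, a long run of trailing filler bytes, and high-entropy content. It also hashes the buffer with the trailing filler stripped, so a padded copy of the same core still matches the unpadded original. The size cap, the thresholds, and the three sample buffers are constructed assumptions; the high-entropy sample is seeded pseudo-random bytes standing in for encrypted content.

```python
"""Triage a file image for padding and encoded/encrypted content indicators
(ATT&CK T1027.001 Binary Padding, T1027.013 Encrypted/Encoded File).
Added example: thresholds and sample buffers are constructed assumptions."""
import hashlib
import math
import random
from collections import Counter

SIZE_CAP = 64 * 1024         # assumed per-file inspection limit of a scanner
MIN_FILLER_RUN = 64          # shorter trailing runs are ordinary file structure
PADDING_RATIO_ALERT = 0.50   # flag when most of the file is one repeated byte
HIGH_ENTROPY = 7.2           # bits per byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data):
    """Bits of entropy per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def trailing_filler(data):
    """Length of the run of a single repeated byte value at the end of the buffer."""
    if not data:
        return 0
    last = data[-1]
    i = len(data) - 1
    while i >= 0 and data[i] == last:
        i -= 1
    return len(data) - 1 - i


def triage_file(data):
    """Return size, padding and entropy indicators plus a hash of the unpadded core."""
    filler = trailing_filler(data)
    if filler < MIN_FILLER_RUN:
        filler = 0                           # treat short runs as legitimate structure
    core = data[: len(data) - filler]
    padding_ratio = filler / len(data) if data else 0.0
    core_entropy = shannon_entropy(core)
    findings = []
    if len(data) > SIZE_CAP:
        findings.append("exceeds_size_cap")
    if padding_ratio >= PADDING_RATIO_ALERT:
        findings.append("trailing_padding")
    if core_entropy >= HIGH_ENTROPY:
        findings.append("high_entropy_core")
    return {
        "size": len(data),
        "padding_ratio": round(padding_ratio, 3),
        "core_entropy": round(core_entropy, 3),
        "sha256": hashlib.sha256(data).hexdigest(),
        "core_sha256": hashlib.sha256(core).hexdigest(),
        "findings": findings,
    }


# Constructed samples (not real malware): a small plain buffer, the same buffer
# with 200 KB of zero padding appended, and seeded pseudo-random bytes standing
# in for encrypted content.
_rng = random.Random(7)
NORMAL_SAMPLE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n$" * 16
PADDED_SAMPLE = NORMAL_SAMPLE + b"\x00" * 200_000
ENCRYPTED_LIKE_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, blob in (("normal", NORMAL_SAMPLE), ("padded", PADDED_SAMPLE),
                       ("encrypted-like", ENCRYPTED_LIKE_SAMPLE)):
        r = triage_file(blob)
        print(f"{name:15} size={r['size']:7d} pad={r['padding_ratio']:.3f} "
              f"H={r['core_entropy']:.2f} core={r['core_sha256'][:12]} {r['findings']}")
```

The padded sample shows why hash-only controls fail: its full-file SHA-256 differs from the original's, yet its core hash is identical, so a file-control process that also records the core hash keeps matching after padding is appended. A file that exceeds the size cap or carries a high-entropy core should be routed to sandbox or manual analysis rather than silently skipped.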
Analyst notes and limits
ATT&CK identifies PlugX as malware S0013, a Windows RAT with modular plugins used by multiple threat groups. The supplied relationships link PlugX to numerous groups and to RedDelta Modified PlugX Infection Chain Operations, whose description includes phishing delivery leading to PlugX loading. Technique relationships supplied for this object emphasize discovery and stealth behaviors.
The official ATT&CK object provides no detection text, no explicit tactics for the malware object, and only Windows as the malware platform. This take therefore focuses on supplied technique relationships and relationship context. Local telemetry, sample analysis, and incident evidence are required before concluding exposure, detection coverage, impact, or attribution.
PlugX
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1622 | Debugger Evasion | PlugX has made calls to Windows API `CheckRemoteDebuggerPresent` and exits if it detects a debugger. (Citation: Sophos Mustang Panda PLUGX) |
| Enterprise | T1112 | Modify Registry | PlugX has a module to create, delete, or modify Registry keys. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: CIRCL PlugX March 2013) (Citation: DOJ Affidavit Search and Seizure PlugX December 2024) |
| Enterprise | T1083 | File and Directory Discovery | PlugX has a module to enumerate drives and find files recursively. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022) (Citation: CIRCL PlugX March 2013) (Citation: Proofpoint TA416 Europe March 2022) PlugX has also checked the path from which it is running for specific parameters prior to execution. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: DOJ Affidavit Search and Seizure PlugX December 2024) (Citation: Sophos Mustang Panda PLUGX) |
| Enterprise | T1614 | System Location Discovery | PlugX has obtained the location of the victim device by leveraging `GetSystemDefaultLCID`. (Citation: Eset PlugX Korplug Mustang Panda March 2022) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | |
| Enterprise | T1091 | Replication Through Removable Media | PlugX has copied itself to infected removable drives for propagation to other victim devices. (Citation: DOJ Affidavit Search and Seizure PlugX December 2024) |
| Enterprise | T1480.002 | Mutual Exclusion Sub-technique | PlugX has leveraged a mutex in its infection process. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: Sophos Mustang Panda PLUGX) |
| Enterprise | T1016 | System Network Configuration Discovery | PlugX has captured victim IP address details of the targeted machine. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: DOJ Affidavit Search and Seizure PlugX December 2024) |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | |
| Enterprise | T1095 | Non-Application Layer Protocol | PlugX can be configured to use raw TCP or UDP for command and control. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: Dell TG-3390) |
| Enterprise | T1204.002 | Malicious File Sub-technique | PlugX has leveraged an initial executable disguised as a legitimate document to trick the target into opening it. (Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022) (Citation: EclecticIQ Mustang Panda PlugX) |
| Enterprise | T1680 | Local Storage Discovery | PlugX has collected a list of all mapped drives on the infected host. (Citation: Eset PlugX Korplug Mustang Panda March 2022) |
| Enterprise | T1056.001 | Keylogging Sub-technique | PlugX has a module for capturing keystrokes per process including window titles. (Citation: CIRCL PlugX March 2013) |
| Enterprise | T1102.001 | Dead Drop Resolver Sub-technique | PlugX uses Pastebin to store C2 addresses. (Citation: Palo Alto PlugX June 2017) |
| Enterprise | T1124 | System Time Discovery | PlugX has identified system time through its GetSystemInfo command. (Citation: Eset PlugX Korplug Mustang Panda March 2022) |
| Enterprise | T1620 | Reflective Code Loading | PlugX has loaded its payload into memory. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: EclecticIQ Mustang Panda PlugX) (Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025) (Citation: Sophos PlugX September 2022) (Citation: Sophos Mustang Panda PLUGX) |
| Enterprise | T1057 | Process Discovery | PlugX has a module to list the processes running on a machine. (Citation: CIRCL PlugX March 2013) |
| Enterprise | T1012 | Query Registry | PlugX can enumerate and query for information contained within the Windows Registry. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: CIRCL PlugX March 2013) (Citation: Lastline PlugX Analysis) |
| Enterprise | T1574.001 | DLL Sub-technique | PlugX has the ability to use DLL search order hijacking for installation on targeted systems. (Citation: Proofpoint TA416 Europe March 2022) (Citation: Sophos PlugX September 2022) PlugX has also used DLL side-loading to evade anti-virus. (Citation: FireEye Clandestine Fox Part 2) (Citation: Dell TG-3390) (Citation: Stewart 2014) (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: Palo Alto PlugX June 2017) (Citation: Trend Micro DRBControl February 2020) (Citation: Profero APT27 December 2020) PlugX has also used a legitimately signed executable to side-load a malicious payload within a DLL file. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022) (Citation: EclecticIQ Mustang Panda PlugX) (Citation: Sophos PlugX September 2022) (Citation: Sophos Mustang Panda PLUGX) |
| Enterprise | T1070.009 | Clear Persistence Sub-technique | PlugX has deleted registry keys that store data and maintained persistence. (Citation: Eset PlugX Korplug Mustang Panda March 2022) |
| Enterprise | T1135 | Network Share Discovery | PlugX has a module to enumerate network shares. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: CIRCL PlugX March 2013) |
| Enterprise | T1127.001 | MSBuild Sub-technique | A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques. (Citation: Palo Alto PlugX June 2017) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | PlugX can be configured to use HTTP for command and control. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: Dell TG-3390) (Citation: EclecticIQ Mustang Panda PlugX) (Citation: Proofpoint TA416 Europe March 2022) PlugX has also used HTTPS for C2. (Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025) |
| Enterprise | T1543.003 | Windows Service Sub-technique | PlugX can be added as a service to establish persistence. PlugX also has a module to change service configurations as well as start, control, and delete services. (Citation: CIRCL PlugX March 2013) (Citation: Lastline PlugX Analysis) (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017) (Citation: Proofpoint ZeroT Feb 2017) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | PlugX allows actors to spawn a reverse shell on a victim. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: CIRCL PlugX March 2013) (Citation: Dell TG-3390) (Citation: EclecticIQ Mustang Panda PlugX) (Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025) (Citation: Sophos PlugX September 2022) |
| Enterprise | T1105 | Ingress Tool Transfer | PlugX has a module to download and execute files on the compromised machine. (Citation: CIRCL PlugX March 2013) (Citation: DOJ Affidavit Search and Seizure PlugX December 2024) (Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025) (Citation: Proofpoint TA416 Europe March 2022) |
| Enterprise | T1686 | Disable or Modify System Firewall | PlugX has modified local firewall rules on victim machines to enable a random, high-number listening port for subsequent access and C2 activity. (Citation: Sygnia VelvetAnt 2024A) |
| Enterprise | T1082 | System Information Discovery | PlugX has collected system information including OS version, processor information, RAM size, location, host name, IP, and screen size of the infected host. (Citation: Eset PlugX Korplug Mustang Panda March 2022) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | PlugX has collected and staged the victim's computer files for exfiltration. (Citation: DOJ Affidavit Search and Seizure PlugX December 2024) |
| Enterprise | T1497.001 | System Checks Sub-technique | PlugX checks if VMware tools is running in the background by searching for any process named "vmtoolsd". (Citation: Unit42 PlugX June 2017) |
| Enterprise | T1049 | System Network Connections Discovery | PlugX has a module for enumerating TCP and UDP network connections and associated processes using the |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | PlugX has been disguised as legitimate Adobe and PotPlayer files. (Citation: Proofpoint TA416 Europe March 2022) PlugX has also imitated legitimate software directories and file names through the creation and storage of a legitimate EXE and the malicious DLLs. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: EclecticIQ Mustang Panda PlugX) (Citation: Sophos PlugX September 2022) (Citation: Sophos Mustang Panda PLUGX) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | PlugX adds Run key entries in the Registry to establish persistence. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: CIRCL PlugX March 2013) (Citation: DOJ Affidavit Search and Seizure PlugX December 2024) (Citation: EclecticIQ Mustang Panda PlugX) (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: Sophos Mustang Panda PLUGX) (Citation: Lastline PlugX Analysis) PlugX has established persistence via the registry keys `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`. (Citation: Eset PlugX Korplug Mustang Panda March 2022) |
| Enterprise | T1027.001 | Binary Padding Sub-technique | PlugX has utilized junk code and opaque predicates in payloads to hinder analysis. (Citation: Eset PlugX Korplug Mustang Panda March 2022) |
| Enterprise | T1071.004 | DNS Sub-technique | PlugX can be configured to use DNS for command and control. (Citation: Dell TG-3390) |
| Enterprise | T1070.004 | File Deletion Sub-technique | PlugX has the ability to remove itself and other artifacts. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: DOJ Affidavit Search and Seizure PlugX December 2024) |
| Enterprise | T1113 | Screen Capture | PlugX allows the operator to capture screenshots. (Citation: CIRCL PlugX March 2013) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | PlugX has created a scheduled task to execute additional malicious software, as well as maintain persistence. (Citation: Eset PlugX Korplug Mustang Panda March 2022) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | PlugX can use RC4 encryption in C2 communications. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: Proofpoint TA416 Europe March 2022) |
| Enterprise | T1571 | Non-Standard Port | PlugX has used random, high-number, non-standard ports to listen for subsequent actions and C2 activities. (Citation: Sygnia VelvetAnt 2024A) |
| Enterprise | T1027.007 | Dynamic API Resolution Sub-technique | PlugX has leveraged obfuscated Windows API function calls that were concealed as unique names, or hashes of the Windows API. (Citation: Eset PlugX Korplug Mustang Panda March 2022) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer. (Citation: CIRCL PlugX March 2013) (Citation: Trend Micro DRBControl February 2020) (Citation: Proofpoint TA416 Europe March 2022) PlugX has also decrypted its payloads in memory. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022) (Citation: EclecticIQ Mustang Panda PlugX) (Citation: Sophos Mustang Panda PLUGX) |
| Enterprise | T1564.003 | Hidden Window Sub-technique | PlugX has the ability to execute a command on a hidden desktop. (Citation: Eset PlugX Korplug Mustang Panda March 2022) |
| Enterprise | T1120 | Peripheral Device Discovery | PlugX can identify removable media attached to compromised hosts. (Citation: DOJ Affidavit Search and Seizure PlugX December 2024) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | PlugX has exfiltrated stolen data and files to its C2 server. (Citation: DOJ Affidavit Search and Seizure PlugX December 2024) (Citation: Sophos PlugX September 2022) |
| Enterprise | T1106 | Native API | PlugX can use the Windows API functions `GetProcAddress`, `LoadLibrary`, and `CreateProcess` to execute another process. (Citation: Eset PlugX Korplug Mustang Panda March 2022) (Citation: Proofpoint TA416 Europe March 2022) (Citation: Lastline PlugX Analysis) |
| Enterprise | T1027 | Obfuscated Files or Information | PlugX can use API hashing and modify the names of strings to evade detection. (Citation: Trend Micro DRBControl February 2020) (Citation: Proofpoint TA416 Europe March 2022) |
| Enterprise | T1033 | System Owner/User Discovery | PlugX has the ability to gather the username from the victim's machine. (Citation: Eset PlugX Korplug Mustang Panda March 2022) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | PlugX has leveraged XOR encryption with the key of 123456789. (Citation: Eset PlugX Korplug Mustang Panda March 2022) |
Groups, software, and campaigns
G1047: Velvet Ant
Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex persistence mechanisms, the targeting of network devices and appliances during operations, and the use of zero day exploits.[1][2]
G1034: Daggerfly
Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.[1][2][3][4]
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
G0022: APT3
APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]
G0126: Higaisa
Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. Higaisa was first disclosed in early 2019 but is assessed to have operated as early as 2009.[1][2][3]
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
G1021: Cinnamon Tempest
Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.[1][2][3][4]
G0093: GALLIUM
GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]
G0001: Axiom
Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
G0062: TA459
G1014: LuminousMoth
LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.[1][2]
C0047: RedDelta Modified PlugX Infection Chain Operations
RedDelta Modified PlugX Infection Chain Operations was executed by Mustang Panda from mid-2023 through the end of 2024 against multiple entities in East and Southeast Asia. RedDelta Modified PlugX Infection Chain Operations involved phishing to deliver malicious files or links to users prompting follow-on installer downloads to load PlugX on victim machines in a persistent state.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.3 | | Current bundle | f9df34816b05… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Lastline PlugX Analysis: Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
- [2] FireEye Clandestine Fox Part 2: Scott, M. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
- [3] New DragonOK: Miller-Osborn, J., Grunzweig, J. (2015, April). Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets. Retrieved November 4, 2015.
- [4] Dell TG-3390: Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- [5] CIRCL PlugX March 2013: Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
- [6] DestroyRAT (Citation: CIRCL PlugX March 2013)
- [7] Kaba (Citation: FireEye Clandestine Fox Part 2)
- [8] Korplug (Citation: Lastline PlugX Analysis) (Citation: CIRCL PlugX March 2013)
- [9] Novetta-Axiom: Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- [10] PlugX (Citation: Lastline PlugX Analysis) (Citation: FireEye Clandestine Fox Part 2) (Citation: CIRCL PlugX March 2013)
- [11] Sogu (Citation: Lastline PlugX Analysis) (Citation: FireEye Clandestine Fox Part 2) (Citation: CIRCL PlugX March 2013)
- [12] TVT (Citation: Novetta-Axiom)
- [13] Thoper (Citation: Novetta-Axiom)
- [14] mitre-attack S0013
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.