Cybersecurity experts are tracking a renewed and highly sophisticated campaign targeting the telecommunications and manufacturing sectors across Central and South Asia, involving a new variant of the widely known PlugX malware.
The attacks, which use technical methods strongly suggesting a link to multiple China-aligned threat actors, are deploying a hybrid version of PlugX that combines features of two distinct backdoors: RainyDay and Turian.
Cisco Talos researchers noted that the new variant is particularly concerning because of its detection-evasion techniques, including payload encryption and decryption routines that overlap with those seen in earlier, advanced campaigns.
The analysis highlights significant technical overlaps that suggest a high probability that multiple Chinese state-aligned hacking groups are either working together or procuring their tools from a common developer.
The new PlugX variant notably diverges from the standard PlugX configuration format, instead adopting the structure of RainyDay, a backdoor previously associated with the China-linked group known as Lotus Panda (also called Naikon APT).
Meanwhile, the variant incorporates features of Turian, a backdoor linked to a separate Chinese-speaking group, BackdoorDiplomacy.
These technical similarities, combined with victimology patterns—particularly the focus on telecom companies—have led researchers to suggest a possible medium-confidence link between the two clusters. In one instance, Naikon was observed targeting a telecom firm in Kazakhstan, a country bordering Uzbekistan, which has previously been a focus of BackdoorDiplomacy.
The attack chain in this campaign typically abuses a legitimate executable to side-load a malicious DLL, which then decrypts the PlugX, RainyDay, or Turian payload and launches it directly in memory.
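Side-loading of this kind leaves a recognisable trace in image-load telemetry: a host process pulls a DLL that normally lives under the Windows system directories from its own folder instead, and that copy is not Microsoft-signed. The heuristic below is an added example, not code from the article or from Cisco Talos; it runs over constructed records shaped like Sysmon Event ID 7 (Image Loaded) fields, and the watchlist of commonly abused DLL names is an assumption to be tuned per environment.

```python
"""Heuristic DLL side-loading detection over Sysmon Event ID 7-style records.

Added example for illustration; not from the article or any vendor report.
Event dictionaries are constructed to resemble Sysmon's Image, ImageLoaded,
Signed and Signature fields. WATCHLIST is an assumed set of DLL names that
legitimately live in the system directories and are often resolved by bare
name, which is what makes them side-loading targets.
"""
import ntpath

# Assumed watchlist of frequently side-loaded system DLL names (constructed).
WATCHLIST = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll", "msvcr100.dll"}

# Locations from which these DLLs are expected to be loaded.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def _norm(path: str) -> str:
    """Case-fold and normalise separators so comparisons work on any host OS."""
    return path.replace("/", "\\").lower()


def _in_system_dir(path: str) -> bool:
    return _norm(path).startswith(SYSTEM_DIRS)


def is_sideload_candidate(event: dict) -> bool:
    """True when a process loads a watchlisted DLL name from its own directory
    instead of a Windows system directory, and that DLL is not Microsoft-signed."""
    image = event["Image"]
    loaded = event["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    if name not in WATCHLIST:
        return False
    if _in_system_dir(loaded):
        return False  # resolved from the expected location; not interesting
    same_dir = _norm(ntpath.dirname(image)) == _norm(ntpath.dirname(loaded))
    microsoft_signed = (
        event.get("Signed", "false").lower() == "true"
        and "microsoft" in event.get("Signature", "").lower()
    )
    return same_dir and not microsoft_signed


def find_sideload_candidates(events: list[dict]) -> list[dict]:
    """Filter a batch of image-load records down to side-loading candidates."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample telemetry (not real events from the campaign).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\ProgramData\Update\host.exe",
     "ImageLoaded": r"C:\ProgramData\Update\version.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Users\Public\svc.exe",
     "ImageLoaded": r"C:\Users\Public\wtsapi32.dll",
     "Signed": "true", "Signature": "Contoso Ltd"},
    {"Image": r"C:\Users\Public\svc.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\userenv.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate: {hit['Image']} loaded {hit['ImageLoaded']}")
```

The fourth record shows why the rule checks the signer rather than only the Signed flag: a DLL with a valid but non-Microsoft signature placed beside the host binary is still a candidate. Records where the host itself sits in a system directory are deliberately not exempted, since copies of signed Windows binaries dropped into user-writable paths are the usual side-loading hosts.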
The disclosure of the PlugX campaign comes as another report, published by Palo Alto Networks Unit 42, sheds light on the internal workings of the Bookworm malware, a modular remote access trojan (RAT) used extensively by the prominent China-aligned threat group Mustang Panda (also known as Stately Taurus).
Bookworm has been active since 2015 and grants attackers extensive control over compromised systems, allowing them to execute arbitrary commands, move files, and exfiltrate data. Unit 42 noted that the RAT’s unique modular architecture allows its core functionality to be expanded by loading additional modules directly from its command-and-control (C2) server.
Like the PlugX variant, Bookworm relies on DLL side-loading for execution. Newer versions, however, package their shellcode as universally unique identifier (UUID) strings that are decoded back into bytes and executed at runtime. Because the payload then appears in the binary as a list of innocuous-looking UUID strings rather than as recognisable machine code, static analysis and signature matching become far more difficult for security teams.
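The UUID trick is simple once seen from both sides: the packer splits the payload into 16-byte chunks and renders each as a UUID string, and the loader later parses those strings back into a contiguous buffer (on Windows commonly via UuidFromStringA) before jumping to it. The code below is an added example, not from the article or from Unit 42's Bookworm analysis. It assumes the mixed-endian layout of a Windows GUID structure (Python's uuid.UUID.bytes_le), which is what UuidFromStringA writes to memory; whether Bookworm uses exactly this byte ordering and zero-padding is an assumption, and the payload bytes are constructed filler, not real shellcode.

```python
"""Shellcode packed as UUID strings: encoder, decoder and string-dump extractor.

Added example for illustration; not code from the article or any vendor report.
Assumption: chunks are laid out as Windows GUID structures (bytes_le ordering),
matching what UuidFromStringA produces in memory. SAMPLE_PAYLOAD is constructed
filler bytes, not real shellcode.
"""
import re
import uuid

UUID_RE = re.compile(r"\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b")


def bytes_to_uuids(payload: bytes) -> list[str]:
    """Split payload into 16-byte chunks and render each as a UUID string.
    The final chunk is zero-padded; the original length is not stored, so a
    loader simply executes the padded buffer (trailing zeros after the code)."""
    out = []
    for i in range(0, len(payload), 16):
        chunk = payload[i:i + 16].ljust(16, b"\x00")
        out.append(str(uuid.UUID(bytes_le=chunk)))
    return out


def uuids_to_bytes(uuid_strings: list[str]) -> bytes:
    """Inverse of bytes_to_uuids: parse each string and emit its GUID-structure
    bytes, reproducing what UuidFromStringA writes into a contiguous buffer.
    Using .bytes instead of .bytes_le would scramble the first 8 bytes of each
    chunk, which is the usual mistake when hand-decoding these samples."""
    return b"".join(uuid.UUID(s).bytes_le for s in uuid_strings)


def extract_uuid_strings(text: str) -> list[str]:
    """Pull UUID-shaped tokens, in order, out of a strings dump of a sample."""
    return UUID_RE.findall(text)


def recover_payload(strings_dump: str) -> bytes:
    """Analyst helper: strings output in, reconstructed payload buffer out."""
    return uuids_to_bytes(extract_uuid_strings(strings_dump))


# Constructed 20-byte filler payload (0x90.. ascending), deliberately not a
# multiple of 16 so the padding path is exercised.
SAMPLE_PAYLOAD = bytes(range(0x90, 0x90 + 20))

# Constructed strings dump: the UUIDs sit among ordinary-looking strings.
SAMPLE_DUMP = "kernel32.dll\n" + "\n".join(bytes_to_uuids(SAMPLE_PAYLOAD)) + "\nExitProcess\n"

if __name__ == "__main__":
    for s in bytes_to_uuids(SAMPLE_PAYLOAD):
        print(s)
    print(recover_payload(SAMPLE_DUMP).hex())
```

For triage, a long run of consecutive UUID strings in a binary's string table, especially where the UUIDs do not carry the version and variant bits of real RFC 4122 identifiers, is itself a useful indicator that this packing is in use.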
Both reports underscore a long-term commitment by Chinese state-aligned actors to develop and adapt modular, highly evasive malware for sustained espionage and data theft campaigns across Asia.

