{"id":3129,"date":"2026-02-26T10:30:02","date_gmt":"2026-02-26T09:30:02","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=3129"},"modified":"2026-03-02T09:55:56","modified_gmt":"2026-03-02T08:55:56","slug":"plugx-meeting-invitation-via-msbuild-and-gdata","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/plugx-meeting-invitation-via-msbuild-and-gdata\/","title":{"rendered":"PlugX Meeting Invitation via MSBuild and GDATA"},"content":{"rendered":"\n<p>In relation to the <a href=\"https:\/\/sect.iij.ad.jp\/blog\/2026\/02\/plugx-executed-via-staticplugin\/\">latest variant of the PlugX RAT executed by STATICPLUGIN analyzed by IIJ-SECT<\/a>, LAB52 aims to complement this information with additional observed deployment activity and encryption characteristics in samples analyzed by this team.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">PlugX<\/h1>\n\n\n\n<p>PlugX is a long-running Remote Access Trojan (RAT) that has been consistently linked to multiple China-aligned threat actors and espionage operations worldwide. Since its public identification around 2008, it has been attributed to groups such as Mustang Panda, APT41, APT10, and Deep Panda, among others. These actors have deployed PlugX in targeted campaigns affecting government institutions, diplomatic entities, defense organizations, technology companies, energy providers, and NGOs across Europe, Asia, and North America. Its sustained use over more than a decade reflects both its adaptability and its operational value within China-linked cyber-espionage ecosystems.<\/p>\n\n\n\n<p>From an operational standpoint, PlugX is typically delivered through spear-phishing emails carrying malicious attachments, weaponized Word or Excel documents with macros, executables disguised as legitimate software, or via supply chain compromise scenarios. 
A recurring characteristic of PlugX campaigns is the abuse of DLL side-loading, in which legitimate and often digitally signed applications are leveraged to load malicious DLLs, thereby reducing suspicion and bypassing certain security controls. This combination of social engineering, trusted software abuse, and modular payload design has enabled PlugX to remain a relevant and frequently observed tool in international cyber-espionage operations.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Initial Deployment<\/h1>\n\n\n\n<p>In this case, during the deployment of PlugX, the G DATA antivirus executable (Avk.exe) is used to load the malicious DLL Avk.dll via DLL side-loading. In the case analysed by LAB52, the infection chain begins with a phishing email titled \u201cMeeting Invitation\u201d followed by a date. The content includes two links:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A URL redirecting to the <a href=\"https:\/\/www.stjornarradid.is\/\" data-type=\"link\" data-id=\"https:\/\/www.stjornarradid.is\/\">Ministry of Foreign Affairs of Iceland<\/a>.<\/li>\n\n\n\n<li>A URL allowing the download of a .zip file containing two files:\n<ul class=\"wp-block-list\">\n<li><strong>Invitation_Letter_No.02_2026.csproj<\/strong>\n<ul class=\"wp-block-list\">\n<li>Script used to download and execute artifacts.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Invitation_Letter_No.02_2026.exe<\/strong>\n<ul class=\"wp-block-list\">\n<li>MSBuild.exe, used as a LOLBIN to execute the script that downloads and runs the software (.csproj).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"611\" height=\"98\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-20.png\" alt=\"\" class=\"wp-image-3134\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-20.png 
611w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-20-300x48.png 300w\" sizes=\"(max-width: 611px) 100vw, 611px\" \/><\/figure><\/div>\n\n\n<p>During execution, the malware displays a decoy document.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"859\" height=\"1024\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-18-859x1024.png\" alt=\"\" class=\"wp-image-3131\" style=\"width:406px;height:auto\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-18-859x1024.png 859w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-18-252x300.png 252w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-18-768x915.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-18.png 987w\" sizes=\"(max-width: 859px) 100vw, 859px\" \/><\/figure><\/div>\n\n\n<p>The .csproj file contains three Base64-encoded URLs using the domain:<\/p>\n\n\n\n<p><code><mark style=\"background-color:#d2d2d2\" class=\"has-inline-color\">https[:]\/\/onedown[.]gesecole[.]net\/download<\/mark><\/code><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"876\" height=\"756\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-19.png\" alt=\"\" class=\"wp-image-3133\" style=\"width:614px;height:auto\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-19.png 876w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-19-300x259.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-19-768x663.png 768w\" sizes=\"(max-width: 876px) 100vw, 876px\" \/><\/figure><\/div>\n\n\n<p>The downloaded files correspond to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AVK.exe<\/strong> \u2013 a legitimate G DATA Antivirus executable, which fails if executed directly because 
it requires AVK.dll. After download, it is renamed with a random filename.<\/li>\n\n\n\n<li><strong>Avk.dll<\/strong> \u2013 identified by VirusTotal as Korplug (a PlugX variant). It is renamed upon download so it can be loaded via DLL side-loading by AVK.exe.<\/li>\n\n\n\n<li><strong>AVKTray.dat<\/strong> \u2013 an encrypted file not found in VirusTotal, also renamed during download.<\/li>\n<\/ul>\n\n\n\n<p>During execution of the main file (Invitation_Letter_No.02_2026.exe), the following actions occur:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Execution of <strong>Invitation_Letter_No.02_2026.csproj<\/strong>, leading to the download of the mentioned files and subsequent execution of Avk.dll via DLL side-loading, enabling payload injection.<\/li>\n\n\n\n<li>Creation of files in <code><mark style=\"background-color:#dcdcdc\" class=\"has-inline-color\">%TEMP%\/[a-b0-9]{8}<\/mark><\/code> which are deleted after use. These files share the same random folder name and use the following extensions: <mark style=\"background-color:#dcdcdc\" class=\"has-inline-color\"><code>.cs<\/code>, <code>.cmdline<\/code>, <code>.pdb<\/code>, <code>.TMP<\/code>, <code>.dll<\/code>, <code>.out<\/code><\/mark>.<\/li>\n\n\n\n<li>Persistence via the Run registry key \u201cG DATA\u201d, executing Avk.exe as follows (numeric values may vary; examples shown): <code><mark style=\"background-color:#dcdcdc\" class=\"has-inline-color\">\"C:\\Users\\Public\\GDatas\\Avk.exe\" 865 322<\/mark><\/code><\/li>\n\n\n\n<li>Communications with:<br><code><mark style=\"background-color:#dcdcdc\" class=\"has-inline-color\">https[:]\/\/decoraat[.]net:443<\/mark><\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Obfuscation Capabilities<\/h1>\n\n\n\n<p>Through analysis of the infection procedure, the following encryption-related capabilities were identified:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avk.dll obtains the name 
of the file to be loaded (AVKTray.dat) from an XOR-encoded string hardcoded in the .rdata section using key 0x7F.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"765\" height=\"206\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-21.png\" alt=\"\" class=\"wp-image-3135\" style=\"width:509px;height:auto\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-21.png 765w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-21-300x81.png 300w\" sizes=\"(max-width: 765px) 100vw, 765px\" \/><\/figure><\/div>\n\n\n<p>It is possible that other loaders use the same procedure while varying the filename and corresponding value, but maintaining the same structure.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In addition to key 0x7F, analysis of Avk.dll code revealed that key 0x98 could also be used in other scenarios, although it is not activated for these files.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"886\" height=\"429\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-22.png\" alt=\"\" class=\"wp-image-3136\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-22.png 886w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-22-300x145.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-22-768x372.png 768w\" sizes=\"(max-width: 886px) 100vw, 886px\" \/><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Avk.dll decrypts AVKTray.dat using XOR with key 0x4F.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"486\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-23-1024x486.png\" alt=\"\" class=\"wp-image-3137\" 
srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-23-1024x486.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-23-300x142.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-23-768x365.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-23.png 1034w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>The payload includes the decoy PDF within the overlay section. Embedding the decoy as part of the overlay is common in PlugX.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"187\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-24-1024x187.png\" alt=\"\" class=\"wp-image-3138\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-24-1024x187.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-24-300x55.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-24-768x140.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-24.png 1034w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"342\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-25-1024x342.png\" alt=\"\" class=\"wp-image-3139\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-25-1024x342.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-25-300x100.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-25-768x256.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-25.png 1034w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The configuration can also be observed in the decrypted payload. 
In this case, the RC4 key is as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Offset<\/th><th>Description<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>0x00<\/td><td>RC4 key length<\/td><td>0Bh (11 bytes)<\/td><\/tr><tr><td>0x04<\/td><td>RC4 key (12 bytes)<\/td><td>fzsbnWTgLLqp<\/td><\/tr><tr><td>0x16<\/td><td>Start of encrypted data<\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>When decrypted using the key according to its length (fzsbnWTgLLq), hexadecimal strings are obtained and interpreted similarly to what was explained in IIJ-SECT, using the same algorithm to obtain the C2, which in this case is <strong>decoorat[.]net<\/strong>. The configuration also indicates the use of HTTPS over port 443 (BB01).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"886\" height=\"163\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-26.png\" alt=\"\" class=\"wp-image-3140\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-26.png 886w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-26-300x55.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-26-768x141.png 768w\" sizes=\"(max-width: 886px) 100vw, 886px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>API Hashing<\/strong><\/h2>\n\n\n\n<p>Both Avk.dll and the injected payload use API hashing to obfuscate module and function addresses invoked during execution.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avk.dll uses DJB2-based API hashing.<\/li>\n\n\n\n<li>The injected payload uses API hashing based on ROL-19 plus cumulative character summation.<\/li>\n<\/ul>\n\n\n\n<p>The list of hashes used by the attackers has been provided. Notably, the list for Avk.dll enables identification of these files in memory and facilitated the discovery of additional hashes. 
However, the hash list used by the payload would only be observable in memory in this case.<\/p>\n\n\n\n<p>It cannot be ruled out that unrelated malware samples may also use the same API hashing algorithm.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Meeting Invitation from APT Groups<\/h1>\n\n\n\n<p>There are precedents of advanced persistent threat (APT) campaigns using themed invitations (events, receptions, conferences) as spear-phishing lures to distribute malware or sophisticated loaders and compromise strategic targets.<\/p>\n\n\n\n<p>For example, <strong>UNC6384<\/strong> (with tactical and infrastructure overlaps with Mustang Panda) <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx\/\">exploited vulnerability ZDI-CAN-25373 to deploy PlugX<\/a>, using a supposed European Commission meeting agenda as an infection lure.<\/p>\n\n\n\n<p><strong>APT29 <\/strong>(also known as Cozy Bear \/ Midnight Blizzard, linked to Russia) <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/european-diplomats-targeted-apt29-cozy-bear-wineloader\">sent emails containing fake invitations to dinners or diplomatic events<\/a> that directed victims to malicious links or documents deploying loaders such as ROOTSAW, WINELOADER, or GRAPELOADER against political parties and government entities in Europe. 
These campaigns leveraged the trust associated with formal invitations to deceive victims and deploy persistent malware.<\/p>\n\n\n\n<p>A campaign documented by FireEye showed that <strong>APT34<\/strong> used <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/hard-pass-declining-apt34-invite-to-join-their-professional-network\/\">spoofed LinkedIn invitations<\/a> to entice recipients into opening malicious documents that installed backdoors such as TONEDEAF and credential-stealing tools.<\/p>\n\n\n\n<p>There are also historical reports of groups such as <strong>Lotus Blossom<\/strong> using emails offering <a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-psa-conference-invite-used-lure-operation-lotus-blossom-actors\/\">invitations to cybersecurity conferences<\/a> to deliver trojans such as Emissary, although this corresponds to an earlier phase of APT activity.<\/p>\n\n\n\n<p>These campaigns represent just one example of how threat actors leverage social engineering techniques based on calendar events or invitations, using seemingly legitimate contexts to lower victims\u2019 defenses and encourage them to open files or follow links that ultimately trigger sophisticated infection chains.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Conclusions<\/h1>\n\n\n\n<p>The analysis of this campaign reinforces how PlugX continues to evolve while maintaining many of its historically consistent tradecraft elements. In this case, the use of legitimate G DATA antivirus components \u2014 particularly a freely available executable \u2014 highlights the actors\u2019 continued reliance on DLL side-loading to blend malicious execution with trusted software. Avk.dll functions as a relatively simple yet effective loader, structured around a minimal set of core routines and a localized junk function to hinder static analysis. 
Its responsibility is clear: retrieve and decrypt the payload stored in AVKTray.dat, whose filename is embedded within the DLL in XOR-encoded form. Although two potential XOR keys are present in the code, only one is actively used in this sample. This detail opens an interesting analytical avenue, as the structured method of storing encoded filenames inside DLLs could provide valuable leads for identifying related activity or future variants.<\/p>\n\n\n\n<p>From a defensive perspective, understanding this filename obfuscation approach may support the development of preventive detection rules, particularly if patterns in naming conventions or encoding logic can be generalized. Further comparative analysis across samples could determine whether a reusable script or shared development methodology underpins these loaders.<\/p>\n\n\n\n<p>Operationally, the loader triggers a context change event to initiate payload execution within the same process, maintaining stealth and reducing behavioral anomalies. Its consistent use of DJB2-based API hashing ensures that all function calls are resolved indirectly, complicating static detection efforts. Detection rules have already been defined based on this behavior, and initial results suggest the possibility that this sample represents one of the most recent operational instances observed. Additional analysis of newly identified artifacts will be necessary to confirm this hypothesis.<\/p>\n\n\n\n<p>Finally, the injected DLL \u2014 decrypted from AVKTray.dat \u2014 embeds a decoy PDF within its overlay section, a technique that aligns with long-standing operational patterns associated with PlugX. Incorporating the decoy directly into the overlay allows the malware to present a convincing lure to the victim while keeping the malicious logic tightly coupled within the same artifact. This dual-purpose design reflects a mature development approach in which social engineering and technical execution are carefully integrated. 
Given the recurring use of PDF decoys in recent activity, this choice appears deliberate and consistent with the broader objective of maintaining credibility while minimizing suspicion during the early stages of compromise.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Intelligence Availability Notice<\/h1>\n\n\n\n<p>This article presents selected insights derived from our broader threat intelligence operations and coverage. Additional details related to this campaign, as well as other investigations and ongoing intelligence activities, are enriched and available through our&nbsp;<strong><a href=\"https:\/\/s2grupo.es\/soluciones\/threat-intelligence\/\">private intelligence feed.<\/a><\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Indicators of Compromise (IOC)<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Files<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Name<\/strong><\/td><td><strong>Hash SHA256<\/strong><\/td><td><strong>Size 
(kb)<\/strong><\/td><\/tr><tr><td>AVKTray.dat<strong><\/strong><\/td><td>e7ed0cd4115f3ff35c38d36cc50c6a13eba2d845554439a36108789cd1e05b17<\/td><td>673,913<\/td><\/tr><tr><td>Avk.dll<\/td><td>46314092c8d00ab93cbbdc824b9fc39dec9303169163b9625bae3b1717d70ebc<\/td><td>5,120<\/td><\/tr><tr><td>AVK.exe<\/td><td>8421e7995778faf1f2a902fb2c51d85ae39481f443b7b3186068d5c33c472d99<\/td><td>943,696<\/td><\/tr><tr><td>Invitation_Letter_No.02_2026.zip<\/td><td>29cd44aa2a51a200d82cca578d97dc13241bc906ea6a33b132c6ca567dc8f3ad<\/td><td>113,212<\/td><\/tr><tr><td>Invitation_Letter_No.02_2026.csproj<\/td><td>de8ddc2451fb1305d76ab20661725d11c77625aeeaa1447faf3fbf56706c87f1<\/td><td>3,249<\/td><\/tr><tr><td>Invitation_Letter_No.02_2026.exe<\/td><td>5f9af68db10b029453264cfc9b8eee4265549a2855bb79668ccfc571fb11f5fc<\/td><td>255,920<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Name<\/strong><\/td><td><strong>Hash sha256<\/strong><\/td><td><strong>Size (KB)<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td>AVKTray.dat decrypted<\/td><td>d293ded5a63679b81556d2c622c78be6253f500b6751d4eeb271e6500a23b21e<\/td><td>658<\/td><td>AVKTray.dat file decrypted with XOR key 0x4F<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Name<\/strong><\/td><td><strong>Hash sha256<\/strong><\/td><td><strong>Size (KB)<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td>Pdf (decoy)<\/td><td>6df8649bf4e233ee86a896ee8e5a3b3179c168ef927ac9283b945186f8629ee7<\/td><td>57<\/td><td>Pdf inside the overlay of the dll injected. 
This is a decoy that will be shown to the user.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Communications<\/strong><\/h2>\n\n\n\n<p>https[:]\/\/onedow[.]gesecole[.]net\/download<\/p>\n\n\n\n<p>https[:]\/\/decoraat[.]net:443<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Persistence<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Files saved in:<\/li>\n<\/ul>\n\n\n\n<p>C:\\Users\\Public\\GDatas<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Modification of key:<\/li>\n<\/ul>\n\n\n\n<p>HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>API Hashing<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AVK.dll<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>Modules<\/em><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Hash <\/strong><\/td><td><strong>Module<\/strong><\/td><\/tr><tr><td>0x7040EE75<\/td><td>Kernel32.dll<\/td><\/tr><tr><td>0x22D3B5ED<\/td><td>ntdll.dll<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>APIs<\/em><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Hash <\/strong><\/td><td><strong>Kernel32.dll<\/strong><\/td><\/tr><tr><td>0x13B8A163<\/td><td>GetModuleFileNameW<\/td><\/tr><tr><td>0x382C0F97<\/td><td>VirtualAlloc<\/td><\/tr><tr><td>0x668FCF2E<\/td><td>VirtualFree<\/td><\/tr><tr><td>0x5D01F1B2<\/td><td>CreateEventW<\/td><\/tr><tr><td>0x877EBBD3<\/td><td>SetEvent<\/td><\/tr><tr><td>0x0E19E5FE<\/td><td>Sleep<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table 
class=\"has-fixed-layout\"><tbody><tr><td><strong>Hash<\/strong><\/td><td><strong>ntdll.dll<\/strong><\/td><\/tr><tr><td>0x15A5ECDB<\/td><td>NtCreateFile<\/td><\/tr><tr><td>0x4725F863<\/td><td>NtQueryInformationFile<\/td><\/tr><tr><td>0x8B8E133D<\/td><td>NtClose<\/td><\/tr><tr><td>0x2E979AE3<\/td><td>ReadFile<\/td><\/tr><tr><td>0x1703AB2F<\/td><td>NtTerminateProcess<\/td><\/tr><tr><td>0x082962C8<\/td><td>NtProtectVirtualMemory<\/td><\/tr><tr><td>0x0E4DA1C11<\/td><td>RegisterWait<\/td><\/tr><tr><td>0x0C0D8989A<\/td><td>RtlDeregisterWait<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Injected Payload from AVKTray.dat<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>Modules<\/em><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Hash<\/strong><\/td><td><strong>Module<\/strong><\/td><\/tr><tr><td>0x794D2C1B<\/td><td><strong>ntdll.dll<\/strong><\/td><\/tr><tr><td>0x7C0A2A4A<\/td><td><strong>kernel32.dll<\/strong><\/td><\/tr><tr><td>0x534AE0B8<\/td><td><strong>kernelbase.dll<\/strong><\/td><\/tr><tr><td>0x6A47F6BB<\/td><td><strong>winhttp.dll<\/strong><\/td><\/tr><tr><td>0x3CF5E5AD<\/td><td><strong>ws2_32.dll<\/strong><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>APIs<\/em><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Hash <\/strong><\/td><td><strong>ntdll.dll<\/strong><\/td><\/tr><tr><td>0xEC0E4D4E<\/td><td>NtAllocateVirtualMemory<\/td><\/tr><tr><td>0x0306F0EC<\/td><td>NtProtectVirtualMemory<\/td><\/tr><tr><td>0x91AF6E44<\/td><td>NtFreeVirtualMemory<\/td><\/tr><tr><td>0x794D2C1B<\/td><td>NtQueryInformationProcess<\/td><\/tr><tr><td>0x534AE0B8<\/td><td>NtSetInformationThread<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table 
class=\"has-fixed-layout\"><tbody><tr><td><strong>Hash<\/strong><\/td><td><strong>Kernel32.dll<\/strong><\/td><\/tr><tr><td>0x7C0A2A4A<\/td><td>LoadLibraryA<\/td><\/tr><tr><td>0x794F23CA<\/td><td>GetProcAddress<\/td><\/tr><tr><td>0x57B0B568<\/td><td>VirtualAlloc<\/td><\/tr><tr><td>0x5C28F480<\/td><td>VirtualProtect<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Hash<\/strong><\/td><td><strong>winhttp.dll<\/strong><\/td><\/tr><tr><td>0x534AE0B8<\/td><td>WinHttpOpen<\/td><\/tr><tr><td>0x0306F0EC<\/td><td>WinHttpConnect<\/td><\/tr><tr><td>0x0D56A5E9<\/td><td>WinHttpOpenRequest<\/td><\/tr><tr><td>0xE8560C81<\/td><td>WinHttpSendRequest<\/td><\/tr><tr><td>0xF0B8EEC9<\/td><td>WinHttpReceiveResponse<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Hash <\/strong><\/td><td><strong>ws2_32.dll<\/strong><\/td><\/tr><tr><td>0x3CF5E5AD<\/td><td>socket<\/td><\/tr><tr><td>0x793C2E6A<\/td><td>connect<\/td><\/tr><tr><td>0x1B7FBEC4<\/td><td>send<\/td><\/tr><tr><td>0x47F8F21D<\/td><td>recv<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>In relation to the latest variant of the PlugX RAT executed by STATICPLUGIN analyzed by IIJ-SECT, LAB52 aims to complement this information with additional observed deployment activity and encryption characteristics in samples analyzed by this team. 
PlugX PlugX is a long-running Remote Access Trojan (RAT) that has been consistently linked to multiple China-aligned threat actors [&hellip;]<\/p>\n","protected":false},"author":31,"featured_media":3144,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-3129","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-uncategorised","8":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/meeting-600x400.png","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/meeting-600x600.png","author_info":{"display_name":"10ba","author_link":"https:\/\/lab52.io\/blog\/author\/10ba\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/3129"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=3129"}],"version-history":[{"count":7,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/3129\/revisions"}],"predecessor-version":[{"id":3150,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/3129\/revisions\/3150"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/3144"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=3129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/catego
ries?post=3129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=3129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}