PlugX DLL sideloading campaign targeting Central and South Asian telecom and manufacturing sectors
Campaign
Summary
PlugX is being distributed in an ongoing campaign that is targeting telecommunications and manufacturing sectors across Central and South Asian countries, raising the risk of repeated intrusion attempts and post-compromise access. The operation uses DLL sideloading and overlaps with tradecraft seen in RainyDay and Turian backdoors. Analysts say the similarities suggest a medium-confidence link to a Chinese-speaking actor. The campaign matters because it combines a broad regional target set with stealthy payload loading that can help evade detection.
Related Happenings
Mustang Panda Asia-Pacific and Japan CDN impersonation espionage campaign
Campaign
First: 14.05.2026 18:00
Last: 14.05.2026 18:00
Sources 1
About this happening:
A **Mustang Panda** espionage campaign used **CDN impersonation** and **DLL sideloading** to target **Asia-Pacific and Japan** networks, extending from **late September 2025 throu...
Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles
Campaign
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
**Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...
LotusLite backdoor delivered via DLL sideloading
Malware Activity
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
The **LotusLite** backdoor is being delivered through **malicious files** and **DLL sideloading**, creating a remote-access malware activity that supports **espionage**. The opera...
Dohdoor backdoor activity on Windows endpoints
Malware Activity
First: 26.02.2026 17:17
Last: 26.02.2026 17:17
Sources 1
About this happening:
A new **Dohdoor** backdoor is being used to provide **DNS-over-HTTPS (DoH)** C2 and **reflective payload execution** on **Windows** endpoints, increasing stealth and post-compromi...
DKnife gateway-monitoring malware framework
Malware Activity
First: 06.02.2026 19:00
Last: 06.02.2026 19:00
Sources 1
About this happening:
The discovery of **DKnife** exposes a **long-running malware framework** that has remained active since at least **2019**, raising the risk of **gateway-level traffic interception...
Timeline
- 27.09.2025 15:06 · 2 articles
  Ongoing PlugX campaign targets Central and South Asian telecom and manufacturing sectors
  Initial Disclosure: Analysts reported an ongoing PlugX campaign against telecommunications and manufacturing sectors in Central and South Asia, using a legitimate Mobile Popup Application executable to sideload a malicious DLL that decrypts and launches PlugX, RainyDay, and Turian payloads in memory. The PlugX variant's configuration diverges from the usual format and instead matches the RainyDay structure, with overlapping DLL sideloading, XOR-RC4-RtlDecompressBuffer encryption and decryption, RC4 key reuse, and an embedded keylogger plugin, supporting a medium-confidence link to a Chinese-speaking actor.
Sources:
- China-Linked PlugX and Bookworm Malware Attacks Target Asian Telecom and ASEAN Networks — thehackernews.com — 27.09.2025 15:06