Despite its creators abandoning it years ago, millions of devices are still infected with this dangerous malware and still reaching out to its command server.

Still at risk

Despite the creators abandoning the PlugX malware years ago, cybersecurity analysts at Sekoia have warned that millions of devices are still connected to it. Sekoia obtained the IP address of the malware’s command and control (C2) server and, over a six-month period, observed 2.5 million connection requests from infected endpoints in 170 countries. Interestingly, just 15 countries accounted for over 80% of the infections, with Nigeria, India, China, Iran, Indonesia, the UK, Iraq, and the United States leading the pack.

The researchers pointed out that the exact number of infected endpoints cannot be established precisely, for several reasons. Because the malware’s C2 traffic carries no unique identifier, multiple compromised workstations behind one IP address are indistinguishable from a single infection, skewing the results. Conversely, a device on a dynamically assigned IP address can be counted several times as its address changes, and connections through VPN services further distort the country-level statistics.
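To make the counting caveats concrete, here is an added example (not Sekoia’s tooling) that summarises constructed sinkhole log lines in a hypothetical `date src_ip country` format. It reports raw requests, distinct IPs over the whole window (inflated by dynamic-IP churn), and peak daily distinct IPs (deflated by NAT and hosts that do not beacon every day), plus the share held by the top N countries.

```python
"""Summarise C2 sinkhole telemetry and show why host counts are only bounds.
Added example; log format and sample lines are constructed, not real data."""
from collections import Counter, defaultdict

# Constructed sample in the assumed "date src_ip country" format.
SAMPLE_LOG = """\
2024-01-01 203.0.113.5 NG
2024-01-01 203.0.113.5 NG
2024-01-01 203.0.113.5 NG
2024-01-01 198.51.100.7 IN
2024-01-02 198.51.100.8 IN
2024-01-02 203.0.113.5 NG
2024-01-02 192.0.2.9 US
2024-01-03 192.0.2.9 US
2024-01-03 198.51.100.9 IN
"""


def parse(log_text):
    """Yield (date, ip, country) tuples, skipping blank or malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]


def summarise(log_text, top_n=1):
    """Return counts that bracket the true number of infected hosts."""
    recs = list(parse(log_text))
    distinct_ips = {ip for _, ip, _ in recs}
    per_day = defaultdict(set)
    country_of = {}
    for day, ip, country in recs:
        per_day[day].add(ip)
        country_of[ip] = country  # last-seen geolocation per address
    # Peak daily distinct IPs: an address that churns across days counts once
    # per day, so this is less inflated by DHCP/VPN churn than the window total.
    peak_daily = max((len(s) for s in per_day.values()), default=0)
    by_country = Counter(country_of.values())  # one vote per distinct IP
    top_share = sum(n for _, n in by_country.most_common(top_n)) / max(len(distinct_ips), 1)
    return {
        "raw_requests": len(recs),          # upper bound: every beacon counted
        "distinct_ips": len(distinct_ips),  # overcounts under dynamic IPs
        "peak_daily_distinct": peak_daily,  # undercounts behind NAT
        "by_country": dict(by_country),
        "top_n_share": round(top_share, 2),
    }
```

Comparing `distinct_ips` with `peak_daily_distinct` gives a quick sense of how much of a sinkhole count is address churn rather than separate machines.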

First identified in 2008 in cyber-espionage campaigns linked to Chinese state-sponsored actors, PlugX initially targeted organizations in the government, defense, and technology sectors across Asia. Its capabilities included command execution, file manipulation, keylogging, and access to system information. Over the years, PlugX evolved to spread autonomously through USB drives, making containment increasingly difficult. Its target scope expanded to Western organizations after the source code leaked in 2015. PlugX then became a commonly used tool among a range of threat actors, marking a shift from state-sponsored to financially motivated groups and likely prompting its original developers to abandon the project.

Source: BleepingComputer
