ETDA ThaiCERT
Report
Search
Home > List all groups > PKPLUG

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: PKPLUG

NamesPKPLUG (Palo Alto)
CountryChina China
MotivationInformation theft and espionage
First seen2016
Description(Palo Alto) For three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker “PKPLUG” for the threat actor group, or groups, behind these and other documented attacks referenced later in this report. We say group or groups as our current visibility doesn’t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking. The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format contains the ASCII magic-bytes “PK” in its header, hence PKPLUG.
ObservedSectors: Government, Healthcare.
Countries: China, Indonesia, Mongolia, Myanmar, Taiwan, Tibet, Vietnam.
Tools used9002 RAT, Farseer, HenBox, PlugX, Poison Ivy, Zupdax.
Information<https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/>
Playbook<https://pan-unit42.github.io/playbook_viewer/?pb=pkplug>

Last change to this card: 14 April 2020

Download this actor card in PDF or JSON format

Previous: PittyTiger, Pitty Panda
Next: Platinum

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key