Names | PKPLUG (Palo Alto) | |
Country | ![]() | |
Motivation | Information theft and espionage | |
First seen | 2016 | |
Description | (Palo Alto) For three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker “PKPLUG” for the threat actor group, or groups, behind these and other documented attacks referenced later in this report. We say group or groups as our current visibility doesn’t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking. The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format contains the ASCII magic-bytes “PK” in its header, hence PKPLUG. | |
Observed | Sectors: Government, Healthcare. Countries: China, Indonesia, Mongolia, Myanmar, Taiwan, Tibet, Vietnam. | |
Tools used | 9002 RAT, Farseer, HenBox, PlugX, Poison Ivy, Zupdax. | |
Information | <https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/> | |
Playbook | <https://pan-unit42.github.io/playbook_viewer/?pb=pkplug> |
Last change to this card: 14 April 2020
Download this actor card in PDF or JSON format
Previous: PittyTiger, Pitty Panda
Next: Platinum
Thailand Computer Emergency Response Team (ThaiCERT) Follow us on![]() ![]() |
Report incidents |
|
![]() |
+66 (0)2-123-1234 | |
![]() |
report@thaicert.or.th | |
![]() |
Download PGP key |