RedDelta Deploys PlugX Malware to Target Mongolia and Taiwan in Espionage Campaigns

Category Details
Threat Actors • RedDelta (also tracked under other aliases, including BASIN and Mustang Panda).
Campaign Overview • Targeted multiple countries, including Mongolia, Taiwan, Myanmar, Vietnam, Cambodia, and others.
• Delivered a customized version of the PlugX backdoor between July 2023 and December 2024.
• Used lure documents for social engineering.
Target Regions (or Victims) • Mongolia, Taiwan, Myanmar, Vietnam, Cambodia, Malaysia, Japan, United States, Ethiopia, Brazil, Australia, India.
Methodology • Spear-phishing with lure documents themed on current events (e.g., a Taiwanese presidential candidate, the Vietnamese National Holiday).
• Infection chain built from LNK, MSI, and MSC files.
• Payload loaded through DLL side-loading (DLL search order hijacking).
Product Targeted • No specific product: the chain relies on the victim opening the lure and on Windows DLL loading behaviour, not on a product vulnerability.
Malware Reference • PlugX backdoor, customized for this campaign.
Tools Used • Windows Shortcut (LNK) files
• Windows Installer (MSI) packages
• Microsoft Management Console (MSC) files
• Cloudflare CDN, used to mask C2 traffic
Vulnerabilities Exploited • No software vulnerability (CVE) is reported. The campaign abuses DLL search order hijacking, which is a technique rather than a vulnerability: a legitimate executable loads a malicious DLL placed alongside it.
TTPs • Spear-phishing with social-engineering lure documents.
• LNK, MSI, and MSC files as first-stage infection triggers.
• DLL side-loading to deploy the malware.
• Cloudflare CDN to proxy C2 traffic.
Attribution • Likely China-nexus; targeting aligns with Chinese strategic priorities, particularly governments and organizations in Mongolia, Taiwan, and Southeast Asia.
• Group associated with Chinese espionage activity.
Recommendations • Implement strong email security to filter spear-phishing attempts, and block or quarantine LNK, MSI, and MSC attachments where the business does not need them.
• Use endpoint detection and response (EDR) tooling that can flag DLL side-loading (an unsigned DLL loaded by a legitimate executable from a user-writable directory).
• Monitor network traffic for C2 communications disguised behind services such as CDNs, where the destination domain alone is not a useful indicator.
Source The Hacker News
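The endpoint-side TTPs in the table (LNK, MSI and MSC files as first-stage triggers, then DLL side-loading from a user-writable directory) can be turned into simple detection rules. The block below is an added example written for this summary; it is not code from The Hacker News, Recorded Future or the RedDelta reporting. It runs over a small set of constructed Sysmon-style events (dicts with EventID 1 for process creation and EventID 7 for image load); the field names, rule names, directory lists and the LOLBin set are this example's own assumptions, and the CDN-fronted C2 part of the chain is not covered here.

```python
"""Heuristics for the endpoint side of the RedDelta PlugX infection chain.

Added example, not code from the article or the vendor report. Events are a
simplified, constructed Sysmon-like shape: EventID 1 = process create with
Image / ParentImage / CommandLine, EventID 7 = image load with Image /
ImageLoaded / Signed. All field and rule names are this example's own.
"""
import ntpath
import re

# Substrings of user-writable locations (drive letter stripped, lower-case).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# Locations an unprivileged user cannot normally write to; checked first so
# that e.g. C:\Windows\Temp is not misclassified by the "\temp\" substring.
SYSTEM_DIRS = ("\\windows\\", "\\program files\\", "\\program files (x86)\\")
# Script hosts / LOLBins that an .lnk lure's target command typically uses
# (assumption: an LNK opened from Explorer shows up as explorer.exe -> child).
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe"}


def _norm(path: str) -> str:
    """Lower-case the path and strip the drive letter for prefix tests."""
    return re.sub(r"^[a-z]:", "", path.lower())


def user_writable(path: str) -> bool:
    """True if the path sits somewhere an unprivileged user can write."""
    p = _norm(path)
    return not p.startswith(SYSTEM_DIRS) and any(s in p for s in USER_WRITABLE)


def _paths_in(cmdline: str):
    """Extract quoted and bare Windows paths from a command line."""
    return [q or b for q, b in re.findall(r'"([^"]+)"|([A-Za-z]:\\[^\s"]+)', cmdline)]


def first_stage_trigger(ev):
    """EventID 1: LNK/MSI/MSC-style launches that touch user-writable paths."""
    if ev.get("EventID") != 1:
        return None
    image = ntpath.basename(ev["Image"]).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    writable = [p for p in _paths_in(ev.get("CommandLine", "")) if user_writable(p)]
    exts = {ntpath.splitext(p)[1].lower() for p in writable}
    if image == "mmc.exe" and ".msc" in exts:
        return "mmc.exe opened an .msc console file from a user-writable path"
    if image == "msiexec.exe" and ".msi" in exts:
        return "msiexec.exe installed an .msi package from a user-writable path"
    if parent == "explorer.exe" and image in LOLBINS and writable:
        return ("Explorer launched a script host / LOLBin with a user-writable "
                "path (typical of an .lnk lure's target command line)")
    return None


def dll_side_load(ev):
    """EventID 7: unsigned DLL loaded by an EXE from its own writable directory."""
    if ev.get("EventID") != 7:
        return None
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    unsigned = str(ev.get("Signed", "false")).lower() != "true"
    if exe_dir == dll_dir and unsigned and user_writable(ev["ImageLoaded"]):
        return (f"{ntpath.basename(ev['Image'])} loaded unsigned "
                f"{ntpath.basename(ev['ImageLoaded'])} from its own user-writable "
                "directory (DLL side-loading / search-order hijack)")
    return None


RULES = (first_stage_trigger, dll_side_load)


def detect(events):
    """Run every rule over every event; return (event index, rule name, detail)."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((i, rule.__name__, detail))
    return hits


# Constructed sample telemetry: three malicious first-stage launches, one
# side-load, then two benign events that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Invitation.msc"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\update.msi /qn"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c start C:\Users\alice\AppData\Roaming\svc\viewer.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\svc\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\svc\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi"'},
]

if __name__ == "__main__":
    for idx, rule, detail in detect(SAMPLE_EVENTS):
        print(f"event {idx} [{rule}]: {detail}")
```

The rules are deliberately narrow: a signed executable loading a DLL with a familiar name from System32 is normal, while the same DLL name loaded unsigned from a directory under the user's profile is the side-loading pattern the table describes. Tune the directory lists and the LOLBin set to the environment before deploying anything like this.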

Read full article: https://thehackernews.com/2025/01/reddelta-deploys-plugx-malware-to.html

The above summary has been generated by an AI language model

Published on: January 12, 2025
