{"id":127812,"date":"2025-09-29T22:16:56","date_gmt":"2025-09-29T16:46:56","guid":{"rendered":"https:\/\/www.techworm.net\/?p=127812"},"modified":"2025-09-29T22:16:56","modified_gmt":"2025-09-29T16:46:56","slug":"chinese-hackers-revive-plugx-in-telecom-cyberattacks","status":"publish","type":"post","link":"https:\/\/www.techworm.net\/2025\/09\/chinese-hackers-revive-plugx-in-telecom-cyberattacks.html","title":{"rendered":"Chinese Hackers Revive PlugX In Telecom Cyberattacks"},"content":{"rendered":"

Researchers at Cisco Talos have uncovered a sophisticated cyberespionage campaign tied to Chinese-speaking advanced persistent threat (APT) actors, marking the latest chapter in Beijing\u2019s expanding digital spy operations.<\/p>\n

The operation, which has been active since 2022, is targeting telecommunications and manufacturing companies across Central and South Asia. At its core is a revamped version of PlugX, a notorious piece of remote access Trojan (RAT) first spotted back in 2008.\u00a0<\/strong><\/p>\n

PlugX has been deployed in some of the most high-profile cyberattacks worldwide, including the 2015 breach of the U.S. Office of Personnel Management. Despite its age, PlugX remains one of the most effective tools in China\u2019s cyber arsenal, and researchers now believe some groups may even have access to its original source code.<\/p>\n

What\u2019s Happening?<\/strong>\u00a0<\/strong><\/p>\n

In a blog post, <\/a>Cisco Talos attributed the campaign with medium confidence to Naikon, an active Chinese-speaking threat actor that has been operating since 2010 and linked to the People\u2019s Liberation Army. The group primarily targeted government, military, and civil organizations across Southeast Asia.<\/p>\n

According to Cisco Talos, the new PlugX variant bears a striking resemblance to two other Chinese espionage tools \u2014 RainyDay and Turian \u2014 suggesting that Naikon may be working closely with, or even overlapping with,\u00a0BackdoorDiplomacy, another APT known for deploying the Turian backdoor.<\/p>\n

All three malware families share key traits: abuse of legitimate applications for DLL sideloading, using identical encryption routines, and deploying advanced anti-analysis methods.<\/p>\n

Why Telecom Is A Target<\/strong><\/p>\n

Telecom networks are prime espionage targets, offering access to sensitive data, strategic communications, and even entire populations. By infiltrating these systems, threat actors gain valuable intelligence and persistent access to critical infrastructure. Cisco Talos found one victim that remained compromised for over two years, underscoring the persistence of these campaigns.<\/p>\n

How The Attack Works<\/strong><\/p>\n

The campaign often begins with a phishing email carrying a malicious email or document. Once opened, attackers exploit DLL sideloading \u2014 tricking legitimate applications into loading hidden malware. From there, PlugX installs backdoors, logs keystrokes, and silently extracts sensitive data.<\/p>\n

How To Stay Protected <\/strong><\/p>\n

Security experts recommend that organizations in high-risk sectors take immediate precautions:<\/p>\n