Researchers at Cisco Talos have uncovered a sophisticated cyberespionage campaign tied to Chinese-speaking advanced persistent threat (APT) actors, marking the latest chapter in Beijing's expanding digital spy operations.
The operation, which has been active since 2022, is targeting telecommunications and manufacturing companies across Central and South Asia. At its core is a revamped version of PlugX, a notorious remote access Trojan (RAT) first spotted back in 2008.
PlugX has been deployed in some of the most high-profile cyberattacks worldwide, including the 2015 breach of the U.S. Office of Personnel Management. Despite its age, PlugX remains one of the most effective tools in China's cyber arsenal, and researchers now believe some groups may even have access to its original source code.
What's Happening?
In a blog post, Cisco Talos attributed the campaign with medium confidence to Naikon, an active Chinese-speaking threat actor that has been operating since 2010 and is linked to the People's Liberation Army. The group has primarily targeted government, military, and civil organizations across Southeast Asia.
According to Cisco Talos, the new PlugX variant bears a striking resemblance to two other Chinese espionage tools, RainyDay and Turian, suggesting that Naikon may be working closely with, or even overlapping with, BackdoorDiplomacy, another APT known for deploying the Turian backdoor.
All three malware families share key traits: abuse of legitimate applications for DLL sideloading, identical encryption routines, and advanced anti-analysis methods.
Why Telecom Is A Target
Telecom networks are prime espionage targets, offering access to sensitive data, strategic communications, and even entire populations. By infiltrating these systems, threat actors gain valuable intelligence and persistent access to critical infrastructure. Cisco Talos found one victim that remained compromised for over two years, underscoring the persistence of these campaigns.
How The Attack Works
The campaign often begins with a phishing email carrying a malicious attachment or document. Once opened, attackers exploit DLL sideloading, tricking legitimate applications into loading hidden malware. From there, PlugX installs backdoors, logs keystrokes, and silently extracts sensitive data.
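The sideloading pattern described above (a legitimate, often signed, executable loading a malicious DLL from its own directory) is something a defender can hunt for in image-load telemetry. The following is an added example, not Cisco Talos code or part of the article, that runs a simple sideloading heuristic over constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields; the paths and the `KNOWN_SYSTEM_DLLS` list are assumptions chosen for illustration.

```python
"""Flag DLL loads that fit the sideloading pattern: a DLL loaded from the
executable's own directory that is either unsigned or carries the name of a
DLL Windows would normally resolve from System32."""
from pathlib import PureWindowsPath

# Constructed sample records in the shape of Sysmon Event ID 7 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\VendorApp\vendorapp.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update\vendorapp.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\version.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\VendorApp\vendorapp.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\vendorplugin.dll",
     "Signed": "true"},
    {"Image": r"C:\ProgramData\Tools\viewer.exe",
     "ImageLoaded": r"C:\ProgramData\Tools\dbghelp.dll", "Signed": "true"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumed short list of DLL names that normally resolve from System32; seeing
# one loaded from an application directory is the classic sideloading signal.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}


def is_suspicious(event):
    """Return True when the load matches the sideloading heuristic."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_dir = str(dll.parent).lower()
    if dll_dir.startswith(SYSTEM_DIRS):
        return False  # loaded from the real system directory: expected
    same_dir = dll_dir == str(exe.parent).lower()
    unsigned = event.get("Signed", "false").lower() != "true"
    shadows_system = dll.name.lower() in KNOWN_SYSTEM_DLLS
    return same_dir and (unsigned or shadows_system)


def find_sideloads(events):
    """Return the ImageLoaded paths that the heuristic flags, in input order."""
    return [e["ImageLoaded"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_EVENTS):
        print("possible sideload:", path)
```

In the sample, the unsigned `version.dll` next to a copy of the application in a Temp folder and the signed `dbghelp.dll` sitting beside `viewer.exe` are flagged, while the vendor's own plugin DLL and the System32 load are not; the `Signed` field alone is not enough, since a sideloaded DLL may carry a valid but unrelated signature.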
How To Stay Protected
Security experts recommend that organizations in high-risk sectors take immediate precautions:
- Keep Windows systems and applications updated to prevent DLL sideloading.
- Use detection tools that can detect unusual behavior, not just known malware signatures.
- Maintain strong password policies and enable multi-factor authentication (MFA).
- Regularly back up systems and critical data offline.
- Train employees to recognize phishing emails and avoid suspicious downloads.
The Bigger Picture
The discovery of this new PlugX variant underscores the persistence of Chinese-linked APT activity in Asia. By refining old tools like PlugX instead of abandoning them, Chinese hackers are blending proven methods with new capabilities to stay stealthy and effective.
As the campaign continues, cybersecurity experts warn that in the world of cyberespionage, the line between old and new threats is increasingly blurred, making vigilance more critical than ever.