2025-01-13
Malware, Threat Intelligence, Phishing

Updated PlugX malware launched in new RedDelta attacks


Chinese advanced persistent threat operation RedDelta has deployed attacks involving a new PlugX malware variant against Taiwan, Mongolia, Cambodia, Myanmar, and Vietnam from July 2023 to December 2024, The Hacker News reports.

Attacks by RedDelta — also known as Mustang Panda, Earth Preta, Camaro Dragon, Bronze President, and HoneyMyte — commence with spear-phishing emails using Mongolian flood protection, Taiwanese presidential candidate Terry Gou, and an Association of Southeast Asian Nations meeting as lures that contain malicious MSI, MSC, and LNK files to facilitate PlugX malware compromise, according to an analysis from Recorded Future's Insikt Group. Further analysis of the intrusions revealed communications between 10 admin servers and two command-and-control servers previously linked to RedDelta. "The group's Asia-focused targeting in 2023 and 2024 represents a return to the group's historical focus after targeting European organizations in 2022. RedDelta's targeting of Mongolia and Taiwan is consistent with the group's past targeting of groups seen as threats to the Chinese Communist Party's power," said researchers.

Related

Bogus LDAPNightmare PoC exploit enables infostealer deployment

Executing the bogus exploit — which is based on the legitimate PoC created by SafeBreach Labs but contains the UPX-packed poc.exe file — launches a PowerShell script in the targeted system's %Temp% folder that establishes a script-executing scheduled job to facilitate the eventual retrieval of the infostealing payload, according to a Trend Micro analysis.
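The persistence step described above, a scheduled task that runs a PowerShell script dropped in %Temp%, is the kind of artifact a defender can hunt for in task-creation telemetry. The following is an added illustration, not code from the Trend Micro analysis or from this article: it walks a set of constructed task-creation records (a simplified stand-in for Windows Security event 4698 data; the field names, paths and task names are assumptions) and flags tasks whose command is PowerShell and whose arguments point into a Temp directory.

```python
import re
from dataclasses import dataclass


# Constructed stand-in for a scheduled-task creation record (simplified; not real telemetry).
@dataclass
class TaskCreatedEvent:
    task_name: str   # task path as registered in Task Scheduler
    command: str     # executable the task action runs
    arguments: str   # command-line arguments passed to that executable
    author: str      # account that registered the task


# Constructed sample events: one benign system task, one task matching the pattern described
# in the article (PowerShell + script under %Temp%), one benign PowerShell task outside Temp.
SAMPLE_EVENTS = [
    TaskCreatedEvent(r"\Microsoft\Windows\Defrag\ScheduledDefrag",
                     r"C:\Windows\System32\defrag.exe", "-c -h -o", "SYSTEM"),
    TaskCreatedEvent(r"\OneTimeUpdate",
                     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"-WindowStyle Hidden -ExecutionPolicy Bypass "
                     r"-File C:\Users\alice\AppData\Local\Temp\update.ps1",
                     r"DESKTOP\alice"),
    TaskCreatedEvent(r"\Backup\Nightly",
                     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"-File C:\Scripts\backup.ps1", r"DESKTOP\bob"),
]

# %Temp% normally expands to ...\AppData\Local\Temp; match any \Temp\ or \Tmp\ path segment.
TEMP_PATH = re.compile(r"\\(?:Temp|Tmp)\\", re.IGNORECASE)
# Match powershell.exe / pwsh.exe as the final path component of the task's command.
POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)
# Pull the script path out of a "-File <path>" (or "-F <path>") argument, quoted or not.
FILE_ARG = re.compile(r'-F(?:ile)?\s+"?([^"\s]+)', re.IGNORECASE)


def script_path(arguments):
    """Return the script path given to -File, or None if the task has none."""
    match = FILE_ARG.search(arguments)
    return match.group(1) if match else None


def is_suspicious(event):
    """Heuristic (an assumption, not a vendor rule): PowerShell task whose command
    line or script path lives under a Temp directory."""
    runs_powershell = bool(POWERSHELL.search(event.command))
    references_temp = bool(TEMP_PATH.search(event.arguments) or TEMP_PATH.search(event.command))
    return runs_powershell and references_temp


def find_suspicious(events):
    """Return (task_name, author, script_path) for every event the heuristic flags."""
    return [(e.task_name, e.author, script_path(e.arguments))
            for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for task_name, author, path in find_suspicious(SAMPLE_EVENTS):
        print(f"suspicious task {task_name!r} by {author}: runs {path}")
```

The heuristic deliberately keys on the combination (PowerShell plus a Temp path) rather than on either signal alone, since PowerShell-backed scheduled tasks are common in legitimate administration; tuning for a real environment would add the registering account and the task's trigger to the decision.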

CrowdStrike spoofed in recruitment phishing scam

Intrusions discovered earlier this week commenced with the delivery of a malicious email purporting to be from a CrowdStrike employment agent that includes a link for downloading an employee CRM app; when clicked, the link redirects to a CrowdStrike-spoofing website offering Windows and macOS versions of the app, according to CrowdStrike.
