{"id":50723,"date":"2023-02-24T00:00:00","date_gmt":"2023-02-24T00:00:00","guid":{"rendered":"urn:uuid:7ddeb852-365c-57b4-559e-231b72da5484"},"modified":"2023-02-24T00:00:00","modified_gmt":"2023-02-24T00:00:00","slug":"investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/","title":{"rendered":"Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/PlugX-WindowsDebugger641.png\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.351703855252\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1665071006\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.7890625\">\n<div class=\"article-details\" role=\"heading\" readability=\"37.109375\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">Trend 
Micro\u2019s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX. <\/p>\n<p class=\"article-details__author-by\">By: Buddy Tancio, Abraham Camba, Catherine Loveria <time class=\"article-details__date\">February 24, 2023<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"37.595258255715\">\n<div readability=\"23.497036409822\">\n<p>Trend Micro\u2019s Managed Extended Detection and Response (MxDR) team discovered that a file called <a href=\"https:\/\/x64dbg.com\/\">x32dbg.exe<\/a> was used (via the DLL Search Order Hijacking or <a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/001\/\">T1574.001<\/a> technique) to sideload a malicious DLL we identified as a variant of PlugX (Trojan.Win32.KORPLUG.AJ.enc). This file is a legitimate open-source debugger tool for Windows that is generally used to examine kernel-mode and user-mode code, crash dumps, or CPU registers. Meanwhile, <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/a\/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html\">PlugX is a well-known remote access trojan<\/a> (RAT) that is used to gain remote access to and control over compromised machines. It allows an attacker to obtain unauthorized access to a system, steal sensitive data, and use the compromised machine for malicious purposes. 
The MxDR team used a number of advanced security technologies and solutions to build a comprehensive understanding of the attack, which this report lays out.<\/p>\n<p>Because <a href=\"https:\/\/x64dbg.com\/\">x32dbg.exe<\/a> is a legitimate application with a valid digital signature, it can confuse some security tools, enabling threat actors to fly under the radar, maintain persistence, escalate privileges, and bypass file execution restrictions.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"80926a\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger1.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger1.png\" alt=\"Figure 1. A digitally signed x32dbg.exe (ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15) \"> <\/a><figcaption>Figure 1. A digitally signed x32dbg.exe (ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15) <\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The team&#8217;s attention was first drawn to the command line execution of D:\\RECYCLER.BIN\\files\\x32dbg.exe, which was flagged by a VisionOne Workbench alert. 
Further investigation revealed that this path led to a hidden folder on the USB storage device, which was found to contain a number of threat components.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"686203\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger2.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger2.png\" alt=\"Figure 2. Workbench model triggered by the execution of x32dbg.exe\"> <\/a><figcaption>Figure 2. Workbench model triggered by the execution of x32dbg.exe<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>We uncovered a clear sequence of events that began with a suspicious command line execution launched via cmd.exe. The command line executed the file (ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15) located at D:\\RECYCLER.BIN\\files\\x32dbg.exe. The file was signed by \u201cOpenSource Developer, Duncan Ogilvie\u201d with a certificate issued by Certum Code Signing. 
A visual representation of these events is displayed in Figure 3.<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"2.5\">\n<tr readability=\"5\">\n<td width=\"630\" valign=\"top\"><span class=\"blockquote\" readability=\"3.5\"><i readability=\"7\">Command Line: &#8220;C:\\Windows\\System32\\cmd.exe&#8221; \/q \/c &#8220;\\ \\RECYCLER.BIN\\files\\x32dbg.exe&#8221;<\/p>\n<p>File Path: &#8220;D:\\ \\ \\RECYCLER.BIN\\files\\x32dbg.exe&#8221;<\/p>\n<p>SHA256: ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15<\/p>\n<p>Signer: Open-Source Developer, Duncan Ogilvie<\/p>\n<p><\/i><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"fc48d7\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger3.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger3.png\" alt=\"Figure 3. Vision One shows how cmd.exe calls x32dbg.exe from the external\/non-system drive\"> <\/a><figcaption>Figure 3. Vision One shows how cmd.exe calls x32dbg.exe from the external\/non-system drive<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>After executing D:\\RECYCLER.BIN\\files\\x32dbg.exe, all of the threat components are copied to the directory C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop.<\/p>\n<p>Subsequently, the file C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\x32dbg.exe, a duplicate of the original file, was invoked. 
The following command line was used to invoke the dropped file:<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"1.5\">\n<tr readability=\"4.5\">\n<td width=\"630\" valign=\"top\" readability=\"6\">\n<p><i><span class=\"blockquote\">Command Line: &#8220;C:\\Windows\\System32\\cmd.exe&#8221; \/q \/c&#8221;<br \/>C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\/\/x32dbg.exe\u201d<\/span><\/i><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"b412c3\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger4.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger4.png\" alt=\"Figure 4. Files created in C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\"> <\/a><figcaption>Figure 4. Files created in C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"7c0542\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger5.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger5.png\" alt=\"Figure 5. Files created \u201cC:\\Users\\Public\\Public Mediae\u201d\"> <\/a><figcaption>Figure 5. 
Files created in \u201cC:\\Users\\Public\\Public Mediae\u201d<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"95df8f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger6.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger6.png\" alt=\"Figure 6. Vision One shows how x32dbg.exe copies itself to various directories and renames itself as Mediae.exe\"> <\/a><figcaption>Figure 6. Vision One shows how x32dbg.exe copies itself to various directories and renames itself as Mediae.exe<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>C:\\Users\\Public\\Public Mediae\\Mediae.exe followed the same procedure, creating a new directory at C:\\Users\\&lt;username&gt;\\Users\\ and copying the identical files, as shown in Figure 7.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"b2f17f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger7.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger7.png\" alt=\"Figure 7. The same set of files were created in C:\\Users\\&lt;username&gt;\\Users\\\"> <\/a><figcaption>Figure 7. 
The same set of files were created in C:\\Users\\&lt;username&gt;\\Users\\<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.5\">\n<div readability=\"20\">\n<p>As a result, a full set of the same files was present in three different directories. This indicated a clear attempt to establish persistence and evade detection by placing copies of the malicious files in multiple locations on the compromised system, specifically:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop<\/span><\/li>\n<li><span class=\"rte-red-bullet\">C:\\Users\\Public\\Public Mediae\\<\/span><\/li>\n<li><span class=\"rte-red-bullet\">C:\\Users\\&lt;username&gt;\\Users\\<\/span><\/li>\n<\/ul>\n<h2><span class=\"body-subhead-title\">Analyzing persistence: how the attacker maintained access<\/span><\/h2>\n<p>To ensure continued access to the compromised systems, the attacker installed persistence in the registry and created scheduled tasks, so that access would be maintained even after system restarts, credential changes, and other potential disruptions that could otherwise result in lost access.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"500532\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger8.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger8.png\" alt=\"Figure 8. Persistence was created in the scheduled task and run registry \"> <\/a><figcaption>Figure 8. 
Persistence was created in the scheduled task and run registry <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.755884917175\">\n<div readability=\"14.895379250218\">\n<p>We noticed the creation of a scheduled task via the <a href=\"https:\/\/learn.microsoft.com\/windows-server\/administration\/windows-commands\/schtasks\">schtasks<\/a> command line utility, which runs a task on a defined schedule. In this case, the scheduled task is set to execute the x32dbg.exe file, the open-source debugger tool that sideloads PlugX, every five minutes. The task is disguised under the name &#8220;LKUFORYOU_1&#8221; to make it more difficult to detect.<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"1.5\">\n<tr readability=\"4.5\">\n<td width=\"630\" valign=\"top\" readability=\"6\">\n<p><i><span class=\"blockquote\">Commandline: schtasks \/create \/sc minute \/mo 5 \/tn LKUFORYOU_1 \/tr<br \/>C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\x32dbg.exe \/f<\/span><\/i><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>A brief summary of the parameters used:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">\/create: This option instructs the utility to create a new scheduled task.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\/sc minute: This option sets the schedule type, so the task repeats on a minute-based interval.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\/mo 5: This option is the schedule modifier; combined with \/sc minute, it makes the task run every five minutes.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\/tn LKUFORYOU_1: This option sets the name of the task as &#8220;LKUFORYOU_1&#8221;.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\/tr C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\x32dbg.exe: This option specifies the path of the executable that will be executed when the task is triggered.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">\/f: This option forces the task to be created without requiring user confirmation.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"6efcb4\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger9.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger9.png\" alt=\"Figure 9. The schtasks utility was used to create persistence in the scheduled task\"> <\/a><figcaption>Figure 9. The schtasks utility was used to create persistence in the scheduled task<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Further evidence supporting the persistence created by the scheduled task was discovered in the event logs via Event ID 100, which clearly showed the successful execution of the file (depicted in Figure 10).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"4c3abe\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger10.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger10b.png\" alt=\"Figure 10. VisionOne Windows event log telemetry for LKUFORYOU\"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"7be360\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger10b.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger10.png\" alt=\"Figure 10. VisionOne Windows event log telemetry for LKUFORYOU\"> <\/a><figcaption>Figure 10. VisionOne Windows event log telemetry for LKUFORYOU<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Figure 11 depicts where run registry keys were installed for persistence, and the data associated with them. 
These registry keys and values enable the threat to maintain persistence by automatically executing the x32dbg.exe file every time the user logs in.<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"1.5\">\n<tr readability=\"3\">\n<td width=\"630\" valign=\"top\"><span class=\"blockquote\"><i>Registry Key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<br \/>Registry Value Name: x32dbg<br \/>Registry Value Data: C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\x32dbg.exe<\/i><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"480a6b\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger11.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger11.png\" alt=\"Figure 11. Persistence in the run registry (this image came from ESX testing)\"> <\/a><figcaption>Figure 11. Persistence in the run registry (this image came from ESX testing)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<h2><span class=\"body-subhead-title\">Hiding in plain sight: DLL sideloading with x32dbg.exe<\/span><\/h2>\n<p>We observed x32dbg.exe being used to sideload the PlugX file x32bridge.dll (0490ceace858ff7949b90ab4acf4867878815d2557089c179c9971b2dd0918b9, detected as Trojan.Win32.KORPLUG.AJ). Sideloading can take advantage of the loader&#8217;s DLL search order: the malicious payload is placed side by side with the victim program, which then loads it in place of the DLL it expects. This process is likely used by malicious actors as a cover for operations carried out within a trusted, legitimate, and possibly elevated system or software process.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"337ae6\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger12.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger12.png\" alt=\"Figure 12. x32dbg.exe sideloaded PlugX file x32bridge.dll (Trojan.Win32.KORPLUG.AJ)\"> <\/a><figcaption>Figure 12. x32dbg.exe sideloaded PlugX file x32bridge.dll (Trojan.Win32.KORPLUG.AJ)<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>We observed that the file akm.dat (0e9071714a4af0be1f96cffc3b0e58520b827d9e58297cb0e02d97551eca3799, detected as Trojan.Win32.KORPLUG.AJ) was also registered and executed via rundll32, a Windows component which attackers can abuse to facilitate the execution of malicious code. 
By using rundll32.exe to execute the file, the attackers can prevent security tools from monitoring this activity.<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"2.5\">\n<tr readability=\"7.5\">\n<td width=\"630\" valign=\"top\" readability=\"8\">\n<p><i><span class=\"blockquote\">rundll32 SHELL32.DLL, ShellExec_RunDLL rundll32<br \/>C:\\ProgramData\\UsersDate\\Windows_NT\\Windows\\User\\Desktop\\akm.dat,Start<\/span><\/i><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"66b208\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger13.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger13.png\" alt=\"Figure 13. The file akm.dat was executed via rundll32\"> <\/a><figcaption>Figure 13. The file akm.dat was executed via rundll32<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"42.5\">\n<div readability=\"30\">\n<p>Through reverse engineering, we were able to gain a deep understanding of how the threat operates. By analyzing the tactics and techniques used by the attacker, we can identify and prevent similar attacks in the future.<\/p>\n<p>Our analysis of this attack in VisionOne revealed that the threat heavily relied on DLL sideloading, which is a typical behavior of PlugX. However, this variant was unique in that it employed several components to perform various functions, including persistence, propagation, and backdoor communication. 
As a result, we were able to identify and isolate the different files used by the attacker in their routine.<\/p>\n<h2><span class=\"body-subhead-title\">Persistence and propagation: x32dbg.exe (with the components x32bridge.dll and x32bridge.dat)<\/span><\/h2>\n<p>The file x32dbg.exe is the legitimate executable of a debugging tool which, when executed, imports x32bridge.dll and calls its exported functions <i>BridgeStart<\/i> and <i>BridgeInit<\/i>. The attackers took advantage of this and replaced the DLL with their own, which exports the same function names but executes entirely different code:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">BridgeStart \u2013 dummy code that does nothing<\/span><\/li>\n<li><span class=\"rte-red-bullet\">BridgeInit \u2013 loads x32bridge.dat, decrypts its contents, then proceeds with the execution of the decrypted code.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"3d21ef\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger14.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger14.png\" alt=\"Figure 14. The structure of x32dbg.exe and x32bridge.dll \"> <\/a><figcaption>Figure 14. 
The structure of x32dbg.exe and x32bridge.dll <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>The hardcoded key \u201cHELLO_USA_PRISIDENT\u201d is used to decode x32bridge.dat, after which execution will continue on the decrypted code.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"b286d0\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger15.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger15.png\" alt=\"Figure 15. Decoding x32bridge.dat using the hardcoded key\"> <\/a><figcaption>Figure 15. Decoding x32bridge.dat using the hardcoded key<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>It will then check for an event named <i>LKU_Test_0.1<\/i> (or creates it if not found). This is followed by the execution of akm.dat found in the same folder.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"59eb69\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger16.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger16.png\" alt=\"Figure 16. Executing akm.dat\"> <\/a><figcaption>Figure 16. 
Executing akm.dat<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36\">\n<div readability=\"17\">\n<p>Next, it creates the scheduled task <i>LKUFORYOU_1<\/i> to run x32dbg.exe persistently, as observed in our VisionOne investigation.<\/p>\n<p>It then enumerates all drives and takes note of removable drives for its propagation routine. When a removable drive is found, it deletes the files in any existing RECYCLER.BIN folder before creating a new one. It then copies its components with the file extensions .exe, .dll, and .dat to the newly created folder and adds a desktop.ini file.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"8ee891\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger17.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger17.png\" alt=\"Figure 17. Deleting the existing RECYCLER.BIN folder and creating a new one\"> <\/a><figcaption>Figure 17. 
Deleting the existing RECYCLER.BIN folder and creating a new one<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Next, it proceeds to its installation routine, where it copies all its components to the several folders listed in the VisionOne analysis.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"5b7ac3\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger18.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger18.png\" alt=\"Figure 18. The installation routine \"> <\/a><figcaption>Figure 18. The installation routine <\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Once installed, it runs the file Mediae.exe (the same file as x32dbg.exe), which remains in memory, looping through the aforementioned routines.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"dfffec\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger19a.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger19a.png\" alt=\"Figure 19. 
Running Mediae.exe\"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"819ab5\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger19b.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger19b.png\" alt=\"Figure 19. Running Mediae.exe\"> <\/a><figcaption>Figure 19. Running Mediae.exe<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Mediae.exe also creates the event LKU_Test_0.2, possibly to signal a successful installation.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"5c3866\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger20.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger20.png\" alt=\"Figure 20. Creating LKU_Test_0.2\"> <\/a><figcaption>Figure 20. Creating LKU_Test_0.2<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>As also seen in the VisionOne analysis, the malware checks whether it already has an AutoStart registry key (x32dbg) and creates one if none exists. 
Note that the execution path may vary depending on where x32dbg.exe or Mediae.exe was executed.<\/p>\n<h2><span class=\"body-subhead-title\">Next stage loader: akm.dat<\/span><\/h2>\n<p>The file akm.dat is a DLL with a straightforward function \u2014 to execute the next phase of the DLL sideloading routine. Its export function <i>Start<\/i> executes the file AUG.exe (also dropped by the earlier installation routine of x32dbg.exe).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"1846da\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger21.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger21.png\" alt=\"Figure 21. The Start function executing AUG.exe\"> <\/a><figcaption>Figure 21. The Start function executing AUG.exe<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<h2><span class=\"body-subhead-title\">The backdoor UDP Shell: AUG.exe (with the components DismCore.dll and Groza_1.dat)<\/span><\/h2>\n<p>AUG.exe is a copy of DISM.EXE, a legitimate Microsoft file that is also vulnerable to DLL sideloading. 
It imports the function DllGetClassObject from DismCore.dll, which decrypts the contents of Groza_1.dat using the hardcoded key <i>\u201cHapenexx is very bad\u201d<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"6b8373\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger22.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger22.png\" alt=\"Figure 22. Decrypting Groza_1.dat using the hardcoded key\"> <\/a><figcaption>Figure 22. Decrypting Groza_1.dat using the hardcoded key<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Execution then continues in the decrypted code, a UDP shell client that does the following:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Collects host information such as the hostname, IP address, and MAC address and sends it to its command-and-control (C&amp;C) server <i>160[.]20[.]147[.]254<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Creates a thread to continuously wait for C&amp;C commands<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Decrypts C&amp;C communication using the hardcoded key <i>\u201cHappiness is a way station between too much and too little.\u201d<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Contains the hardcoded debug (PDB) path: <i>C:\\Users\\guss\\Desktop\\Recent Work\\UDP SHELL\\0.7 DLL\\UDPDLL\\Release\\UDPDLL.pdb<\/i><\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"bd5e86\" 
href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger23a.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger23a.png\" alt=\"Figure 23. The UDP shell client\"> <\/a> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"27f93c\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger23b.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/PlugX-WindowsDebugger23b.png\" alt=\"Figure 23. The UDP shell client\"> <\/a><figcaption>Figure 23. The UDP shell client<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"43.013821441913\">\n<div readability=\"32.260366081434\">\n<p>The discovery and analysis of this malware attack, which abused the open-source debugger x32dbg.exe, shows that DLL sideloading is still used by threat actors today because it is an effective way to circumvent security measures and gain control of a target system. Despite advances in security technology, attackers continue to use this technique because it exploits the fundamental trust placed in legitimate applications. 
This technique will remain a viable way for attackers to deliver malware and gain access to sensitive information as long as systems and applications continue to trust and load dynamic libraries.<\/p>\n<p>This incident highlights the importance of having a strong and robust cybersecurity system in place, as threat actors continue to find new ways to exploit vulnerabilities and launch sophisticated attacks. <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/services\/managed-xdr.html\">Trend Micro Managed Extended Detection and Response<\/a> (MxDR) helps prevent DLL sideloading attacks by taking a comprehensive approach to detecting, investigating, and responding to security incidents.<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_ph\/business\/products\/detection-response\/xdr.html\">Trend XDR<\/a> integrates a variety of security technologies, such as endpoint protection, network security, and cloud security, to provide a comprehensive picture of an organization&#8217;s security posture. This enables MxDR to detect and prevent DLL sideloading attacks by blocking malicious activity at various stages of the attack lifecycle before it can cause harm. 
Furthermore, XDR can perform in-depth analysis and investigation of security incidents, allowing organizations to understand the impact and scope of an attack and respond appropriately.<\/p>\n<p>Here are some recommendations that IT administrators can put into place to prevent DLL sideloading attacks:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Implement whitelisting:<\/b> Allow only known and trusted applications to run on the system while blocking any suspicious or unknown ones.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Use signed code:<\/b> Ensure that all DLLs are signed with a trusted digital signature to verify their authenticity and integrity.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Monitor and control application execution:<\/b> Monitor and control the execution of applications and their dependencies, including DLLs, to detect and prevent malicious activities.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Educate end users:<\/b> Inform users about the dangers of DLL sideloading attacks and encourage them to exercise caution when installing or running unfamiliar software.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Endpoint protection:<\/b> Use endpoint protection solutions that offer behavioral analysis and predictive machine learning for better security capabilities.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Implement effective incident response plans:<\/b> Establish a clear and well-defined incident response plan to detect, contain, and respond to security incidents as quickly as possible.<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"5%\">\n<tbody readability=\"9\">\n<tr>\n<th scope=\"col\">File name<\/th>\n<th scope=\"col\">SHA256<\/th>\n<th scope=\"col\">Detection name<\/th>\n<\/tr>\n<tr readability=\"4\">\n<td>x32dbg.exe<\/td>\n<td>ec5cf913773459da0fd30bb282fb0144b85717aa6ce660e81a0bad24a2f23e15<\/td>\n<td>Legitimate Windows debugger<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>x32bridge.dll<\/td>\n<td>0490ceace858ff7949b90ab4acf4867878815d2557089c179c9971b2dd0918b9<\/td>\n<td>Trojan.Win32.KORPLUG.AJ<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>akm.dat<\/td>\n<td>0e9071714a4af0be1f96cffc3b0e58520b827d9e58297cb0e02d97551eca3799<\/td>\n<td>Trojan.Win32.KORPLUG.AJ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>x32bridge.dat<\/td>\n<td>e72e49dc1d95efabc2c12c46df373173f2e20dab715caf58b1be9ca41ec0e172<\/td>\n<td>Trojan.Win32.KORPLUG.AJ.enc<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>DismCore.dll<\/td>\n<td>b4f1cae6622cd459388294afb418cb0af7a5cb82f367933e57ab8c1fb0a8a8a7<\/td>\n<td>Trojan.Win32.KORPLUG.AJ<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>Groza_1.dat<\/td>\n<td>553ff37a1eb7e8dc226a83fa143d6aab8a305771bf0cec7b94f4202dcd1f55b2<\/td>\n<td>Trojan.Win32.KORPLUG.AJ.enc<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\" width=\"100%\" height=\"5%\">\n<tbody>\n<tr>\n<th scope=\"col\">IP address \/ URL<\/th>\n<th scope=\"col\">Description<\/th>\n<\/tr>\n<tr>\n<td>160[.]20[.]147[.]254<\/td>\n<td>C&amp;C Server<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a 
href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/b\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trend Micro\u2019s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":50724,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513,9509],"class_list":["post-50723","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-24T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/PlugX-WindowsDebugger641.png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool\",\"datePublished\":\"2023-02-24T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\\\/\"},\"wordCount\":2517,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\\\/\",\"name\":\"Investigating 
the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool.png\",\"datePublished\":\"2023-02-24T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool.png\",\"width\":365,\"height\":356},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/
investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/","og_locale":"en_US","og_type":"article","og_title":"Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-02-24T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/PlugX-WindowsDebugger641.png","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool","datePublished":"2023-02-24T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/"},"wordCount":2517,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/","url":"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/","name":"Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool.png","datePublished":"2023-02-24T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/02\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool.png","width":365,"height":356},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/investigating-the-plugx-trojan-disguised-as-a-legitimate-windows-debugger-tool\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, 
Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50723","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=50723"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50723\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/50724"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=50723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=50723"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=50723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}