{"id":55372,"date":"2024-02-20T00:00:00","date_gmt":"2024-02-20T00:00:00","guid":{"rendered":"urn:uuid:95344ae6-16f4-ecbd-c238-c02704705f82"},"modified":"2024-02-20T00:00:00","modified_gmt":"2024-02-20T00:00:00","slug":"earth-preta-campaign-uses-doplugs-to-target-asia","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/","title":{"rendered":"Earth Preta Campaign Uses DOPLUGS to Target Asia"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/doplugs-cover-1:Large?qlt=80\"><\/p>\n<div><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/24\/doplugs-cover.png\" class=\"ff-og-image-inserted\"><\/div>\n<p>All the files under these folders will be copied to <i>{USB_volume}:\\Usb Disk\\<\/i>:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><i>{USB_volume}:\\<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>{USB_volume}:\\Kaspersky\\<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>{USB_volume}:\\Kaspersky\\Usb Drive\\<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>{USB_volume}:\\Usb Drive\\3.0\\<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>{USB_volume}:\\Kaspersky\\Removable Disk\\<\/i> (including files in subfolders)<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>{USB_volume}:\\AVAST\\Protection for Autorun\\<\/i> (including files in subfolders)<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>{USB_volume}:\\SMADAV\\SMADAV\\<\/i> (including files in subfolders)<\/span><\/li>\n<\/ul>\n<h5><span class=\"body-subhead-title\"><\/span><\/h5>\n<p>This thread creates the mutex <i>USB_NOTIFY3_COP_{USB_volume}<\/i> as a marker. 
There are two kinds of stealing conditions, each of which we discuss here:<\/p>\n<h6><span class=\"body-subhead-title\"><\/span><b><\/b><\/h6>\n<p>If the connection to <i><a href=\"https:\/\/www.microsoft.com\/\">https:\/\/www.microsoft.com\/<\/a><\/i> succeeds, it will check the file extensions in these predefined folders:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><i>{USB_volume}:\\Kaspersky\\Usb Drive\\1.0\\<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>{USB_volume}:\\Usb Drive\\1.0\\<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>{USB_volume}:\\.System\\Device\\USB\\3.0\\Kaspersky\\Usb Drive\\1.0<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>{USB_volume}:\\.System\\Device\\USB\\3.0\\Usb Drive\\1.0\\<\/i><\/span><\/li>\n<\/ul>\n<p>If the file extension is not .<i>cmd<\/i>, .<i>bat<\/i>, or .<i>dll<\/i> and the file name is not <i>RECYCLERS.BIN<\/i>, it will transfer the file to <i>%userprofile%\\AppData\\Roaming\\Render\\1.0\\<\/i> and empty the content of the original file.<\/p>\n<p>We also found another functionality, but it does not appear to have been implemented as of this writing. 
This functionality collects all files under the same folders and looks for the files with the following extensions:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">.doc<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.docx<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.ppt<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.pptx<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.xls<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.xlsx<\/span><\/li>\n<li><span class=\"rte-red-bullet\">.pdf<\/span><\/li>\n<\/ul>\n<p>Afterward, it will encode the file name with base64, encrypt the file content, and copy the file to the folder of the current process.<\/p>\n<p>Here is the XOR algorithm used to encrypt the stolen files:<\/p>\n<p><span class=\"blockquote\">encrypted_contents = []<br \/>encrypted_key = 0x6D<br \/>for i in range(len(contents)):<br \/>&nbsp; &nbsp; encrypted_contents.append(contents[i] ^ encrypted_key)<br \/>&nbsp; &nbsp; # advance the key by 0xAA per byte, keeping it within one byte<br \/>&nbsp; &nbsp; encrypted_key = (encrypted_key + 0xAA) &amp; 0xFF<\/span><\/p>\n<h6><span class=\"body-subhead-title\"><\/span><b><\/b><\/h6>\n<p>If the connection fails, the thread checks the registry value <i>(HKCU|HKLM)\\System\\CurrentControlSet\\Control\\Network\\Version<\/i>, which does not exist. 
Afterward, it creates and executes the batch script <i>%temp%\\edg{value of QueryPerformanceCounter}.bat<\/i> to collect information about the victim.<\/p>\n<p><span class=\"blockquote\">%comspec% \/q \/c systeminfo &gt;&quot;%~dp0AE353BBEB1C6603E_E.dat&quot;<br \/>%comspec% \/q \/c ipconfig \/all &gt;&gt;&quot;%~dp0AE353BBEB1C6603E_E.dat&quot;<br \/>%comspec% \/q \/c netstat -ano &gt;&gt;&quot;%~dp0AE353BBEB1C6603E_E.dat&quot;<br \/>%comspec% \/q \/c arp -a &gt;&gt;&quot;%~dp0AE353BBEB1C6603E_E.dat&quot;<br \/>%comspec% \/q \/c tasklist \/v &gt;&gt;&quot;%~dp0AE353BBEB1C6603E_E.dat&quot;<br \/>del %0<\/span><\/p>\n<p>The output data will then be encrypted and dropped to <i>{USB_volume}:\\Usb Drive\\1.0\\ {value of SOFTWARE\\CLASSES\\ms-pu\\CLSID}.dat<\/i>.<\/p>\n<h5><span class=\"body-subhead-title\"><\/span><\/h5>\n<p>This thread creates the mutex <i>USB_NOTIFY_BAT_H3_{USB_volume}<\/i> as a marker and is executed only under these conditions:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">When the connection to <i>https:\/\/www.microsoft.com<\/i> fails<\/span><\/li>\n<li><span class=\"rte-red-bullet\">When there is no value in <i>System\\\\CurrentControlSet\\\\Control\\\\Network\\\\version<\/i> (this registry value is enabled when the command-line argument is \u201c-net\u201d)<\/span><\/li>\n<\/ul>\n<p>The thread will search for all batch scripts inside the following folders:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><i>{USB_volume}:\\Usb Drive\\1.0\\p\\<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>{USB_volume}:\\Kaspersky\\Usb Drive\\1.0\\p\\<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><i>{USB_volume}:\\.System\\Device\\USB\\3.0\\Usb Drive\\1.0\\p\\<\/i><\/span><\/li>\n<\/ul>\n<p>If the batch script name does not contain the strings <i>tmpc_<\/i> or <i>tmp_<\/i>, the script will be decrypted with the same XOR algorithm used for file encryption in the thread 2 subsection. 
The new batch script will then be created in <i>%temp%\\{value of QueryPerformanceCounter}.bat<\/i> and executed by <i>ShellExecuteW<\/i> with the following contents:<\/p>\n<p><span class=\"blockquote\">{USB_volume}<br \/>cd &quot;{USB_volume}:\\target folder\\&quot;<br \/>{decrypted contents in batch file}<br \/>del %0<\/span><\/p>\n<h4>DOPLUGS backdoor behavior (Command and Control)<\/h4>\n<p>This behavior is the same as the original piece of DOPLUGS malware and is responsible for C&amp;C communication, backdoor commands, and downloading the next-stage general type of the PlugX malware.<\/p>\n<h4><span class=\"body-subhead-title\"><\/span><\/h4>\n<p>The following command lines are executed to set up scheduled tasks that enable the Wi-Fi connection:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">cmd.exe \/c schtasks.exe \/create \/sc minute \/mo 30 \/tn &quot;Security WIFI Script&quot; \/tr &quot;netsh interface set interface &quot;&quot;&quot;Wireless Network Connection&quot;&quot;&quot; enabled&quot; \/ru SYSTEM \/F&amp;schtasks.exe \/run \/tn &quot;Security WIFI Script&quot;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">cmd.exe \/c schtasks.exe \/create \/sc minute \/mo 30 \/tn &quot;Security WIFI2 Script&quot; \/tr &quot;netsh interface set interface &quot;&quot;&quot;Wireless Network Connection 2&quot;&quot;&quot; enabled&quot; \/ru SYSTEM \/F&amp;schtasks.exe \/run \/tn &quot;Security WIFI2 Script&quot;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">cmd.exe \/c schtasks.exe \/create \/sc minute \/mo 30 \/tn &quot;Security WIFI3 Script&quot; \/tr &quot;netsh interface set interface &quot;&quot;&quot;Wireless Network Connection 3&quot;&quot;&quot; enabled&quot; \/ru SYSTEM \/F&amp;schtasks.exe \/run \/tn &quot;Security WIFI3 Script&quot;<\/span><\/li>\n<\/ul>\n<h2><span class=\"body-subhead-title\">Old variant<\/span><\/h2>\n<p>In addition to DOPLUGS, we hunted down several customized PlugX malware samples that are 
also equipped with the KillSomeOne module. Based on our investigation, this integration would have been active for three years, with <a href=\"https:\/\/www.avira.com\/en\/blog\/new-wave-of-plugx-targets-hong-kong\">the report published by Avira<\/a> being the first to reveal this technique. The sample mentioned in Avira\u2019s report is the first PlugX variant with the KillSomeOne module designed for spreading via USB.<\/p>\n<p>The following table is a list of different PlugX malware types with integrated KillSomeOne variants:<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/b\/earth-preta-campaign-targets-asia-doplugs.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog entry, we focus on Earth Preta&#8217;s campaign that employed a variant of the DOPLUGS malware to target Asian countries. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":55373,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9546,9510,9508,9513,9509],"class_list":["post-55372","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-apttargeted-attacks","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Earth Preta Campaign Uses DOPLUGS to Target Asia 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Earth Preta Campaign Uses DOPLUGS to Target Asia 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-02-20T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/doplugs-cover-1:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Earth Preta Campaign Uses DOPLUGS to Target Asia\",\"datePublished\":\"2024-02-20T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/\"},\"wordCount\":795,\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/02\/earth-preta-campaign-uses-doplugs-to-target-asia.png\",\"keywords\":[\"Trend Micro Research : APT&amp;Targeted Attacks\",\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/\",\"name\":\"Earth Preta Campaign Uses DOPLUGS to Target Asia 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/02\/earth-preta-campaign-uses-doplugs-to-target-asia.png\",\"datePublished\":\"2024-02-20T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/#primaryimage\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/02\/earth-preta-campaign-uses-doplugs-to-target-asia.png\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/02\/earth-preta-campaign-uses-doplugs-to-target-asia.png\",\"width\":976,\"height\":533},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.threatshub.org\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : APT&amp;Targeted Attacks\",\"item\":\"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-apttargeted-attacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Earth Preta 
Campaign Uses DOPLUGS to Target Asia\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#website\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\/\/www.threatshub.org\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\
/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Earth Preta Campaign Uses DOPLUGS to Target Asia 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/","og_locale":"en_US","og_type":"article","og_title":"Earth Preta Campaign Uses DOPLUGS to Target Asia 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-02-20T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/doplugs-cover-1:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Earth Preta Campaign Uses DOPLUGS to Target Asia","datePublished":"2024-02-20T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/"},"wordCount":795,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/02\/earth-preta-campaign-uses-doplugs-to-target-asia.png","keywords":["Trend Micro Research : APT&amp;Targeted Attacks","Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : 
Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/","url":"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/","name":"Earth Preta Campaign Uses DOPLUGS to Target Asia 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/02\/earth-preta-campaign-uses-doplugs-to-target-asia.png","datePublished":"2024-02-20T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity 
News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/02\/earth-preta-campaign-uses-doplugs-to-target-asia.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2024\/02\/earth-preta-campaign-uses-doplugs-to-target-asia.png","width":976,"height":533},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-campaign-uses-doplugs-to-target-asia\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : APT&amp;Targeted Attacks","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-apttargeted-attacks\/"},{"@type":"ListItem","position":3,"name":"Earth Preta Campaign Uses DOPLUGS to Target Asia"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection 
\u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=55372"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55372\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/55373"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=55372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=55372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=55372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}