PlugX Malware: The Abandoned Yet Active Threat

The Unseen Persistence of Abandoned Malware

The Unseen Danger

Although its creators have moved on, the PlugX malware continues to pose a threat, with millions of devices still connected to it, experts recently warned.

The Investigation

Cybersecurity analysts from Sekoia acquired the IP address linked to the malware’s command-and-control (C2) server and, over six months, monitored the connection requests reaching it.

During their analysis, they found that infected endpoints were making 90,000 connection attempts daily. This added up to a staggering total of 2.5 million connections. The devices in question were spread across 170 countries. However, a mere 15 countries accounted for over 80% of the total infections. The top eight included Nigeria, India, China, Iran, Indonesia, the UK, Iraq, and the United States.

The Risk Remains

While the number of infected endpoints worldwide may seem high, the researchers caution that the figures may not be entirely accurate. The malware’s C2 traffic carries no unique identifier per infected host, which can skew the results, as multiple compromised workstations can share the same IP address.

Moreover, if any of the devices use dynamic IP addresses, a single device can appear as several. Lastly, many connections could be routed through VPN services, rendering the country-specific statistics unreliable.

The Origin and Evolution of PlugX

First detected in 2008, PlugX was used in cyber-espionage campaigns by Chinese state-sponsored threat actors. The primary targets were organizations in the government, defense, and technology sectors, mostly in Asia. The malware could execute commands, download and upload files, log keystrokes, and access system information. Over time, it developed additional features, such as the ability to spread autonomously via USB drives, making containment nearly impossible today. The list of targets also expanded to include the West.

However, after the source code leaked in 2015, PlugX transformed into a more “common” malware. It was adopted by various groups, both state-sponsored and financially motivated, likely leading to the original developers abandoning it.