
How a new PlugX variant abuses DLL search order hijacking

Medium
Published: Tue Sep 23 2025 (09/23/2025, 22:15:40 UTC)
Source: AlienVault OTX General

Description

A campaign targeting telecommunications and manufacturing sectors in Central and South Asian countries has been discovered, delivering a new PlugX variant. The campaign, active since 2022, shows overlaps with RainyDay and Turian backdoors, including the abuse of legitimate applications for DLL sideloading and shared encryption methods. The new PlugX variant's configuration format resembles that of RainyDay, suggesting attribution to Naikon. Analysis of victimology and technical implementation indicates a potential connection between Naikon and BackdoorDiplomacy, possibly sourcing tools from the same vendor. The malware families use similar infection chains, loaders, and shellcode structures, with shared RC4 keys for payload decryption. This campaign highlights the evolving tactics of Chinese-speaking threat actors and the potential convergence of previously distinct groups.

AI-Powered Analysis

AI analysis last updated: 09/24/2025, 12:34:13 UTC

Technical Analysis

This threat involves a newly identified variant of the PlugX malware family, which is being deployed in a targeted campaign against telecommunications and manufacturing sectors primarily in Central and South Asian countries. The campaign has been active since 2022 and exhibits technical and operational overlaps with other malware families such as RainyDay and Turian. These overlaps include the abuse of legitimate applications for DLL search order hijacking (DLL sideloading), shared encryption methods (notably RC4 keys for payload decryption), and similar infection chains, loaders, and shellcode structures. The configuration format of this new PlugX variant closely resembles that of RainyDay, suggesting a common origin or shared development resources, attributed to the Chinese-speaking threat actor group Naikon. Furthermore, analysis indicates a potential connection between Naikon and another threat actor group known as BackdoorDiplomacy, possibly indicating that these groups source tools from the same vendor or collaborate. The malware leverages DLL search order hijacking, a technique where malicious DLLs are placed in locations that are loaded preferentially by legitimate applications, allowing stealthy execution of malicious code without raising immediate suspicion. The campaign’s use of sophisticated infection chains and shared cryptographic keys points to an evolution in tactics, techniques, and procedures (TTPs) among Chinese-speaking advanced persistent threat (APT) actors, demonstrating convergence and reuse of toolsets across previously distinct groups. The absence of known exploits in the wild suggests the infection vectors may rely on social engineering, spear-phishing, or exploitation of less-publicized vulnerabilities. The campaign’s focus on critical infrastructure sectors like telecommunications and manufacturing highlights its strategic intent, potentially for espionage or long-term access.

Potential Impact

For European organizations, particularly those in telecommunications and manufacturing sectors, this threat poses significant risks. If the malware were to spread or be adapted to target European entities, it could lead to unauthorized access, data exfiltration, espionage, and potential disruption of critical services. Telecommunications providers are integral to national infrastructure, and compromise could affect data confidentiality and integrity, impacting customer privacy and service reliability. Manufacturing firms, especially those involved in critical supply chains or advanced technologies, could face intellectual property theft and operational disruptions. The use of DLL hijacking allows the malware to evade traditional detection mechanisms, increasing the likelihood of prolonged undetected presence within networks. Given the malware’s sophisticated encryption and shared toolsets, incident response and forensic analysis could be complicated, delaying remediation. Additionally, the potential linkage to Chinese-speaking APT groups suggests a geopolitical dimension, where espionage motives could target European strategic industries or government-related telecommunications infrastructure. This threat could also be leveraged for supply chain attacks, given the interconnected nature of manufacturing and telecom sectors across Europe.

Mitigation Recommendations

European organizations should implement targeted mitigations beyond generic advice:

1) Conduct thorough application whitelisting and restrict execution of unauthorized DLLs, especially in critical systems, to prevent DLL hijacking.
2) Employ advanced endpoint detection and response (EDR) solutions capable of detecting anomalous DLL loading behaviors and suspicious process injections.
3) Regularly audit and harden the DLL search order on endpoints and servers by ensuring that application directories do not contain untrusted DLLs and that system PATH variables are secured.
4) Monitor network traffic for unusual encrypted communications or connections to known command and control (C2) infrastructure associated with Naikon or related APT groups.
5) Implement strict segmentation between corporate and operational technology (OT) networks in manufacturing environments to limit lateral movement.
6) Enhance phishing awareness training focused on spear-phishing tactics used by APT groups.
7) Collaborate with national cybersecurity centers and share threat intelligence related to Naikon and associated malware families to improve detection capabilities.
8) Perform regular threat hunting exercises focusing on indicators of DLL sideloading and RC4-encrypted payloads.
9) Maintain up-to-date backups and incident response plans tailored to advanced persistent threats targeting critical infrastructure.


Technical Details

Author: AlienVault
TLP: white
References: https://blog.talosintelligence.com/how-rainyday-turian-and-a-new-plugx-variant-abuse-dll-search-order-hijacking/
Adversary: Naikon
Pulse ID: 68d31c0c8c90127096487d05
Threat Score: null

Indicators of Compromise

Hash


IP


Domain


Threat ID: 68d3e458d2da9a2e8b223a09

Added to database: 9/24/2025, 12:30:16 PM

Last enriched: 9/24/2025, 12:34:13 PM

Last updated: 9/25/2025, 4:37:07 AM
