

Palo Alto Networks Inc.’s Unit 42 threat intelligence team has detailed a new Chinese-linked cyberespionage group that’s targeting countries primarily in Southeast Asia.
Dubbed “PKPLUG,” the threat actor group, or possibly groups, delivers the PlugX malware inside ZIP archive files as part of a DLL side-loading package. ZIP files begin with the bytes “PK” in their header, hence the name PKPLUG.
In addition to using the PlugX malware, the group was also found to be using other custom malware families, including HenBox, an Android app, and Farseer, a Windows backdoor. The researchers also found related attacks going back as far as six years, suggesting that the group is either longstanding or is reusing tactics already used by another group.
Where the plot thickens is that the Unit 42 researchers couldn’t clearly ascertain the objectives of PKPLUG beyond the trojan allowing the group to track victims and gather information. Victims have been located particularly in Myanmar, Taiwan, Vietnam and Indonesia, with others also likely in Mongolia and the Chinese autonomous regions of Tibet and Xinjiang.
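The ZIP “PK” signature and the side-loading bundle described above can be checked on an archive before anyone opens it. The following Python is an added illustration, not code from Unit 42 or the report: it verifies the PK local-file-header magic, then flags any directory inside the archive that holds both an executable and a DLL, which is the shape a DLL side-loading package takes (a benign-looking EXE that loads a same-named or expected DLL from its own folder). The heuristic, the file names and the “MZ” stub contents are constructed for the example and are not taken from any PKPLUG sample.

```python
import io
import posixpath
import zipfile
from typing import Dict, List

# ZIP local file header signature: 'P' 'K' 0x03 0x04. This is the "PK"
# that gives PKPLUG its name.
ZIP_MAGIC = b"PK\x03\x04"
# DOS/PE header magic shared by EXE and DLL files.
PE_MAGIC = b"MZ"


def is_zip(data: bytes) -> bool:
    """True if the blob starts with a ZIP local file header."""
    return data[:4] == ZIP_MAGIC


def build_sample_zip() -> bytes:
    """Constructed sample (not a real PKPLUG artifact): an archive holding a
    legitimate-looking EXE next to a DLL it would load by name, a binary
    blob and a decoy text file. PE members are 'MZ' stubs, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/viewer.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("docs/viewerlib.dll", PE_MAGIC + b"\x00" * 62)
        zf.writestr("docs/viewerlib.dat", b"\x13\x37" * 32)
        zf.writestr("docs/readme.txt", b"Meeting agenda attached.\n")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control: documents only, no side-loading pair."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/agenda.txt", b"Agenda\n")
        zf.writestr("docs/helper.dll", PE_MAGIC + b"\x00" * 62)  # DLL alone
    return buf.getvalue()


def inspect_archive(data: bytes) -> Dict[str, object]:
    """Triage a ZIP blob for a DLL side-loading bundle.

    Heuristic (an assumption of this example, not from the Unit 42 report):
    a member counts as a PE file if its content starts with 'MZ', whatever
    its extension, so renamed executables are not missed; a directory that
    holds both a non-DLL PE (the loader) and a .dll is flagged.
    """
    result: Dict[str, object] = {"is_zip": is_zip(data), "pe_members": [], "flagged_dirs": []}
    if not result["is_zip"]:
        return result
    by_dir: Dict[str, Dict[str, List[str]]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)
            if head != PE_MAGIC:
                continue
            result["pe_members"].append(info.filename)
            directory = posixpath.dirname(info.filename)
            ext = posixpath.splitext(info.filename)[1].lower()
            kind = "dll" if ext == ".dll" else "exe"
            by_dir.setdefault(directory, {"exe": [], "dll": []})[kind].append(info.filename)
    for directory, kinds in by_dir.items():
        if kinds["exe"] and kinds["dll"]:
            result["flagged_dirs"].append(directory)
    return result


if __name__ == "__main__":
    print(inspect_archive(build_sample_zip()))
    print(inspect_archive(build_benign_zip()))
```

The check reads only the first two bytes of each member, so it is cheap to run on mail attachments or download quarantines; a flagged archive is a candidate for sandboxing, not proof of PlugX, since legitimate software bundles also ship an EXE beside its DLLs.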
Most of the target countries and autonomous regions have issues with China. Xinjiang in China’s far west has Muslim terrorists and has been subject to publicity over the Middle Kingdom’s reeducation policies, which some in the West suggest amount to concentration camps. Tibet needs little introduction, a region long monitored for insurgency by China, while Taiwan is regarded by Beijing as a rogue province.
Meanwhile, Vietnam is in a dispute with China over the South China Sea, while China has issues with Myanmar because of rebels on their shared borders. The only mystery countries on the list are Indonesia and Mongolia.
“Based on targeting, content in some of the malware and ties to infrastructure previously documented publicly as being linked to Chinese nation-state adversaries, Unit 42 believes with high confidence that PKPLUG has similar origins,” the report concludes.