A telecommunications company in Kazakhstan was targeted by the China-linked APT group Naikon (Lotus Panda) as part of an ongoing cyber espionage campaign distributing a new PlugX malware variant. The attack leveraged DLL side-loading via a legitimate Mobile Popup Application executable to decrypt and execute malicious payloads (PlugX, RainyDay, and Turian backdoors) in memory. The PlugX variant included an embedded keylogger plugin, enabling data exfiltration, persistent access, and potential lateral movement within the network. The campaign exhibited strong ties to Chinese state-sponsored actors, with overlaps in encryption methods (XOR-RC4-RtlDecompressBuffer), target selection (telecom and manufacturing sectors in Central/South Asia), and tooling shared with BackdoorDiplomacy (another China-aligned APT). While the exact data compromised was not disclosed, the focus on telecom infrastructure suggests risks of intellectual property theft, customer data exposure, or disruption of critical communication services. The attack aligns with long-term espionage objectives and potentially threatens regional economic stability and national security, given the strategic importance of telecom networks in Kazakhstan, a country bordering multiple high-risk geopolitical zones.
Source: https://thehackernews.com/2025/09/china-linked-plugx-and-bookworm-malware.html
TPRM report: https://www.rankiteo.com/company/kazakhtelecom-jsc
"id": "kaz0632406092725",
"linkid": "kazakhtelecom-jsc",
"type": "Cyber Attack",
"date": "9/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{
  "affected_entities": [
    {"industry": "Telecom", "location": "Kazakhstan (Central Asia)", "name": "Unnamed Telecom Firm (Kazakhstan)", "type": "Telecommunications"},
    {"industry": "Telecom", "location": ["Central Asia", "South Asia"], "name": "Central/South Asian Telecommunications Sector", "type": "Industry Sector"},
    {"industry": "Manufacturing", "location": ["Central Asia", "South Asia"], "name": "Central/South Asian Manufacturing Sector", "type": "Industry Sector"},
    {"location": "Southeast Asia", "name": "ASEAN-Affiliated Countries", "type": "Geopolitical Region"}
  ],
  "attack_vector": [
    "DLL Side-Loading (via Mobile Popup Application executable)",
    "Legitimate Application Abuse",
    "Memory-Based Payload Execution (PlugX, RainyDay, Turian)",
    "Modular Malware Deployment (Bookworm)",
    "UUID-Encoded Shellcode (Bookworm variants)",
    "Compromised Infrastructure for C2 (Bookworm)"
  ],
  "data_breach": {
    "data_encryption": [
      "XOR-RC4-RtlDecompressBuffer (payload encryption)",
      "RC4 keys reused across campaigns"
    ],
    "data_exfiltration": [
      "Likely (via PlugX/RainyDay/Turian C2)",
      "Confirmed for Bookworm (file upload capability)"
    ],
    "sensitivity_of_data": [
      "High (potential intelligence value)",
      "Operational data (telecom/manufacturing)"
    ],
    "type_of_data_compromised": [
      "Potential keylogger-captured data (PlugX)",
      "System metadata (via RAT commands)",
      "Exfiltrated files (Bookworm upload functionality)"
    ]
  },
  "date_publicly_disclosed": "2024-05-20T00:00:00Z",
  "description": "Telecommunications and manufacturing sectors in Central and South Asian countries have been targeted by an ongoing campaign distributing a new variant of the PlugX malware (aka Korplug or SOGU). The variant shares features with RainyDay and Turian backdoors, including DLL side-loading abuse, XOR-RC4-RtlDecompressBuffer encryption, and RC4 keys. The campaign is linked to China-aligned threat actors, including Lotus Panda (Naikon APT) and BackdoorDiplomacy, with potential tool-sharing or operational overlaps. Attack chains involve sideloading malicious DLLs via legitimate executables (e.g., Mobile Popup Application) to deploy PlugX, RainyDay, and Turian payloads in memory. The PlugX variant includes an embedded keylogger plugin and adopts RainyDay's configuration structure. Targets include a telecom firm in Kazakhstan, with broader focus on South Asian countries. In parallel, Mustang Panda's Bookworm malware (active since 2015) has been detailed, featuring modular RAT capabilities, UUID-encoded shellcode, and overlaps with the TONESHELL backdoor.",
  "impact": {
    "brand_reputation_impact": [
      "Reputational risk for targeted telecom/manufacturing firms",
      "Potential loss of trust in regional cybersecurity posture"
    ],
    "data_compromised": [
      "Potential exfiltration via PlugX keylogger plugin",
      "Data targeted by modular Bookworm RAT (arbitrary commands, file upload/download)"
    ],
    "operational_impact": [
      "Persistent access by APT groups",
      "Potential lateral movement within networks",
      "C2 beaconing via compromised infrastructure (Bookworm)"
    ],
    "systems_affected": [
      "Telecommunications firms (e.g., Kazakhstan telecom company)",
      "Manufacturing sector entities",
      "Systems running Mobile Popup Application (DLL side-loading vector)",
      "ASEAN-affiliated countries (Bookworm targets)"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": [
      "PlugX (with RainyDay configuration structure)",
      "RainyDay",
      "Turian",
      "Bookworm (modular RAT)",
      "TONESHELL (overlaps with Bookworm)"
    ],
    "entry_point": [
      "DLL side-loading via Mobile Popup Application",
      "Compromised infrastructure (Bookworm C2)"
    ],
    "high_value_targets": [
      "Telecommunications firms (e.g., network diagrams, customer data)",
      "Manufacturing sector (intellectual property, operational data)",
      "ASEAN-affiliated entities (geopolitical intelligence)"
    ]
  },
  "investigation_status": "Ongoing (active campaign)",
  "lessons_learned": [
    "Overlap in TTPs (DLL side-loading, encryption methods) suggests potential tool-sharing or vendor relationships among China-linked APT groups.",
    "Modular malware (e.g., Bookworm) increases evasion capabilities by dynamically loading functionality from C2.",
    "Legitimate application abuse (e.g., Mobile Popup Application) highlights the need for behavioral detection beyond signature-based defenses.",
    "Geopolitical targeting patterns (Central/South Asia, ASEAN) indicate strategic intelligence collection priorities."
  ],
  "motivation": [
    "Cyber Espionage",
    "Intelligence Gathering",
    "Long-Term Persistence",
    "Tool/Infrastructure Sharing (potential)"
  ],
  "post_incident_analysis": {
    "root_causes": [
      "Abuse of legitimate applications for DLL side-loading",
      "Lack of behavioral detection for in-memory payload execution",
      "Reuse of encryption keys across malware families (operational security failure)",
      "Potential insider threats or supply chain compromises in telecom/manufacturing sectors"
    ]
  },
  "recommendations": [
    "Monitor for DLL side-loading activity, particularly involving legitimate executables like Mobile Popup Application.",
    "Deploy behavioral analysis tools to detect memory-based payload execution (e.g., PlugX in-memory decryption).",
    "Inspect network traffic for C2 beaconing to compromised infrastructure or lookalike domains (Bookworm tactic).",
    "Hunt for RC4/XOR encryption artifacts and reused keys across malware families.",
    "Assess supply chain risks for telecom/manufacturing sectors in Central/South Asia.",
    "Share indicators of compromise (IOCs) with regional ISACs to disrupt APT operations.",
    "Review access controls for high-value targets (e.g., telecom network diagrams, manufacturing IP)."
  ],
  "references": [
    {"date_accessed": "2024-05-20", "source": "Cisco Talos Analysis: New PlugX Variant with RainyDay/Turian Overlaps", "url": "https://blog.talosintelligence.com/"},
    {"date_accessed": "2024-05-20", "source": "Palo Alto Networks Unit 42: Mustang Panda’s Bookworm Malware", "url": "https://unit42.paloaltonetworks.com/"},
    {"source": "Kaspersky: FoundCore/Cycldek Attribution", "url": "https://securelist.com/"}
  ],
  "response": {
    "third_party_assistance": [
      "Cisco Talos (analysis)",
      "Palo Alto Networks Unit 42 (Bookworm analysis)",
      "Kaspersky (attribution references)"
    ]
  },
  "threat_actor": [
    {"aliases": ["Naikon APT", "FoundCore (Kaspersky)", "Cycldek"], "attribution": "China-linked", "confidence": "Medium", "name": "Lotus Panda"},
    {"aliases": ["CloudComputating", "Faking Dragon"], "attribution": "China-linked", "confidence": "Medium", "name": "BackdoorDiplomacy"},
    {"aliases": ["BASIN", "Bronze President", "Camaro Dragon", "Earth Preta", "HoneyMyte", "RedDelta", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon"], "attribution": "China-aligned", "confidence": "High", "name": "Mustang Panda"}
  ],
  "title": "Ongoing PlugX (Korplug/SOGU) Malware Campaign Targeting Central and South Asian Telecommunications and Manufacturing Sectors",
  "type": [
    "Malware Campaign",
    "Advanced Persistent Threat (APT)",
    "Remote Access Trojan (RAT)",
    "DLL Side-Loading Attack",
    "Cyber Espionage"
  ]
}