Concise Cyber

PlushDaemon Deploys New PlushImp Backdoor in China-Aligned Spy Campaigns

Cybersecurity researchers have uncovered new cyber-espionage campaigns conducted by PlushDaemon, a threat actor aligned with Chinese state interests. The group, also identified as RedGolf, has been observed targeting government organizations located in Southeast Asia with a previously undocumented malware backdoor.

The findings, detailed by Palo Alto Networks’ Unit 42 threat intelligence team, highlight the group’s ongoing efforts to infiltrate sensitive networks for intelligence gathering purposes. The campaigns represent a continuation of PlushDaemon’s activities, demonstrating the use of updated tools to achieve their objectives.

PlushImp Malware and Infection Vector

The newly discovered malware is a C++ backdoor named PlushImp. Its delivery mechanism relies on spear-phishing emails that contain malicious LNK files. These files are designed to initiate a DLL side-loading technique, a common method used to execute malicious code by exploiting how legitimate applications load Dynamic-Link Libraries (DLLs).

In this campaign, the loader is disguised as a legitimate executable, such as a component of Fortinet’s security products. Once executed, PlushImp establishes persistence and communicates with a command-and-control (C2) server over HTTP. The backdoor’s capabilities include executing commands, manipulating files (listing, uploading, downloading, and deleting), and terminating its own processes.

Campaign Attribution and Tactics

Analysis of the threat actor’s tactics, techniques, and procedures (TTPs) shows a significant overlap with another known China-aligned group, RedFoxtrot. This connection reinforces the attribution of PlushDaemon’s activities to Chinese state-sponsored operations.

The primary goal of these campaigns is cyber-espionage. By deploying the PlushImp backdoor within government networks, the operators gain long-term access to collect and exfiltrate sensitive information, aligning with the strategic intelligence interests of the People’s Republic of China.

Source: https://www.infosecurity-magazine.com/news/plushdaemon-new-malware-china-spy/