PlugX and Bookworm Re-emerge in a New APT Campaign Targeting ASEAN Telecom Infrastructure
- 01/10/2025
In recent months, the cybersecurity community has observed a sophisticated and persistent APT campaign aimed at telecom infrastructure and several manufacturing sectors across Central Asia, South Asia, and the ASEAN region. This operation stands out due to the appearance of a new PlugX variant running alongside Bookworm, with multiple technical overlaps linked to China-based APT clusters — highlighting both coordination and technical investment from the threat actors.

1. Key Technical Highlights of the Campaign
- DLL Side-Loading: Attackers exploit legitimate executables to side-load malicious DLLs through Windows’ DLL search order.
- Payload Decryption Chain: Typically, the payload is stored encrypted or compressed and then decrypted in sequence: XOR → RC4 → RtlDecompressBuffer before execution in memory.
- Fileless Execution: The payload executes directly in memory, leaving minimal traces on disk and complicating static analysis.
- Dynamic Plugin Loading: Recent PlugX variants can dynamically load plugins (e.g., keyloggers), allowing attackers to expand capabilities depending on the target.
- Bookworm (associated with Mustang Panda): Uses a modular architecture, where the loader manages C2 communication and fetches functional modules (file transfer, command execution, intelligence collection, data exfiltration). Some modern variants embed shellcode as UUID strings, which are reconstructed into binary blobs and executed in memory.
2. Behavioral Indicators and IOCs
- DLL load logs from unusual directories tied to legitimate processes.
- API calls related to memory allocation and writing (VirtualAlloc, VirtualProtect, CreateThread).
- Use of compression/decompression APIs such as RtlDecompressBuffer.
- Presence of long UUID strings in configurations or registry keys.
- DNS/HTTP(S) patterns toward domains appearing legitimate but with suspicious registration history.
- Reuse of RC4 keys or XOR constants across multiple malware samples.
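The UUID-string indicator above (and the Bookworm technique it comes from in section 1) is easy to check for during triage: a few UUIDs in a config or registry value are normal, a long unbroken run that decodes to a high-entropy blob is not. The helper below is an added example for analysts, not code from the original report or from any of the malware; the sample config it scans is constructed, and it assumes the UUID field layout matches UuidFromStringA (little-endian first three fields), which the report does not specify.

```python
import re
import uuid
from collections import Counter
from math import log2

# One textual UUID: 8-4-4-4-12 hex digits, any case.
UUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
# Characters allowed between UUIDs of the same run (list/JSON punctuation only).
GAP_RE = re.compile(r"[\s\"',{}\[\]]*")

def find_uuid_runs(text, min_run=8):
    """Return runs of consecutive UUID strings separated only by punctuation/whitespace.
    Runs shorter than min_run are dropped as ordinary configuration noise."""
    runs, current, last_end = [], [], None
    for m in UUID_RE.finditer(text):
        gap = text[last_end:m.start()] if last_end is not None else ""
        if current and not GAP_RE.fullmatch(gap):   # real text in between: new run
            if len(current) >= min_run:
                runs.append(current)
            current = []
        current.append(m.group(0))
        last_end = m.end()
    if len(current) >= min_run:
        runs.append(current)
    return runs

def uuid_run_to_bytes(run):
    """Reassemble a UUID run into the blob it encodes.
    Assumption: UuidFromStringA layout, i.e. uuid.UUID(...).bytes_le per UUID."""
    return b"".join(uuid.UUID(u).bytes_le for u in run)

def shannon_entropy(data):
    """Bits per byte; packed or encrypted code sits near the 8.0 ceiling."""
    if not data:
        return 0.0
    n, counts = len(data), Counter(data)
    return -sum(c / n * log2(c / n) for c in counts.values())

def triage(text, min_run=8):
    """Summarise each suspicious run so an analyst can hash/inspect the blob."""
    return [{"uuid_count": len(run),
             "blob_len": len(uuid_run_to_bytes(run)),
             "entropy": round(shannon_entropy(uuid_run_to_bytes(run)), 2)}
            for run in find_uuid_runs(text, min_run)]

# Constructed sample: one benign install id plus a 128-byte blob encoded as 8 UUIDs.
SAMPLE_BLOB = bytes(range(128))
SAMPLE_RUN = [str(uuid.UUID(bytes_le=SAMPLE_BLOB[i:i + 16])) for i in range(0, 128, 16)]
SAMPLE_CONFIG = ('install_id="6f1c2a3b-1111-2222-3333-444455556666"\n'
                 'modules=[' + ", ".join(f'"{u}"' for u in SAMPLE_RUN) + ']\n')

if __name__ == "__main__":
    print(triage(SAMPLE_CONFIG))   # one run: 8 UUIDs, 128 bytes, entropy 7.0
```

Run it over exported registry values or extracted configuration strings; the decoded blob can then be hashed and compared against samples, or handed to a disassembler, without ever executing it.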
3. Attribution Challenges and Cluster Links
The overlapping techniques and targeting suggest two possibilities: clusters with different names may actually represent the same actor, or multiple groups are leveraging the same tools or malware suppliers. Researchers currently assess the attribution level as medium — meaning there are strong technical correlations, but more evidence is required for a definitive conclusion.
4. Attack Chain (Technical Flow)
A typical sequence includes: leveraging a legitimate executable → DLL side-loading → malicious DLL with decoding logic → XOR → RC4 → RtlDecompressBuffer → payload decompressed and executed in memory. The attackers may then allocate memory, inject shellcode, adjust memory permissions, or use reflective DLL loading for execution.
5. Detection & Response Recommendations (Endpoint + Network)
On Endpoints
- Audit applications vulnerable to side-loading; enforce SetDefaultDllDirectories and AddDllDirectory.
- Require absolute paths for internal libraries.
- Enable AppLocker or Windows Defender Application Control to block unsigned DLLs.
- Configure EDR solutions to log memory allocation/write APIs and suspicious process behavior.
On Networks
- Enhance DNS and HTTP(S) monitoring to detect C2 traffic patterns.
- Use sinkholing or firewall rules to block known malicious domains.
- Analyze Netflow/traffic to identify outbound C2 connections.
During Triage
- Isolate suspicious processes and collect memory dumps immediately.
- Extract loaded DLLs, registry keys, and configurations to recover downloaded modules.
Conclusion — Strategic Impact
This campaign highlights a targeted, technically advanced effort focused on telecom operators and critical infrastructure across ASEAN. SOC and IR teams must maintain long-term vigilance, update playbooks for memory-based attacks, standardize safe memory dump procedures, reinforce DLL management policies, and strengthen information-sharing networks to ensure early detection and containment.