EducationGuidesThreat Hunting

PlugX Remote Access Trojan

The notorious PlugX remote access trojan has been identified adopting a disguise as an open-source Windows debugger tool named x64dbg. This tactic aims to evade security measures and gain unauthorized control over targeted systems. PlugX, also known as Korplug, is a modular implant recognized for its diverse capabilities, including data exfiltration and enabling malicious activities on compromised machines.

Masquerading as x64dbg Debugger

According to a recent report by Trend Micro researchers, the malicious file disguises itself as a legitimate open-source Windows debugger tool called x64dbg. Typically used to examine code, crash dumps, and CPU registers, x64dbg’s credibility can deceive security tools, allowing threat actors to remain undetected, establish persistence, elevate privileges, and bypass file execution restrictions.

The Evolution and Usage of PlugX

Although PlugX was initially documented in 2012, early malware samples trace back to as early as February 2008. Over the years, the threat has been associated with both Chinese-affiliated threat actors and cybercrime groups.

PlugX RAT on
PlugX RAT on

PlugX has gained notoriety for its post-exploitation capabilities, enabling malicious actors to conduct various activities, including data exfiltration and leveraging compromised systems for nefarious purposes.

DLL Side-Loading Technique Exploited

PlugX leverages a technique called DLL side-loading to execute its malicious activities. In this case, it utilizes the DLL search order mechanism in Windows to load a malicious DLL from a digitally signed software application—specifically, the x64dbg debugging tool (x32dbg.exe). By exploiting legitimate applications and their valid digital signatures, the trojan evades detection by certain security tools, ensuring persistence and bypassing execution restrictions.

Propagation through USB Devices

Palo Alto Networks Unit 42 recently discovered a new variant of PlugX that employs a propagation technique involving removable USB devices. The malware hides its malicious files on USB drives, facilitating the spread of the infection to other Windows hosts. This method enables the trojan to expand its reach and compromise additional systems.

Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.