Talisman is a PlugX variant that loads a modified DLL via a signed benign binary to decrypt and execute a backdoored payload with plug-in capabilities. The campaign is attributed with medium confidence to the Chinese state-backed RedFoxtrot group, targeting South Asia’s telecom and defense sectors in line with Belt and Road interests.
#PlugX #Talisman #RedFoxtrot #NomadPanda #BeltAndRoadInitiative
Keypoints
- The Talisman variant uses a three-file execution chain that sideloads a modified DLL loaded by a signed, benign executable to decrypt the main PlugX payload.
- The decryption routine uses a unique shellcode-based process with altered constants and five sleep calls, followed by decompression to load the in-memory PE module.
- The configuration is decrypted from SNAC.LOG and contains persistence, target process injection, and C2 settings; the signature and config structure differ from prior samples.
- Obfuscation includes dynamic Windows API resolving via CRC32 hashing and encrypted strings (mostly stack-based) with both ASCII and wide strings in use.
- PlugX execution flow includes privilege token adjustments (SeDebugPrivilege, SeTcbPrivilege) and multiple persistence options (scheduled tasks, services, or registry keys).
- Embedded plug-ins (Disk, Nethood, Netstat, etc.) and a multi-stage config with campaign IDs (e.g., TEST, RT, aop-1) indicate modular, configurable operations and possible source-code access.
- Infrastructure overlaps with RedFoxtrot/Nomad Panda, with C2 domains and dynamic DNS hosting; global mutexes and PCShare associations link this variant to broader Chinese-speaking threat activity.
- The victims in South Asia align with geopolitical interests such as Belt and Road, suggesting strategic targeting alongside other Chinese state-backed campaigns.
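The dynamic API resolution mentioned above is the usual obstacle when reading a PlugX loader: the binary carries 32-bit CRC32 constants instead of import names and walks a DLL's export table at runtime until a name hashes to the constant. The following Python is an added example of the analyst's side of that, written for this page rather than taken from the Trellix report or the malware itself. It hashes a candidate list of export names, looks the sample's constants up in the result, and tries a few common variants (lower-casing the name, XOR-ing the result) so that a sample with "altered constants" can still be matched. It assumes standard CRC-32 (the IEEE polynomial, as implemented by `zlib`); the exact routine and any tweaks in the real sample must be taken from the binary. The export list and the "sample" hash constants are constructed for the demonstration.

```python
"""Resolving CRC32-hashed Windows API names (added example, not from the report).

Loaders such as Talisman store a CRC32 of each export name and hash the
entries of a DLL's export table at runtime until one matches. An analyst
inverts that by hashing a candidate list of export names and looking up the
constants found in the sample.
"""
import itertools
import zlib

# Constructed candidate list. A real run would use the full export tables of
# kernel32.dll, advapi32.dll, ntdll.dll, ... (for example dumped with pefile).
CANDIDATE_EXPORTS = [
    "AdjustTokenPrivileges", "CreateFileW", "CreateProcessW", "CreateRemoteThread",
    "CreateServiceW", "GetProcAddress", "LoadLibraryA", "LoadLibraryW",
    "LookupPrivilegeValueW", "OpenProcess", "OpenProcessToken", "RegSetValueExW",
    "Sleep", "VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory",
]


def api_hash(name: str, *, lowercase: bool = False, xor_out: int = 0) -> int:
    """Standard CRC-32 (IEEE polynomial, as in zlib) of an export name.

    `lowercase` and `xor_out` model two tweaks commonly seen in loaders; the
    variant a given sample uses is an assumption here and must be confirmed
    against the binary's own hashing routine.
    """
    data = (name.lower() if lowercase else name).encode("ascii")
    return (zlib.crc32(data) ^ xor_out) & 0xFFFFFFFF


def build_table(exports, **variant):
    """Map hash -> export name for one hashing variant."""
    return {api_hash(n, **variant): n for n in exports}


def resolve(hashes, exports=CANDIDATE_EXPORTS, **variant):
    """Resolve each hash to a name, or None when no candidate matches."""
    table = build_table(exports, **variant)
    return {h: table.get(h) for h in hashes}


def best_variant(hashes, exports=CANDIDATE_EXPORTS, xor_candidates=(0, 0xFFFFFFFF)):
    """Try the plausible variants and return (variant, hits) for the one that
    resolves the most constants. Ties keep the first variant tried."""
    best = None
    for lowercase, xor_out in itertools.product((False, True), xor_candidates):
        resolved = resolve(hashes, exports, lowercase=lowercase, xor_out=xor_out)
        hits = sum(name is not None for name in resolved.values())
        if best is None or hits > best[0]:
            best = (hits, {"lowercase": lowercase, "xor_out": xor_out})
    return best[1], best[0]


if __name__ == "__main__":
    # Constructed stand-in for constants pulled out of a loader. Three are
    # real hashes under the default variant, one is junk and stays unresolved.
    sample_hashes = [
        api_hash("LoadLibraryA"),
        api_hash("GetProcAddress"),
        api_hash("AdjustTokenPrivileges"),
        0xDEADBEEF,
    ]
    variant, hits = best_variant(sample_hashes)
    print(f"best variant {variant} resolved {hits}/{len(sample_hashes)}")
    for h, name in resolve(sample_hashes, **variant).items():
        print(f"{h:08x} -> {name or '<unresolved>'}")
```

When a constant resolves under no variant, the next things to check are the string encoding (Talisman mixes ASCII and wide strings, and a hash over UTF-16 bytes differs from one over ASCII), the initial value and final XOR of the CRC, and whether the DLL name is folded into the hash; each of those is a small change to `api_hash`, not to the lookup.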
MITRE Techniques
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – A signed, benign executable loads the modified DLL placed beside it. "The DLL is loaded by the benign executable, as it normally would."
- [T1140] Deobfuscate/Decode Files or Information – API hashing and encrypted stack strings are resolved at runtime, and the payload itself is decrypted and then decompressed. "The decrypted Talisman payload is decompressed before it is used."
- [T1059] Command and Scripting Interpreter – PlugX can spawn a reverse shell for the operator.
- [T1036] Masquerading – The scheduled task or service registered for persistence carries a benign-looking name.
- [T1112] Modify Registry – A Run key is written when persisting via the registry. "The runkey which is made when persisting via the registry."
- [T1113] Screen Capture – Can capture the victim's screen.
- [T1049] System Network Connections Discovery – Possible via the embedded "Netstat" plug-in.
- [T1095] Non-Application Layer Protocol – PlugX can communicate directly over raw TCP/UDP packets.
- [T1012] Query Registry – Queries the registry to check for values.
- [T1057] Process Discovery – Iterates over all running processes.
Indicators of Compromise
- [Domain] C2 domains – freewula.strangled.net, szuunet.strangled.net, dhsg123.jkub.com, oprblemoyo.kozow.com, asd.powergame.0077.x24hr.com, final.staticd.dynamic-dns.net (all on dynamic DNS providers)
- [IP] C2 IPs – 143.110.242.139, 158.247.204.191, 209.97.166.143
- [File hash] SHA-256 of the PlugX payload – 6dc98a3c771f9f20d099e2d64995564dd083be9ac6ed9586a6e57c20ebd4176c
- [File hash] MD5 of the loader DLL – 60cb70545fbe3c96a0f82eeb54940553
- [File name] SNAC.LOG – encrypted, compressed file from which the PlugX payload and its configuration are recovered at runtime (decrypted, then decompressed)
- [Mutex] GlobalReStart0 – mutex used by the sample (the backslash separating the Global namespace from the name appears to have been lost in extraction)
- [PDB] c:bld_areaSESAgent70snac_buildbin.iraWGXMAN.pdb – debugging artifact (path separators lost in extraction; see the report for the exact string)
- The complete list of domains and IPs is in Appendix A of the Trellix report.
Read more: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html