{"description": "Enterprise techniques used by PlugX, ATT&CK software S0013 (v3.3)", "name": "PlugX (S0013)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can be configured to use HTTP for command and control.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Dell TG-3390)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Proofpoint TA416 Europe March 2022) [PlugX](https://attack.mitre.org/software/S0013) has also used HTTPS for C2.(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.004", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can be configured to use DNS for command and control.(Citation: Dell TG-3390)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) adds Run key entries in the Registry to establish persistence.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: CIRCL PlugX March 2013)(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Sophos Mustang Panda PLUGX)(Citation: Lastline PlugX Analysis) [PlugX](https://attack.mitre.org/software/S0013) has established persistence via the registry keys `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` and `HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[PlugX](https://attack.mitre.org/software/S0013) allows actors to spawn a reverse shell on a victim.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: CIRCL PlugX March 2013)(Citation: Dell TG-3390)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)(Citation: Sophos PlugX September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can be added as a service to establish persistence. [PlugX](https://attack.mitre.org/software/S0013) also has a module to change service configurations as well as start, control, and delete services.(Citation: CIRCL PlugX March 2013)(Citation: Lastline PlugX Analysis)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)(Citation: Proofpoint ZeroT Feb 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has collected and staged the victim\u2019s computer files for exfiltration.(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1622", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has made calls to Windows API `CheckRemoteDebuggerPresent` and exits if it detects a debugger.(Citation: Sophos Mustang Panda PLUGX)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[PlugX](https://attack.mitre.org/software/S0013) decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.(Citation: CIRCL PlugX March 2013)(Citation: Trend Micro DRBControl February 2020)(Citation: Proofpoint TA416 Europe March 2022) [PlugX](https://attack.mitre.org/software/S0013) has also decrypted its payloads in memory.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Sophos Mustang Panda PLUGX)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1686", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has modified local firewall rules on victim machines to enable a random, high-number listening port for subsequent access and C2 activity.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can use RC4 encryption in C2 communications.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Proofpoint TA416 Europe March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "showSubtechniques": true}, {"techniqueID": "T1480.002", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has leveraged a mutex in its infection process.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Sophos Mustang Panda PLUGX)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has exfiltrated stolen data and files to its C2 server.(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)(Citation: Sophos PlugX September 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has a module to enumerate drives and find files recursively.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: CIRCL PlugX March 2013)(Citation: Proofpoint TA416 Europe March 2022) [PlugX](https://attack.mitre.org/software/S0013) has also checked the path from which it is running for specific parameters prior to execution. (Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)(Citation: Sophos Mustang Panda PLUGX)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can modify the characteristics of folders to hide them from the compromised user.(Citation: Proofpoint TA416 Europe March 2022) [PlugX](https://attack.mitre.org/software/S0013) has also modified file attributes to hidden and system.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Sophos Mustang Panda PLUGX)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has the ability to execute a command on a hidden desktop.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has the ability to use DLL search order hijacking for installation on targeted systems.(Citation: Proofpoint TA416 Europe March 2022)(Citation: Sophos PlugX September 2022)  [PlugX](https://attack.mitre.org/software/S0013) has also used DLL side-loading to evade anti-virus.(Citation: FireEye Clandestine Fox Part 2)(Citation: Dell TG-3390)(Citation: Stewart 2014)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Palo Alto PlugX June 2017)(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020) [PlugX](https://attack.mitre.org/software/S0013) has also used a legitimately signed executable to side-load a malicious payload within a DLL file.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Sophos PlugX September 2022)(Citation: Sophos Mustang Panda PLUGX)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has the remove itself and other artifacts.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.009", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has deleted registry keys that store data and maintained persistence.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has a module to download and execute files on the compromised machine.(Citation: CIRCL PlugX March 2013)(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)(Citation: Proofpoint TA416 Europe March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has a module for capturing keystrokes per process including window titles.(Citation: CIRCL PlugX March 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1680", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has collected a list of all mapped drives on the infected host.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.004", "comment": "In one instance, [menuPass](https://attack.mitre.org/groups/G0045) added [PlugX](https://attack.mitre.org/software/S0013) as a service with a display name of \"Corel Writing Tools Utility.\"(Citation: FireEye APT10 April 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has been disguised as legitimate Adobe and PotPlayer files.(Citation: Proofpoint TA416 Europe March 2022) [PlugX](https://attack.mitre.org/software/S0013) has also imitated legitimate software directories and file names through the creation and storage of a legitimate EXE and the malicious DLLs.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Sophos PlugX September 2022)(Citation: Sophos Mustang Panda PLUGX)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has a module to create, delete, or modify Registry keys.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: CIRCL PlugX March 2013)(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can use the Windows API functions `GetProcAddress`, `LoadLibrary`, and `CreateProcess` to execute another process.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Proofpoint TA416 Europe March 2022)(Citation: Lastline PlugX Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1135", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has a module to enumerate network shares.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: CIRCL PlugX March 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can be configured to use raw TCP or UDP for command and control.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: Dell TG-3390)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has used random, high-number, non-standard ports to listen for subsequent actions and C2 activities.(Citation: Sygnia VelvetAnt 2024A)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can use API hashing and modify the names of strings to evade detection.(Citation: Trend Micro DRBControl February 2020)(Citation: Proofpoint TA416 Europe March 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has utilized junk code and opaque predicates in payloads to hinder analysis.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.007", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has leveraged obfuscated Windows API function calls that were concealed as unique names, or hashes of the Windows API.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has leveraged XOR encryption with the key of 123456789.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1120", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can identify removable media attached to compromised hosts.(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has a module to list the processes running on a machine.(Citation: CIRCL PlugX March 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[PlugX](https://attack.mitre.org/software/S0013) can enumerate and query for information contained within the Windows Registry.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: CIRCL PlugX March 2013)(Citation: Lastline PlugX Analysis)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1620", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has loaded its payload into memory.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: EclecticIQ Mustang Panda PlugX)(Citation: Google Threat Intelligence Group MUSTANG PANDA PLUGX August 2025)(Citation: Sophos PlugX September 2022)(Citation: Sophos Mustang Panda PLUGX)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1091", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has copied itself to infected removable drives for propagation to other victim devices.(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has created a scheduled task to execute additional malicious software, as well as maintain persistence.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[PlugX](https://attack.mitre.org/software/S0013) allows the operator to capture screenshots.(Citation: CIRCL PlugX March 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has collected system information including OS version, processor information, RAM size, location, host name, IP, and screen size of the infected host.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has obtained the location of the victim device by leveraging `GetSystemDefaultLCID`.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has captured victim IP address details of the targeted machine.(Citation: Eset PlugX Korplug Mustang Panda March 2022)(Citation: DOJ Affidavit Search and Seizure PlugX December 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has a module for enumerating TCP and UDP network connections and associated processes using the netstat command.(Citation: CIRCL PlugX March 2013)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has the ability to gather the username from the victim\u2019s machine.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has identified system time through its GetSystemInfo command.(Citation: Eset PlugX Korplug Mustang Panda March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1127", "showSubtechniques": true}, {"techniqueID": "T1127.001", "comment": "A version of [PlugX](https://attack.mitre.org/software/S0013) loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques.(Citation: Palo Alto PlugX June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[PlugX](https://attack.mitre.org/software/S0013) has leveraged an initial executable disguised as a legitimate document to trick the target into opening it.(Citation: Cisco Talos MUSTANG PANDA PLUGX PUBLOAD MAY 2022)(Citation: EclecticIQ Mustang Panda PlugX)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) checks if VMware tools is running in the background by searching for any process named \"vmtoolsd\".(Citation: Unit42 PlugX June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.001", "comment": "[PlugX](https://attack.mitre.org/software/S0013) uses Pastebin to store C2 addresses.(Citation: Palo Alto PlugX June 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by PlugX", "color": "#66b1ff"}]}