Hackers News
PlugX USB Worm Spreads Globally via DLL Sideloading

David kimber
April 14, 2026 3 Min Read

Key Takeaways

  • A new variant of the PlugX worm is rapidly spreading globally, leveraging USB drives and DLL sideloading for stealthy propagation.
  • The malware has been detected across five continents, indicating a wide geographical reach since its initial observation in August 2022.
  • This variant employs a legitimate AvastSvc.exe executable to sideload a malicious DLL, executing the PlugX remote access Trojan (RAT) while appearing as an empty USB drive.
  • Researchers link the campaign to PKPLUG, also known as Mustang Panda, a China-affiliated advanced persistent threat (APT) group.

PlugX USB Worm Exploits DLL Sideloading for Global Infiltration

A recently identified PlugX worm variant is actively exploiting USB drives to achieve widespread global propagation, silently breaching organizational perimeters across continents. This sophisticated malware has been observed spanning at least ten time zones, indicating a significant and rapid distribution.

Table Of Content

  • Key Takeaways
  • PlugX USB Worm Exploits DLL Sideloading for Global Infiltration
  • Advanced Tactics and Link to Notorious APT
  • DLL Sideloading and USB-Based Evasion
  • What You Should Do

The worm first appeared in Papua New Guinea in August 2022. By January 2023, it resurfaced in both Papua New Guinea and Ghana, locations separated by approximately 10,000 miles. Subsequent infections were confirmed in Mongolia, Zimbabwe, and Nigeria, establishing this as one of the most geographically expansive malware outbreaks in recent history.

Advanced Tactics and Link to Notorious APT

PlugX, a well-established remote access Trojan (RAT) of Chinese origin, has been a staple in threat actor arsenals for years. However, this particular variant distinguishes itself through a novel payload and its connection to a command-and-control (C2) server not previously strongly associated with the PlugX family.

The worm’s primary evasion technique is DLL sideloading, a method where a legitimate application is manipulated into loading a malicious library instead of its intended one. This allows the worm to execute its code covertly, bypassing immediate detection.

Sophos X-Ops researchers, led by analyst Gabor Szappanos, uncovered this new variant following a CryptoGuard alert, likely triggered by an attempted data exfiltration. The infection package comprises a legitimate AvastSvc.exe executable, vulnerable to DLL sideloading; a malicious DLL named wsc.dll; and an encrypted payload file. These components collaboratively deploy the PlugX backdoor onto compromised systems.

The C2 activity was traced to the IP address 45.142.166[.]112. This IP was noted in a 2019 Unit 42 report as loosely connected to PlugX but lacked a direct link to a specific threat actor at the time. Sophos researchers now assert that the observed techniques align with the known operational patterns of PKPLUG, also known as Mustang Panda, a China-linked advanced persistent threat (APT) group. This finding significantly strengthens the connection between the IP address and the threat actor behind the current campaign.

DLL Sideloading and USB-Based Evasion

The infection chain of this PlugX variant is meticulously designed for stealth. When the worm copies itself to a USB drive, it utilizes specific mutex strings—USB_NOTIFY_COP and USB_NOTIFY_INF—to manage its operations. Post-copy, the USB drive appears completely empty within standard Windows Explorer views. Victims instead see a shortcut file disguised as another removable disk, complete with an identical drive icon.

Clicking this deceptive shortcut executes the CEFHelper executable, which is in fact the renamed AvastSvc.exe file. This renaming to mimic a legitimate Adobe process is a deliberate tactic to avoid suspicion. All other malicious files and directories are assigned hidden and system attributes, rendering them invisible by default in typical file listings.

The worm stores all its components within a directory named RECYCLER.BIN and drops a desktop.ini file that configures Windows to treat this folder as an actual Recycle Bin. This allows legitimate deleted files from the user’s hard drive to appear within, further obscuring the worm’s presence. Inside RECYCLER.BIN, the malware targets common document types, including .doc, .docx, .xls, .xlsx, .ppt, .pptx, and .pdf files, encrypts them, and saves them with base64-encoded filenames in preparation for exfiltration.
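The infection chain above leaves a recognisable footprint on a removable volume and on an infected host. The following triage script is an added example, not code from this article or from the Sophos write-up: it checks a removable volume for the on-disk layout the article describes (a hidden RECYCLER.BIN folder, a desktop.ini that re-labels it as the Recycle Bin, the CEFHelper/AvastSvc/wsc.dll trio, base64-style filenames of staged documents, and a lone root-level shortcut), then looks for the two mutex names on the local host and for live connections to the reported C2 address. The Recycle Bin CLSID is the standard Windows shell identifier; all other names come from the article.

```powershell
# Added triage example (not from the article or Sophos). Read-only: it reports, it
# does not clean. Run in an elevated PowerShell 5.1+ session on a Windows host.
$RecycleBinClsid = '{645FF040-5081-101B-9F08-00AA002F954E}'   # standard shell CLSID
$KnownComponents = @('CEFHelper.exe', 'AvastSvc.exe', 'wsc.dll') # names from the article
$WormMutexes     = @('USB_NOTIFY_COP', 'USB_NOTIFY_INF')         # mutexes from the article
$ReportedC2      = '45.142.166[.]112' -replace '\[\.\]', '.'     # un-defang the article's IP

function Test-RemovableVolume {
    # Returns indicator strings found under one volume root such as 'E:\'.
    param([Parameter(Mandatory)][string]$Root)
    $findings = [System.Collections.Generic.List[string]]::new()
    $shell = New-Object -ComObject WScript.Shell

    # Windows Vista and later create '$RECYCLE.BIN'; a folder literally named
    # 'RECYCLER.BIN' is not something Windows makes on its own.
    $rb = Join-Path $Root 'RECYCLER.BIN'
    if (Test-Path -LiteralPath $rb) {
        $attrs = (Get-Item -LiteralPath $rb -Force).Attributes
        $findings.Add("RECYCLER.BIN directory present (attributes: $attrs)")

        $ini = Join-Path $rb 'desktop.ini'
        if (Test-Path -LiteralPath $ini) {
            $text = Get-Content -LiteralPath $ini -Raw -Force
            if ($text -match [regex]::Escape($RecycleBinClsid)) {
                $findings.Add('desktop.ini re-labels RECYCLER.BIN with the Recycle Bin CLSID')
            }
        }

        Get-ChildItem -LiteralPath $rb -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($KnownComponents -contains $_.Name) {
                    $findings.Add("Known sideloading component: $($_.FullName)")
                } elseif ($_.Name -match '^[A-Za-z0-9+/]{16,}={0,2}$') {
                    # base64-looking names match the staged, encrypted documents
                    $findings.Add("Base64-style filename (possible staged document): $($_.FullName)")
                }
            }
    }

    # The only visible item on the "empty" stick is a shortcut posing as a drive.
    Get-ChildItem -LiteralPath $Root -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $findings.Add("Root shortcut: $($_.Name) -> '$($lnk.TargetPath)' $($lnk.Arguments)")
        }
    return $findings
}

function Test-WormMutex {
    # Opening an existing named mutex succeeds (or fails with access denied) only if
    # some process on this host has already created it.
    $present = @()
    foreach ($name in $WormMutexes) {
        foreach ($candidate in @($name, "Global\$name")) {
            try {
                $m = [System.Threading.Mutex]::OpenExisting($candidate)
                $m.Dispose()
                $present += $candidate
            } catch [System.Threading.WaitHandleCannotBeOpenedException] {
                # not present in this namespace
            } catch [System.UnauthorizedAccessException] {
                $present += $candidate
            }
        }
    }
    return $present
}

function Test-ReportedC2 {
    # Lists any TCP connection to the C2 address the article reports.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object RemoteAddress -eq $ReportedC2 |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            "PID $($_.OwningProcess) ($($proc.ProcessName)) -> $($_.RemoteAddress):$($_.RemotePort) [$($_.State)]"
        }
}

# --- run all three checks ---
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {   # 2 = removable
    $hits = Test-RemovableVolume -Root ($_.DeviceID + '\')
    if ($hits.Count -gt 0) {
        Write-Warning "$($_.DeviceID) shows $($hits.Count) indicator(s):"
        $hits | ForEach-Object { "  $_" }
    } else {
        "$($_.DeviceID): no indicators from this article found"
    }
}
$mutexes = Test-WormMutex
if ($mutexes) { Write-Warning "Worm mutex present on this host: $($mutexes -join ', ')" }
$c2 = Test-ReportedC2
if ($c2) { Write-Warning "Connection to reported C2:`n$($c2 -join "`n")" }
```

Each finding on its own is weak (a stray root shortcut is common), but the combination of a hidden RECYCLER.BIN, a Recycle Bin CLSID in its desktop.ini and one of the named components is specific to the layout described above. Mutex names and IP addresses change between campaigns, so treat those two checks as a snapshot of this report rather than durable detection logic.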

What You Should Do

  • Organizations must treat USB drive connections as a significant security risk, especially in environments handling sensitive data.
  • Disable AutoRun and AutoPlay for all removable media as a foundational security measure.
  • Configure systems to display hidden and system files by default, which can help in identifying suspicious directories like RECYCLER.BIN.
  • Implement robust endpoint protection capable of detecting and preventing DLL sideloading attempts.
  • Continuously monitor outbound traffic for anomalous connections to known C2 infrastructure to mitigate potential data exfiltration.
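The AutoRun/AutoPlay and hidden-file recommendations above map onto a handful of Windows Explorer policy values. The script below is an added example, not code from the article or from Sophos: it applies those values and then reads each one back so the result can be verified. The registry paths and value names are the documented Explorer policy settings; the HKLM entries need an elevated session, and the HKCU entries apply to the current user only and take effect once Explorer restarts. Domain Group Policy, where present, overrides what is set here.

```powershell
# Added hardening example (not from the article or Sophos). Run elevated.
$Hardening = @(
    # Disable AutoRun for every drive class (0xFF sets the bit for all of them)
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Value = 0xFF }
    # "Set the default behavior for AutoRun" = do not execute any autorun commands
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoAutorun'; Value = 1 }
    # No AutoPlay for non-volume devices (MTP phones, cameras)
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoAutoplayfornonVolume'; Value = 1 }
    # Explorer: show hidden files (1 = show, 2 = hide) ...
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'Hidden'; Value = 1 }
    # ... and show protected operating-system ("super hidden") files
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'ShowSuperHidden'; Value = 1 }
)

function Set-UsbHardening {
    # Creates each key if missing and writes the DWORD value.
    foreach ($s in $Hardening) {
        if (-not (Test-Path -LiteralPath $s.Path)) {
            New-Item -Path $s.Path -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $s.Path -Name $s.Name -Value $s.Value `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-UsbHardening {
    # Reads every value back and reports whether it matches the expected setting.
    foreach ($s in $Hardening) {
        $actual = (Get-ItemProperty -LiteralPath $s.Path -Name $s.Name `
                       -ErrorAction SilentlyContinue).($s.Name)
        $shown = if ($null -eq $actual) { '<absent>' } else { $actual }
        [pscustomobject]@{
            Setting   = $s.Name
            Expected  = $s.Value
            Actual    = $shown
            Compliant = ($actual -eq $s.Value)
        }
    }
}

Set-UsbHardening
Test-UsbHardening | Format-Table -AutoSize
```

One caveat worth keeping in mind: the variant described here does not rely on AutoRun at all; it waits for the user to click the drive-lookalike shortcut. Disabling AutoRun still removes a propagation path for older USB worms, but the setting that actually works against this chain is showing hidden and system files, so the RECYCLER.BIN folder is no longer invisible when someone opens the drive.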

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.