• An unknown threat cluster has been targeting at least between June and October 2024 European organizations, notably in the healthcare sector.
• Tracked as Green Nailao by Orange Cyberdefense CERT, the campaign relied on DLL search-order hijacking to deploy ShadowPad and PlugX – two implants often associated with China-nexus targeted intrusions.
• The ShadowPad variant our reverse-engineering team analyzed is highly obfuscated and uses Windows services and registry keys to persist on the system in the event of a reboot.
• In several Incident Response engagements, we observed the consecutive deployment of a previously undocumented ransomware payload.
• The campaign was enabled by the exploitation of CVE-2024-24919 (link for our World Watch and Vulnerability Intelligence customers) on vulnerable Check Point Security Gateways.
  IoCs and Yara rules can be found on our dedicated GitHub page here.

Learn about our process for collecting telemetry data from PlugX worm-infected workstations, as well as how to disinfect them.
#2024 #EN #PlugX #Sinkhole #USB #botnet #sekoia #worm

PlugX remains an active threat. A newly discovered variant infects USB devices and a similar variant makes copies of PDF and Microsoft Word files.

APT group Mustang Panda now appears to have Europe and Asia Pacific targets in its sights. The BlackBerry Research and Intelligence team recently unearthed evidence that the group may be using global interest in the Russian-Ukraine war to deliver PlugX malware via phishing lure to unsuspecting users.