Cisco Uncovers New PlugX Backdoor Linked to Chinese APTs

Researchers at Cisco Talos have uncovered a long-running espionage campaign active since 2022, targeting the telecommunications and manufacturing sectors across Central and South Asia. The campaign revolves around a new variant of the PlugX backdoor, which shows extensive overlaps with both the RainyDay and Turian backdoors — malware families historically attributed to Chinese-speaking APT groups.

According to the report, “Cisco Talos discovered a new campaign active since 2022, targeting the telecommunications and manufacturing sectors in Central and South Asian countries, delivering a new variant of PlugX.”

The newly discovered PlugX variant isn’t just another fork of the notorious RAT — it borrows heavily from other espionage toolkits. Talos notes that, “the new variant’s features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL sideloading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used.”
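The layered unpacking the quoted overlap refers to (XOR, then RC4, then RtlDecompressBuffer) can be reproduced outside Windows, which is how an analyst would recover the embedded payload from a sample on a Linux box. The block below is an added example written for this article, not code from Talos or from the malware itself: the XOR key, the RC4 key, the sample plaintext and the encrypted blob are placeholders constructed here, the repeating-key XOR layout is an assumption, and the compression format is assumed to be LZNT1 (the report only names RtlDecompressBuffer, not the format flag), so the pure-Python LZNT1 routine stands in for that API.

```python
"""
Layered payload unpacking in the order the Talos report describes:
XOR -> RC4 -> RtlDecompressBuffer. Everything below (keys, sample, the
choice of LZNT1) is constructed for this example, not taken from the report.
"""
import struct


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so one routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(data: bytes, key: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def lznt1_decompress(data: bytes) -> bytes:
    """Pure-Python stand-in for RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:                       # end-of-stream marker
            break
        if (header >> 12) & 0x7 != 3:         # every LZNT1 chunk carries signature 3
            raise ValueError("bad LZNT1 chunk signature (wrong XOR/RC4 key?)")
        size = (header & 0xFFF) + 1           # chunk length, header excluded
        chunk = data[pos:pos + size]
        pos += size
        if not header & 0x8000:               # chunk stored uncompressed
            out += chunk
            continue
        base = len(out)                       # start of this chunk's output
        cpos = 0
        while cpos < len(chunk):
            flags = chunk[cpos]               # one flag bit per following token
            cpos += 1
            for bit in range(8):
                if cpos >= len(chunk):
                    break
                if not (flags >> bit) & 1:    # literal byte
                    out.append(chunk[cpos])
                    cpos += 1
                    continue
                token = struct.unpack_from("<H", chunk, cpos)[0]
                cpos += 2
                # The offset/length split of the 16-bit token shifts as the
                # chunk output grows (more offset bits further in).
                p = len(out) - base - 1
                l_mask, o_shift = 0xFFF, 12
                while p >= 0x10:
                    l_mask >>= 1
                    o_shift -= 1
                    p >>= 1
                length = (token & l_mask) + 3
                offset = (token >> o_shift) + 1
                for _ in range(length):       # byte-wise copy handles overlap
                    out.append(out[-offset])
    return bytes(out)


# --- Constructed sample (placeholder values, not from the report) -----------
PLAINTEXT = b"cfg=abcabcabcabcabc"
# Hand-built LZNT1 stream for PLAINTEXT: one compressed chunk holding seven
# literals ("cfg=abc") followed by a back-reference of offset 3, length 12.
LZNT1_BLOB = bytes([0x09, 0xB0,                  # header: size 10-1, signature 3, compressed
                    0x80,                        # flags: only token 7 is a back-reference
                    0x63, 0x66, 0x67, 0x3D, 0x61, 0x62, 0x63,   # "cfg=abc"
                    0x09, 0x20])                 # token 0x2009: offset 2+1, length 9+3
XOR_KEY = b"\x5A\xA5\x0F"                      # placeholder, assumed layout
RC4_KEY = b"placeholder-rc4-key"               # placeholder


def pack(lznt1_stream: bytes) -> bytes:
    """Builder side: compressed stream -> RC4 -> XOR."""
    return xor_bytes(rc4(lznt1_stream, RC4_KEY), XOR_KEY)


def unpack(blob: bytes) -> bytes:
    """Loader side, the order named in the report: XOR -> RC4 -> decompress."""
    return lznt1_decompress(rc4(xor_bytes(blob, XOR_KEY), RC4_KEY))


ENCRYPTED_SAMPLE = pack(LZNT1_BLOB)

if __name__ == "__main__":
    print(unpack(ENCRYPTED_SAMPLE))
```

With a real sample, swap in the XOR and RC4 keys recovered from the loader and feed it the embedded blob. The signature check on the first LZNT1 chunk header is the useful tell: with wrong keys the decrypted stream almost never carries the 0x3 signature bits, so the routine fails immediately instead of emitting garbage that then has to be eyeballed.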

These technical commonalities suggest either that a single vendor supplies tooling to multiple threat groups, or that Naikon (the operator behind RainyDay) and BackdoorDiplomacy (the operator behind Turian) are in fact the same entity.

[Figure: RainyDay malware flow. Image: Cisco Talos]

The campaign’s unique PlugX configuration format provided key attribution clues. Unlike standard PlugX builds, this variant mirrors the RainyDay configuration structure, leading Talos to assess “with medium confidence that this variant of PlugX can be attributed to Naikon.”

Naikon, a Chinese-speaking espionage group active since at least 2010, has a long history of targeting government, military, and telecom operators across Asia. Talos's medium-confidence attribution places the PlugX variant within Naikon's operational toolkit.

Perhaps the most intriguing discovery is the blurred line between Naikon and BackdoorDiplomacy, another APT group known for deploying the Turian backdoor.

Talos researchers explain: “Our analysis of the victimology and technical malware implementation has uncovered evidence that indicates a potential connection between the two threat actors and suggests that they are the same group or that both are sourcing their tools from the same vendor.”

Both groups continue to prioritize telecom targets in South and Central Asia, with campaigns sometimes hitting adjacent countries — a pattern consistent with long-term, regionally focused espionage.
