#plugx — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #plugx, aggregated by home.social.
-
Donuts and Beagles: Fake Claude site spreads backdoor
A fraudulent website impersonating Anthropic's Claude AI platform has been distributing a previously undocumented backdoor called Beagle through malvertising campaigns. The attack begins when victims download a fictitious tool named Claude-Pro Relay from claude-pro[.]com, delivered as a 505 MB ZIP archive. The infection chain utilizes DLL sideloading, exploiting a signed G DATA antivirus updater to load malicious code. The technique mirrors PlugX delivery methods but deploys different payloads. Beagle supports eight commands including shell execution, file transfer, and directory listing, communicating with C2 servers using AES encryption. Related samples dating to February 2026 have been identified, with some variants delivering the AdaptixC2 framework. Additional domains impersonated security vendors like Trellix, CrowdStrike, and SentinelOne. The infrastructure spans Cloudflare for distribution and Alibaba Cloud for command and control.
Pulse ID: 69fcc63f1dce161fc2f8380c
Pulse Link: https://otx.alienvault.com/pulse/69fcc63f1dce161fc2f8380c
Pulse Author: AlienVault
Created: 2026-05-07 17:05:03
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Cloud #CrowdStrike #CyberSecurity #Encryption #InfoSec #Malvertising #OTX #OpenThreatExchange #PlugX #SentinelOne #SideLoading #Trellix #ZIP #bot #AlienVault
-
Life is full of paradoxes. We spend countless hours discussing threat actors using AI, and in 2026 some are still relying on PlugX.
-
Fake Claude AI installer mimicking Anthropic spreads PlugX RAT on Windows, using DLL sideloading to gain persistent remote access to infected systems.
Read: https://hackread.com/fake-claude-ai-installer-plugx-malware-windows-users/
-
Warning: Fake Claude website distributes the PlugX RAT malware
Security researchers have warned about a phishing campaign that uses a fraudulent website for the "Claude" AI to infect computers with the PlugX remote access trojan, allowing full control of the machine (Source: Malwarebytes).
The popularity of artificial intelligence is once again being exploited by cybercriminals. A website has been detected that perfectly imitates the interface of Claude (Anthropic's AI) to trick users into downloading a malicious executable file. Instead of offering AI tools, the installer deploys a variant of the well-known remote access trojan (RAT) called PlugX. Once installed, this malware lets attackers steal credentials, record keystrokes (keylogging), access private files, and use the infected device's camera or microphone without the user's consent.
The distribution method usually relies on deceptive ads in search engines or social media posts promising "premium desktop versions" or "unlimited free features" of Claude. The malware uses DLL side-loading techniques to evade conventional antivirus products, hiding inside legitimate operating system processes. This tactic is common among advanced persistent threat (APT) groups and underscores the sophistication of attacks aimed at users looking for AI-based productivity tools.
Cybersecurity experts recommend that users access Claude and other AI platforms exclusively through their official, verified domains. It is vital to distrust desktop installers that do not come from official stores such as the Mac App Store or Microsoft Store, and to always keep security solutions with real-time protection enabled. This incident is a reminder that, amid the rise of AI, common sense and verification of sources remain the most effective defenses against the digital hijacking of data.
#Alerta #arielmcorg #ciberseguridad #claude #hackeo #infosertec #InteligenciaArtificial #malware #phishing #PlugX #PORTADA #SeguridadDigital #tecnología
-
I’d come running back to EU again: TA416 resumes European government espionage campaigns
#TA416 #PlugX #UNK_SteadySplit
https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage
-
China-linked hackers targeted #Qatar using fake war news to spread PlugX backdoors and launch cyber-espionage attacks on military and energy sectors.
https://hackread.com/china-hackers-qatar-backdoor-fake-war-news/
-
#plugx targeting VN "evv.msi" -> famisu[.]com e0058681fabb8e49ec780fdd78ec01fd
-
Chinese groups exploit Ivanti vulnerabilities to deploy MetaRAT malware https://blog.elhacker.net/2025/12/grupos-chinos-explotan-vulnerabilidades-ivanti-malware-metarat.html #vulnerabilidad #ciberataque #Malware #metarat #ivanti #china #plugx
-
Two dangerous Windows vulnerabilities actively exploited. One is an 8-year-old zero-day with no patch
Security researchers are sounding the alarm over two serious vulnerabilities in Windows that are currently being actively exploited in attacks on a wide scale.
As ArsTechnica reports, one of the flaws is a critical vulnerability that Microsoft recently tried, unsuccessfully, to patch. The other is a zero-day that has been exploited by government-linked hacking groups since at least… 2017, and to this day there is no proper fix for it!
The more dangerous and more worrying one is the zero-day vulnerability, currently tracked as CVE-2025-9491. It is a bug in the handling of the Windows shortcut (.lnk) format. The flaw was publicly disclosed in March 2025 by Trend Micro, which discovered that it had been actively exploited by at least 11 different hacking groups (APTs) since 2017 to install trojans and spyware. Although seven months have passed since its discovery, Microsoft has still not released an official security patch for it.
In recent days, Arctic Wolf reported a new, large-scale campaign exploiting precisely this flaw. The attackers, probably linked to China, are using it to infect targets in Europe with the popular remote access trojan (RAT) named PlugX. Because there is no patch, the only effective defense is for administrators to manually block or restrict the use of .lnk files from untrusted sources.
The second actively exploited vulnerability is CVE-2025-59287, a critical (9.8/10) flaw in Windows Server Update Services (WSUS), the tool administrators use to manage updates in companies. The bug allows remote code execution (RCE) and is potentially capable of spreading on its own across a network.
The problem is that Microsoft tried to patch this hole during the October "Patch Tuesday", but did so ineffectively. Publicly available proof-of-concept (PoC) code quickly proved that the fix was incomplete. Hackers exploited this immediately. Security firms such as Huntress and Sophos confirmed that they have been observing mass attacks on WSUS servers since October 23-24. Microsoft was forced to release a second, emergency out-of-band patch to finally close the hole.
Windows system administrators should immediately verify that their WSUS servers have the second, correct update installed. As for the zero-day in .lnk files, both administrators and ordinary users must exercise particular caution and wait for action from Microsoft, which so far has not given a release date for a fix.
An end to technical gibberish. Windows 11 updates will be more understandable
#0Day #ArsTechnica #CVE202559287 #CVE20259491 #cyberbezpieczeństwo #lukaWZabezpieczeniach #Microsoft #news #PlugX #TrendMicro #windows #WSUS #zeroDay
-
UNC6384 Attack Detection: China-Linked Group Targets Diplomats and Hijacks Web Traffic Spreading a PlugX Variant – Source: socprime.com https://ciso2ciso.com/unc6384-attack-detection-china-linked-group-targets-diplomats-and-hijacks-web-traffic-spreading-a-plugx-variant-source-socprime-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #CyberEspionage #Latestthreats #socprimecom #socprime #PlugX #Blog #APT
-
China-Linked Hackers Hijack Web Traffic to Deliver Backdoor https://www.securityweek.com/china-linked-hackers-hijack-web-traffic-to-deliver-backdoor/ #Malware&Threats #UNC6384 #China #PlugX
-
Google’s report on #UNC6384 lists this certificate as being used in C2 comms by Sogu (#PlugX variant):
eca96bd74fb6b22848751e254b6dc9b8e2721f96
Here’s an @anyrun_app execution of AdobePlugins.exe on May 19, which runs CANONSTAGER as well as SOGU.SEC:
https://app.any.run/tasks/ce2745eb-edac-4e62-b5a9-5d9515b88bc4
It connects to the C2 server on 166.88.2[.]90, which actually provides a different certificate.
🔥 50f990235d7492431f57953cec14a478fb662c8d
🔥 SAN: *.crossfitolathe.com
-
Detect CVE-2025-31324 Exploitation by Chinese APT Groups Targeting Critical Infrastructure – Source: socprime.com https://ciso2ciso.com/detect-cve-2025-31324-exploitation-by-chinese-apt-groups-targeting-critical-infrastructure-source-socprime-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #CVE-2025-31324 #Latestthreats #socprimecom #socprime #zeroday #PlugX #Blog #CVE #rce
-
Chinese APT Tools Found in Ransomware Schemes, Blurring Attribution Lines – Source: www.securityweek.com https://ciso2ciso.com/chinese-apt-tools-found-in-ransomware-schemes-blurring-attribution-lines-source-www-securityweek-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #Malware&Threats #securityweekcom #securityweek #NationState #Cybercrime #ransomware #TrendMicro #Shadowpad #ChinaAPT #symantec #APT41 #PlugX
-
Chinese APT Tools Found in Ransomware Schemes, Blurring Attribution Lines https://www.securityweek.com/chinese-apt-tools-found-in-ransomware-schemes-blurring-attribution-lines/ #Malware&Threats #NationState #Cybercrime #ransomware #TrendMicro #Shadowpad #ChinaAPT #Symantec #APT41 #PlugX
-
Several countries disinfect botnet, Germany does not | Security https://www.heise.de/news/Botnetz-Plug-X-Reinemachen-geht-nicht-10252309.html #CyberCrime #PlugX #Malware @bsi #BKA #Bundeskriminalamt #Botnet
-
A week in security (January 13 – January 19) https://www.malwarebytes.com/blog/news/2025/01/a-week-in-security-january-13-january-19 #GoogleAds #SocGolish #iMessage #QRcode #PlugX #News
-
FBI Uses Malware’s Own ‘Self-Delete’ Trick to Erase Chinese PlugX From US Computers – Source: www.securityweek.com https://ciso2ciso.com/fbi-uses-malwares-own-self-delete-trick-to-erase-chinese-plugx-from-us-computers-source-www-securityweek-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #JusticeDepartment #Malware&Threats #securityweekcom #MustangPanda #securityweek #Government #China #PlugX #fbi
-
PlugX Malware Removed from Thousands of Computers in Major Global Operation - https://www.redpacketsecurity.com/chinese-plugx-malware-deleted-in-global-law-enforcement-operation/
-
The #FBI has mass-removed the #PlugX #malware from infected US computers. The infections were attributed to #MustangPanda (aka #TwillTyphoon).
Remember this is just one botnet of #PlugX it's still used in the wild by many other threat actor groups.
For you #DFIR folks, ensure you know how to go #ThreatHunting for DLL side-loading to find #PlugX in your network.
https://www.bleepingcomputer.com/news/security/fbi-wipes-chinese-plugx-malware-from-over-4-000-us-computers/
#IncidentResponse
-
FBI Uses Malware’s Own ‘Self-Delete’ Trick to Erase Chinese PlugX From US Computers https://www.securityweek.com/fbi-uses-malwares-own-self-delete-trick-to-erase-chinese-plugx-from-us-computers/ #JusticeDepartment #Malware&Threats #MustangPanda #Government #China #PlugX #FBI
-
Justice Department and FBI Conduct International Operation to Delete Malware Used by China-Backed Hackers
#MustangPanda #PlugX
https://www.justice.gov/opa/pr/justice-department-and-fbi-conduct-international-operation-delete-malware-used-china-backed
-
Global Cybercrime Syndicate Busted in Singapore in Major Police Operation https://thecyberexpress.com/singapore-busts-global-cybercrime-syndicate/ #CybleResearchandIntelligenceLabs #GlobalCybercrimeSyndicate #TheCyberExpressNews #ThreatIntelligence #CyberEssentials #TheCyberExpress #FirewallDaily #ThreatActors #CyberNews #Espionage #PlugXRAT #APT31 #APT31 #cyble #PlugX #CRIL #RAT
-
This is a destructive OPSEC failure.
PoC code is trivial to find along with a simple Censys query to uncover vulnerable hosts. The code itself supports a TXT file of URLs so... spray and pray method to find targets. Certain campaigns used #XMRig, GoThief, and backdoors like #Gh0stRAT and #PlugX. It should go without saying to not make your file servers open to the public but some didn't get the memo.
#HFS #CVE202423692 #ThreatIntel
-
Chinese Hackers Compromised Large Organization’s F5 BIG-IP Systems for 3 Years https://thecyberexpress.com/chinese-hackers-f5-big-ip-systems-velvet-ant/ #TheCyberExpressNews #CybersecurityNews #VelvetAntCampaign #TheCyberExpress #FirewallDaily #VelvetAnt #Evasive #F5BIGIP #Sygnia #China #PlugX #F5
-
Our latest report on a CN #APT targeting tens of government entities worldwide has been published 🥳 After monitoring it for a long time we realized it is likely related to the recent I-Soon company leaks. It discusses their TTPs and provides lots of IOCs https://trendmicro.com/en_us/research/24/c/earth-krahang.html
Targets are spread among 5 continents, although some countries are targeted more heavily: one country had 11 of its government entities compromised. Previous victims are used to compromise new ones by abusing their infrastructure to send spear-phishing emails or host malware.
Their favorite malware tools are Reshell, a basic .NET backdoor, and Xdealer, also named Dinodas RAT, two custom malware families. They also use the infamous #CobaltStrike, #PlugX and #Shadowpad. Many of their offensive and post-exploitation tools are retrieved from public sources.