PlugX is a remote access trojan (RAT) first identified in 2012 that targeted government institutions. It is similar to the Poison Ivy malware, allowing remote users to perform data theft or take control of the affected systems without permission or authorization. PlugX is distributed through email attachments in spearphishing campaigns, mainly targeting specific businesses and organizations, and exploits a vulnerability in either Adobe Acrobat Reader or Microsoft Word. The email attachments contain a legitimate file, a malicious .DLL loaded by the legitimate file, and a binary file that contains the malicious code loaded by the .DLL. PlugX contains backdoor modules to perform the following tasks:

  • XPlugDisk – used to copy, move, rename, execute and delete files.
  • XPlugKeyLogger – used to log keystrokes.
  • XPlugRegedit – used to enumerate, create, delete, and modify registry entries and values.
  • XPlugProcess – used to enumerate processes, get process information, and terminate processes.
  • XPlugNethood – used to enumerate network resources and set TCP connections.
  • XPlugService – used to delete, enumerate, modify, and start services.
  • XPlugShell – used to run a remote shell on the affected system.

Users should never open suspicious emails and should always keep their systems and applications up-to-date to help protect against threats like the PlugX RAT.
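
The three-file delivery described above (a legitimate executable, a DLL it loads, and a separate binary payload file) leaves a recognizable shape on disk. The following triage script is an added example, not code from the original page or from any vendor: it flags directories that contain all three file types. The entropy threshold, size floor, and function names are assumptions, and it is a hunting heuristic rather than a PlugX signature.

```python
import math
import os
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumed cut-off (bits/byte) for packed or encrypted data
MIN_BLOB_SIZE = 1024     # assumed floor; entropy of tiny files is not meaningful
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLLs


def shannon_entropy(data):
    """Shannon entropy in bits per byte, 0.0 to 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def classify(path):
    """Label a file 'exe', 'dll', 'blob' or 'other' by content, not extension."""
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # the first 1 MiB is enough for triage
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew: offset of PE header
        if data[pe:pe + 4] == b"PE\0\0" and len(data) >= pe + 24:
            flags = struct.unpack_from("<H", data, pe + 22)[0]  # Characteristics
            return "dll" if flags & IMAGE_FILE_DLL else "exe"
    if len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "blob"  # not a PE, but looks encrypted or compressed
    return "other"


def find_sideload_triads(root):
    """Return directories holding an EXE, a DLL and a high-entropy non-PE file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        seen = {"exe": [], "dll": [], "blob": [], "other": []}
        for name in sorted(files):
            try:
                seen[classify(os.path.join(dirpath, name))].append(name)
            except OSError:
                continue  # unreadable or locked file: skip it, keep scanning
        if seen["exe"] and seen["dll"] and seen["blob"]:
            hits.append({"dir": dirpath, "exe": seen["exe"],
                         "dll": seen["dll"], "blob": seen["blob"]})
    return hits
```

Run `find_sideload_triads()` over user-writable locations such as temp and profile directories. Software that ships compressed resources next to its executables will also match, so treat each hit as a candidate to check against the executable's signer and expected install path.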


  • November 2014: PlugX RAT is used to gather intelligence on Afghan and Russian military. (Security Week)
  • May 2015: PlugX uses legitimate Samsung application for DLL side-loading. (Palo Alto Networks)
  • February 2017: APT targets Russia and Belarus with ZeroT and PlugX. (Proofpoint)
  • April 2017: Chinese APT group, TA459, is distributing spear-phishing emails with a malicious Word attachment to exploit the CVE-2017-0199 vulnerability and deploy the ZeroT trojan that then downloads the PlugX RAT. (Proofpoint)
  • July 2017: PlugX version dubbed "Paranoid PlugX" is targeting video game firms via phishing emails with malicious Word document attachments exploiting a Microsoft Office vulnerability, CVE-2017-0199. The malware script deletes all files created during installation and initial execution, registry keys, and UserAssist key entries to cover its tracks. (Palo Alto Networks)

Technical Details

  • Trend Micro provides technical details on the PlugX RAT, available here.