Despite its creators abandoning it months ago, PlugX malware continues to infect millions of devices worldwide, according to warnings from cybersecurity experts at Sekoia.
The analysts managed to obtain the IP address associated with the malware’s command & control (C2) server and monitored connection requests over a six-month period. They found that infected endpoints were attempting 90,000 connection requests every day, totaling 2.5 million connections. These devices were spread across 170 countries, with just 15 countries accounting for over 80% of total infections. The top eight countries included Nigeria, India, China, Iran, Indonesia, the UK, Iraq, and the United States.
While the numbers seem alarming, the researchers cautioned that the figures might not be entirely accurate. The absence of a unique identifier in the malware’s C2 traffic complicates tracking: multiple compromised workstations can appear to exit through the same IP address and are counted once, while devices on dynamic IP assignments can be counted as multiple endpoints. Connections routed through VPN services further distort the country-level statistics, since the exit node, not the victim, determines the geolocation.
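The counting problem described above is easy to see with a small amount of sinkhole arithmetic. The following Python script is an added example and not Sekoia's tooling or data: it runs over a constructed set of connection records and shows why "connection requests", "distinct source IPs" and "infected hosts" are three different numbers. The `host-*` fingerprint column is a hypothetical field included only so the demo can compare what a sinkhole actually sees against ground truth; a real PlugX beacon carries no such identifier, which is exactly the article's point.

```python
"""Sinkhole telemetry arithmetic for a C2 that carries no per-victim identifier.

Added example, not the researchers' tooling. It shows how NAT collapses several
hosts into one IP (under-count) and dynamic addressing spreads one host over
several IPs (over-count), and how that reorders a per-country ranking.
"""
from collections import Counter, defaultdict

# Constructed sample of sinkhole connection records (not real data).
# Fields: ISO timestamp, source IP, GeoIP country of that IP, and a
# hypothetical host fingerprint that a real beacon would NOT carry.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z 203.0.113.10 NG host-A
2024-03-01T08:00:05Z 203.0.113.10 NG host-B
2024-03-01T08:11:00Z 203.0.113.10 NG host-A
2024-03-01T09:00:00Z 198.51.100.7 IN host-C
2024-03-01T14:00:00Z 198.51.100.8 IN host-C
2024-03-01T21:00:00Z 198.51.100.9 IN host-C
2024-03-01T22:30:00Z 192.0.2.44 GB host-D
2024-03-02T08:00:00Z 203.0.113.10 NG host-A
2024-03-02T10:00:00Z 198.51.100.9 IN host-C
2024-03-02T11:00:00Z 192.0.2.44 GB host-D
"""


def parse_log(text):
    """Parse whitespace-separated records into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, country, host = parts
        records.append({"day": ts[:10], "ip": ip, "country": country, "host": host})
    return records


def daily_summary(records):
    """Per day: raw connections and distinct source IPs (what a sinkhole can see)
    next to distinct hosts (ground truth, available only in this constructed sample)."""
    per_day = defaultdict(lambda: {"connections": 0, "ips": set(), "hosts": set()})
    for r in records:
        d = per_day[r["day"]]
        d["connections"] += 1
        d["ips"].add(r["ip"])
        d["hosts"].add(r["host"])
    return {
        day: {
            "connections": v["connections"],
            "distinct_ips": len(v["ips"]),
            "hosts": len(v["hosts"]),
        }
        for day, v in sorted(per_day.items())
    }


def nat_collapse(records):
    """Source IPs behind which more than one host beaconed. The sinkhole counts
    each such IP once, so the hosts behind it are under-counted."""
    hosts_per_ip = defaultdict(set)
    for r in records:
        hosts_per_ip[r["ip"]].add(r["host"])
    return {ip: len(h) for ip, h in hosts_per_ip.items() if len(h) > 1}


def dynamic_ip_inflation(records):
    """Hosts seen from more than one IP. Every extra address inflates the
    distinct-IP count, so these hosts are over-counted."""
    ips_per_host = defaultdict(set)
    for r in records:
        ips_per_host[r["host"]].add(r["ip"])
    return {h: len(i) for h, i in ips_per_host.items() if len(i) > 1}


def country_ranking(records, by="ip"):
    """Distinct IPs (or hosts) per country, most affected first. GeoIP attributes a
    VPN exit to the exit country, so the IP-based ranking can also disagree with
    where the hosts physically are; that bias is not modelled in this sample."""
    seen = defaultdict(set)
    for r in records:
        seen[r["country"]].add(r[by])
    return Counter({c: len(s) for c, s in seen.items()}).most_common()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for day, summary in daily_summary(recs).items():
        print(day, summary)
    print("NAT collapse (hosts per shared IP):", nat_collapse(recs))
    print("Dynamic-IP inflation (IPs per host):", dynamic_ip_inflation(recs))
    print("Countries by distinct IP:", country_ranking(recs, "ip"))
    print("Countries by host:", country_ranking(recs, "host"))
```

On the first sample day the sinkhole sees 7 connections from 5 distinct IPs, yet only 4 hosts are actually infected: two hosts share `203.0.113.10` and `host-C` cycles through three addresses. Ranking countries by distinct IP puts IN first, ranking by host puts NG first, which is the distortion the researchers warn about. Without a per-victim identifier, only the connection and IP columns exist, so any host count derived from them is an estimate with errors in both directions.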
PlugX was initially observed in 2008 in cyber-espionage campaigns linked to Chinese state-sponsored threat actors, targeting government, defense, and technology organizations primarily in Asia. The malware was capable of executing commands, downloading and uploading files, keylogging, and accessing system information. Over time, it evolved to spread autonomously via USB drives, making containment challenging. After the source code leaked in 2015, PlugX became more widespread and was adopted by various threat actors, including state-sponsored and financially motivated groups, prompting its original developers to abandon it.