PlugX Meeting Invitation via MSBuild and GDATA
Essential information
- Published: 01/03/2026 05:26
- Modified: 02/03/2026 11:42
- Tags: 2026-03-01, api hashing, dll side-loading, g data antivirus, korplug, phishing, plugx, rat, xor encryption
- Related entities: 8 observables, 9 techniques (mitre), 2 malware, 4 others
Description
A recent PlugX campaign used phishing emails with a 'Meeting Invitation' lure to deploy malware through DLL side-loading. The infection chain begins with a zip file containing a malicious .csproj file and the MSBuild executable. When MSBuild builds the .csproj file, it downloads three components: a legitimate G DATA Antivirus executable, a malicious Avk.dll (a PlugX variant) that the legitimate executable side-loads, and an encrypted AVKTray.dat file. The malware relies on DLL side-loading, API hashing, and XOR encryption for obfuscation. It establishes persistence via the Run registry key and communicates with a command and control server. The campaign shows PlugX continuing to evolve while keeping its core characteristics, underlining its ongoing relevance in cyber-espionage operations.
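The three stages above (MSBuild building a .csproj from a user-writable path, Avk.dll side-loaded next to the G DATA binary, and a Run-key value pointing back into that directory) each leave a distinct telemetry footprint. The following hunting heuristics are an added example, not code from the original report; the event schema, the host executable name AVKTray.exe, and all paths in the sample events are constructed assumptions.

```python
"""Hunting heuristics for the PlugX MSBuild / G DATA side-loading chain.
Added example; the sample events below are constructed, not real telemetry."""
import re
from typing import Dict, List

# Locations a legitimate G DATA install or a normal developer build would not use.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp|ProgramData)\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the heuristic names an event matches (empty list if nothing matched)."""
    hits: List[str] = []
    image = event.get("image", "")
    cmd = event.get("cmdline", "")
    if event["type"] == "process_create":
        # Stage 1: MSBuild.exe building a .csproj that lives in a user-writable path (unpacked zip).
        if image.lower().endswith("msbuild.exe") and re.search(r"\.csproj", cmd, re.I) \
                and USER_WRITABLE.search(cmd):
            hits.append("msbuild_csproj_user_path")
    elif event["type"] == "image_load":
        # Stage 2: Avk.dll loaded from a user-writable directory (side-loaded by the host EXE).
        loaded = event.get("loaded", "")
        if loaded.lower().endswith("\\avk.dll") and USER_WRITABLE.search(loaded):
            hits.append("avk_dll_sideload")
    elif event["type"] == "registry_set":
        # Stage 3: Run-key persistence whose data points into a user-writable path.
        if RUN_KEY.search(event.get("key", "")) and USER_WRITABLE.search(event.get("data", "")):
            hits.append("run_key_user_path")
    return hits


# Constructed sample telemetry; AVKTray.exe and the GData folder name are assumptions.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r'MSBuild.exe "C:\Users\alice\Downloads\Meeting Invitation\invite.csproj"'},
    {"type": "process_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'},  # benign developer build
    {"type": "image_load", "image": r"C:\Users\alice\AppData\Roaming\GData\AVKTray.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\GData\Avk.dll"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GData",
     "data": r"C:\Users\alice\AppData\Roaming\GData\AVKTray.exe"},
]


def hunt(events):
    """Return (event index, heuristic name) pairs for every match in the event list."""
    return [(i, h) for i, e in enumerate(events) for h in classify(e)]


if __name__ == "__main__":
    for idx, name in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Correlating all three hits on one host within a short window gives a much stronger signal than any single heuristic, since MSBuild use and AppData-resident software are individually common.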