{
  "name": "PlugX Meeting Invitation via MSBuild and GDATA",
  "slug": "plugx-meeting-invitation-via-msbuild-and-gdata",
  "description": "A recent PlugX campaign used phishing emails with a 'Meeting Invitation' lure to deploy malware through DLL side-loading. The infection chain begins with a zip file containing a malicious .csproj file and an MSBuild executable. The .csproj file downloads three components: a legitimate G DATA Antivirus executable, a malicious Avk.dll (a PlugX variant), and an encrypted AVKTray.dat file. The malware uses DLL side-loading, API hashing, and XOR encryption for obfuscation. It establishes persistence via the Run registry key and communicates with a command-and-control (C2) server. The campaign showcases PlugX's continued evolution while retaining its core characteristics, highlighting its ongoing relevance in cyber-espionage operations.",
  "published": "2026-03-01T04:26:46+00:00",
  "created_at": "2026-03-01T04:26:46+00:00",
  "modified_at": "2026-03-02T10:42:29+00:00",
  "created_at_opencti": "2026-03-01T04:26:46+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-03-01",
    "api hashing",
    "dll side-loading",
    "g data antivirus",
    "korplug",
    "phishing",
    "plugx",
    "rat",
    "xor encryption"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "5f9af68db10b029453264cfc9b8eee4265549a2855bb79668ccfc571fb11f5fc"
      },
      {
        "id": "",
        "name": "de8ddc2451fb1305d76ab20661725d11c77625aeeaa1447faf3fbf56706c87f1"
      },
      {
        "id": "",
        "name": "e7ed0cd4115f3ff35c38d36cc50c6a13eba2d845554439a36108789cd1e05b17"
      },
      {
        "id": "",
        "name": "d293ded5a63679b81556d2c622c78be6253f500b6751d4eeb271e6500a23b21e"
      },
      {
        "id": "",
        "name": "8421e7995778faf1f2a902fb2c51d85ae39481f443b7b3186068d5c33c472d99"
      },
      {
        "id": "",
        "name": "29cd44aa2a51a200d82cca578d97dc13241bc906ea6a33b132c6ca567dc8f3ad"
      },
      {
        "id": "",
        "name": "46314092c8d00ab93cbbdc824b9fc39dec9303169163b9625bae3b1717d70ebc"
      },
      {
        "id": "",
        "name": "6df8649bf4e233ee86a896ee8e5a3b3179c168ef927ac9283b945186f8629ee7"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:3460f9c45de58af2",
        "name": "PlugX",
        "slug": "plugx"
      },
      {
        "id": "9e518ffc-0367-4828-aa11-41b852504b89",
        "name": "PlugX - S0013",
        "slug": "plugx-s0013"
      }
    ],
    "attack_patterns": [
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "e7d42089-23ed-495f-a2bc-c942c4e56fb7",
        "name": "T1573.002"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Iceland"
      },
      {
        "id": "",
        "name": "onedow.gesecole.net"
      },
      {
        "id": "",
        "name": "decoraat.net"
      },
      {
        "id": "",
        "name": "decoorat.net"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69a3ce16b33dca316675f3f3",
    "https://lab52.io/blog/plugx-meeting-invitation-via-msbuild-and-gdata"
  ]
}