Monday November 03, 2025

Advisory ID:   ngCERT-2025-100004

SUMMARY

ngCERT’s attention has been drawn to the resurgence of SOGU, aka PlugX malware infiltration, which poses a significant threat to Nigeria’s cyberspace. The malware is a sophisticated modular Remote Access Trojan (RAT) deployed by Advanced Persistent Threat (APT) actors in cyber-espionage campaigns. These attacks target critical infrastructure across multiple sectors, including telecommunication companies, as observed in current reports. SOGU is also identified as a backdoor with keylogging, surveillance, data exfiltration and stealth capabilities, and it disguises itself as legitimate applications to avoid detection. New variants are equally capable of remote code execution, ensuring persistence through Dynamic Link Library (DLL) side-loading while implementing new C2 command identifiers. The compromise of critical infrastructure by this malware could result in privacy and data breaches, supply chain risks, financial losses, as well as reputational damage and possibly geopolitical implications. This underscores the need for public and private sector organisations to put robust defences in place to mitigate the threats posed by PlugX.

Damage:       Critical

Probability:  High

Platform(s):  Operating System, Networks and IoTs

DESCRIPTION

The recent PlugX attacks have targeted critical infrastructure, particularly telecommunications networks, by leveraging DLL side-loading for espionage purposes. In the initial access stage, attackers exploit legitimate executables, such as those from Quick Heal's Mobile Popup Application, to initiate DLL search order hijacking or side-loading of a malicious DLL. Notably, new variants also gain initial access by exploiting vulnerabilities in edge devices, such as firewalls and VPNs, and possibly weaknesses in IoTs. To deploy and execute the payload, the malicious DLL decrypts and loads PlugX (alongside variants like RainyDay or Turian) directly into memory. This is achieved using Rivest Cipher 4 (RC4, a symmetric stream cipher) encryption and shared algorithms, so that the payload never touches disk in decrypted form and evades disk-based detection. Likewise, the malware employs techniques like control flow flattening, API hashing, and embedded keyloggers to obscure its operations and resist reverse engineering. To ensure persistence and command execution, PlugX establishes long-term access, enabling arbitrary command execution, file uploads/downloads, and keylogging for credential theft and lateral movement within the network. Furthermore, compromised systems facilitate the theft of sensitive data, such as communications metadata, supporting broader cyber-espionage goals against critical sectors.

INDICATORS OF COMPROMISE

The following are the observed Indicators of Compromise (IoCs):

1. Domains

   a)  [.]relivonline[.]com

   b)  [.]im0[.]site

   c)  [.]frillsforspills[.]com

   d)  [.]365safemail[.]com


CONSEQUENCES

SOGU aka PlugX malware attacks could result in:

    1. Extensive data exfiltration and espionage.
    2. Compromise of networks in critical sectors like telecom that can act as vectors for supply chain attacks.
    3. Economic and financial losses.
    4. Breaches that could further result in reputational damage, customer trust erosion, regulatory fines, and legal scrutiny.
    5. Operational disruptions and Denial of Service (DoS) attacks.

SOLUTION/MITIGATION

ngCERT recommends that organisations:

    1. Conduct regular security awareness training to help users recognise phishing attempts.
    2. Implement advanced email filtering solutions to block malicious emails before they reach end-users.
    3. Deploy and maintain up-to-date antivirus solutions capable of detecting PlugX signatures and behaviours.
    4. Enforce 2FA to protect access to sensitive systems and applications.
    5. Conduct regular analysis of system and network logs to identify anomalies related to PlugX behaviour.
    6. Ensure the prompt application of patches and updates to all software to minimise exploitation opportunities.
    7. Filter network traffic by preventing unknown or untrusted access to remote services on internal systems.
    8. Ensure the review of domain controllers, servers, workstations, and Active Directory for new and/or unrecognised accounts.
