A sophisticated Chinese-aligned threat campaign has been observed delivering the PlugX Remote Access Trojan (RAT) through a clever abuse of legitimate G DATA antivirus components, according to new research from LAB52.
The Attack Chain
The infection begins with a spear-phishing email titled “Meeting Invitation” containing two links — one redirecting to Iceland’s Ministry of Foreign Affairs website as a legitimacy decoy, and another delivering a malicious ZIP archive. The archive contains:
- Invitation_Letter_No.02_2026.exe — A renamed copy of MSBuild.exe used as a Living-off-the-Land Binary (LOLBIN)
- Invitation_Letter_No.02_2026.csproj — A malicious C# project file containing Base64-encoded URLs
When executed, the MSBuild binary processes the .csproj file, which downloads three additional components from the attacker-controlled domain onedow[.]gesecole[.]net:
- AVK.exe — A legitimate G DATA Antivirus executable
- Avk.dll — The malicious PlugX loader (detected as Korplug)
- AVKTray.dat — An encrypted payload file
DLL Side-Loading Abuse
The attack leverages DLL side-loading — a technique where legitimate, digitally signed applications are tricked into loading malicious DLLs. In this case, the genuine G DATA executable (AVK.exe) requires Avk.dll to function, allowing the malicious loader to execute with the trusted application’s reputation.
The loader employs multiple obfuscation techniques:
- XOR encoding with key 0x7F to hide the payload filename
- XOR decryption with key 0x4F to decode AVKTray.dat
- DJB2-based API hashing to obfuscate function calls
- RC4 encryption for configuration data
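As an added analysis example (not LAB52's code or the loader's own), the Python below undoes the four tricks listed above: it recovers the XOR-hidden filename and AVKTray.dat content with the keys given, computes DJB2 hashes so hashed API imports seen in a disassembly can be resolved, and decrypts RC4-protected configuration. It assumes the textbook DJB2 (seed 5381, multiplier 33) and plain RC4; a real sample may use a different variant, and every input below is constructed.

```python
# Triage helpers for the PlugX loader tricks described above: single-byte XOR
# for the payload name (0x7F) and AVKTray.dat (0x4F), DJB2 API hashing, RC4.
# Added example, not LAB52's code. Assumption: textbook DJB2 and plain RC4.

NAME_KEY = 0x7F     # key reported for the hidden payload filename
PAYLOAD_KEY = 0x4F  # key reported for AVKTray.dat

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)

def djb2(name: str) -> int:
    """Classic DJB2 (h = h*33 + c), truncated to 32 bits."""
    h = 5381
    for c in name.encode("ascii"):
        h = ((h << 5) + h + c) & 0xFFFFFFFF
    return h

def api_hash_table(api_names) -> dict:
    """Hash -> API name, for resolving hashed imports in a disassembly."""
    return {djb2(n): n for n in api_names}

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so the same call decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def triage(encoded_name: bytes, blob: bytes) -> tuple:
    """Recover the payload filename, decode the blob, flag a PE header."""
    name = xor_bytes(encoded_name, NAME_KEY).decode("ascii", "replace")
    payload = xor_bytes(blob, PAYLOAD_KEY)
    return name, payload, payload[:2] == b"MZ"

# Constructed sample inputs (not bytes taken from the real sample).
ENCODED_NAME = xor_bytes(b"AVKTray.dat", NAME_KEY)
ENCRYPTED_BLOB = xor_bytes(b"MZ\x90\x00constructed-stand-in", PAYLOAD_KEY)
```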
Persistence and Command-and-Control
The malware establishes persistence through the Windows Run registry key using the name “G DATA,” making the backdoor appear as legitimate security software. Files are deployed to C:\Users\Public\GDatas, and the malware communicates with its C2 server at decoraat[.]net over HTTPS port 443.
A decoy PDF is embedded within the payload’s overlay section and displayed to victims during infection, maintaining the illusion of a legitimate meeting invitation.
Historical Context
PlugX has been a staple of Chinese cyber-espionage operations since approximately 2008, linked to threat actors including Mustang Panda, APT41, APT10, and Deep Panda. These groups have targeted government institutions, diplomatic entities, defense organizations, and technology companies across Europe, Asia, and North America.
The use of meeting invitation themes for spear-phishing is a well-established tactic. Similar campaigns have been observed from:
- UNC6384 (overlapping with Mustang Panda) — exploited ZDI-CAN-25373 using European Commission meeting lures
- APT29 (Cozy Bear) — used fake diplomatic event invitations to deploy WINELOADER
- APT34 — leveraged spoofed LinkedIn invitations for backdoor deployment
Indicators of Compromise
Network Indicators:
- https[:]//onedow[.]gesecole[.]net/download
- https[:]//decoraat[.]net:443
File Hashes (SHA256):
- AVKTray.dat: e7ed0cd4115f3ff35c38d36cc50c6a13eba2d845554439a36108789cd1e05b17
- Avk.dll: 46314092c8d00ab93cbbdc824b9fc39dec9303169163b9625bae3b1717d70ebc
- Invitation ZIP: 29cd44aa2a51a200d82cca578d97dc13241bc906ea6a33b132c6ca567dc8f3ad
Defensive Recommendations
- Monitor for MSBuild.exe executing .csproj files from user-writable directories
- Implement application whitelisting to prevent unauthorized DLL loading
- Block network connections to the identified C2 infrastructure
- Monitor for registry modifications to Run keys mimicking security software names
- Train users to scrutinize meeting invitation emails from unknown sources
Source: LAB52
