"Researchers Sinkhole PlugX Malware Server With 2.5 Million Unique IPs"

Security researchers at Sekoia have sinkholed a command and control (C2) server for a variant of the PlugX malware and, over six months, observed more than 2.5 million connections from unique IP addresses. Since September 2023, when the researchers took over the unique IP address associated with that C2, the sinkhole has received over 90,000 requests per day from infected hosts and has logged 2,495,297 unique IPs from more than 170 countries. Controlling the C2 address allowed the researchers to analyze the traffic, map the infections, prevent malicious exploitation of the infected clients, and devise effective disinfection plans. They noted that although the worm spread to 170 countries, just 15 of them account for over 80% of the total infections, with Nigeria, India, China, Iran, Indonesia, the UK, Iraq, and the United States at the top of the list. PlugX has been used since at least 2008, mainly in espionage and remote access operations by groups linked to the Chinese Ministry of State Security. Multiple attack groups have used it, often to target government, defense, technology, and political organizations, primarily in Asia and later expanding into the West.


BleepingComputer reports: "Researchers Sinkhole PlugX Malware Server With 2.5 Million Unique IPs"

Submitted by Adam Ekwall on