Cybersecurity researchers at LAB52 have published a detailed analysis of a new infection chain for the long-running PlugX Remote Access Trojan (RAT). The campaign, attributed to China-aligned espionage actors, uses a “Meeting Invitation” spear-phishing lure against high-value targets in the government and technology sectors.
The attack begins with an email titled “Meeting Invitation” followed by a specific date. To establish credibility, the email links to the official website of the Ministry of Foreign Affairs of Iceland, alongside a link that downloads a malicious ZIP archive.
The archive contains a C# project file (Invitation_Letter_No.02_2026.csproj) and a legitimate MSBuild executable renamed to look like the invitation. MSBuild launched with no arguments builds the project file it finds in its working directory and runs any inline C# task that file defines, so opening the renamed binary executes the attackers’ code without a conventional dropper. The malware then displays a convincing decoy PDF, purportedly an invitation from the Republic of Kosovo’s Ministry of Foreign Affairs to a Webex meeting.

The decoy is not dropped as a separate file but carried in the overlay of the same artifact (data appended after the end of the PE image). As the LAB52 report notes, “Incorporating the decoy directly into the overlay allows the malware to present a convincing lure to the victim while keeping the malicious logic tightly coupled within the same artifact”.
A hallmark of this campaign is the abuse of legitimate, digitally signed software to evade security controls. Here the attackers use a trusted G DATA antivirus executable (Avk.exe) to load a malicious DLL (Avk.dll). In DLL side-loading the malicious library sits beside the signed executable under the name of a DLL that executable imports; because Windows searches the application directory before system locations, the attacker’s code is loaded under the identity of the trusted process.
LAB52 highlights this strategy, stating: “The use of legitimate G DATA antivirus components — particularly a freely available executable — highlights the actors’ continued reliance on DLL side-loading to blend malicious execution with trusted software”.
Once loaded, the malware takes several steps to stay hidden on the victim’s machine:
- Encrypted payload: the Avk.dll loader reads and decrypts the main PlugX payload from a companion file, AVKTray.dat, so the RAT code is not present in cleartext on disk.
- API hashing: to hinder static analysis, the loader resolves Windows API functions at runtime by comparing DJB2 hashes of export names against hardcoded constants instead of importing them by name, so the import table and a string dump reveal little about its capabilities.
- Persistence: the Trojan survives reboots through a “G DATA” value in the Windows Run registry key that points back to the trusted Avk.exe, so each logon repeats the side-load.
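The following is an added example, not code from LAB52 or from the PlugX loader, showing both sides of DJB2-based API hashing: how a loader walks a module’s export names and picks the one whose hash matches a hardcoded constant, and how an analyst precomputes a hash-to-name table to label those constants in a disassembly. It assumes the classic DJB2 variant (seed 5381, h = h*33 + c, truncated to 32 bits, case-sensitive) because the report excerpt does not give the exact parameters; real samples often change the seed or fold in the module name, and `djb2` should be adjusted to match the sample. The export list is constructed for the example.

```python
"""DJB2 API hashing: loader-side resolution and analyst-side labelling.

Added example; not LAB52's or the malware's code. The hash variant (seed 5381,
h = h*33 + c, 32-bit truncation, case-sensitive) is an assumption.
"""

from typing import Dict, Iterable, Optional

SEED = 5381          # classic Bernstein seed (assumed for this example)
MASK = 0xFFFFFFFF    # keep the running value in 32 bits, like a C uint32


def djb2(name: str) -> int:
    """Classic DJB2 hash of an ASCII export name, truncated to 32 bits."""
    h = SEED
    for ch in name.encode("ascii"):
        h = ((h * 33) + ch) & MASK
    return h


def resolve(target_hash: int, exports: Iterable[str]) -> Optional[str]:
    """Loader-side logic: hash each export name until one matches the constant.

    A real loader walks the PE export directory of the module in memory and
    returns the function's address; returning the name keeps the logic visible.
    """
    for name in exports:
        if djb2(name) == target_hash:
            return name
    return None


def build_hash_table(exports: Iterable[str]) -> Dict[int, str]:
    """Analyst-side table: hash -> export name for every export of a module.

    Feed it the export list of kernel32.dll (dumped with any PE tool) and the
    result labels the constants a hashed-import loader compares against.
    """
    table: Dict[int, str] = {}
    for name in exports:
        h = djb2(name)
        if h in table and table[h] != name:
            raise ValueError(f"DJB2 collision: {table[h]} / {name}")
        table[h] = name
    return table


def label_constants(constants: Iterable[int], exports: Iterable[str]) -> Dict[int, str]:
    """Map hash constants pulled from a disassembly to API names."""
    table = build_hash_table(exports)
    return {c: table.get(c, "<unknown>") for c in constants}


# Constructed export list standing in for a kernel32.dll export dump.
SAMPLE_EXPORTS = [
    "CreateFileA", "CreateFileW", "GetProcAddress", "LoadLibraryA",
    "LoadLibraryW", "VirtualAlloc", "VirtualProtect", "WriteProcessMemory",
]

if __name__ == "__main__":
    for export in SAMPLE_EXPORTS:
        print(f"0x{djb2(export):08x}  {export}")
```

To use the table against a real sample, dump the export names of the modules the loader touches and run `label_constants` over the 32-bit immediates found next to the hash-compare loop; an unexpectedly empty result usually means the variant (seed, case folding, or an extra XOR) differs from the classic one.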
PlugX has remained a cornerstone of international cyber-espionage for over a decade, attributed to groups such as Mustang Panda, APT41, and APT10. This campaign follows a familiar pattern where threat actors “leverage social engineering techniques based on calendar events or invitations, using seemingly legitimate contexts to lower victims’ defenses”.
Organizations are advised to treat unexpected meeting invitations with attachments as suspect and to monitor for DLL side-loading involving common security software: a signed vendor executable running from a user-writable directory such as AppData or Temp, or sitting beside a DLL whose hash does not match the vendor’s release, warrants investigation.
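As an added example (not from LAB52 or G DATA), the script below triages Run-key autostarts for the persistence pattern described above: a value with security-vendor naming whose executable lives outside Program Files or Windows. It parses the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (or the HKLM equivalent), which most endpoint tooling can collect at scale. The sample output, the vendor keyword list and the trusted-root list are constructed assumptions to be tuned for your own estate.

```python
"""Triage Run-key autostarts for vendor-named executables on user-writable paths.

Added example; not LAB52's or any vendor's code. Input is `reg query ...\Run`
text; the sample, keyword list and trusted roots below are assumptions.
"""

import re
from dataclasses import dataclass
from typing import List, Tuple

# Roots where a properly installed security product is expected to live (assumed).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Value names or file names that suggest a security product (assumed list).
VENDOR_KEYWORDS = ("g data", "gdata", "avk", "avktray", "kaspersky", "eset",
                   "norton", "mcafee", "avast", "bitdefender")

# `reg query` prints values as: <indent>NAME<2+ spaces>REG_TYPE<2+ spaces>DATA
_VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")
# First executable in the data, quoted or not, with arguments dropped.
_EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)


@dataclass
class Finding:
    value_name: str
    exe_path: str
    reasons: List[str]

    @property
    def severity(self) -> str:
        return "high" if len(self.reasons) >= 2 else "low"


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Return (value name, type, data) for each value line in reg query output."""
    entries = []
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            entries.append((m["name"], m["type"], m["data"]))
    return entries


def extract_exe(data: str) -> str:
    """Strip quotes and arguments, leaving the executable path."""
    m = _EXE_RE.match(data.strip())
    return m["exe"] if m else data.strip()


def triage(text: str) -> List[Finding]:
    """Flag autostarts outside trusted roots; escalate when vendor-named."""
    findings: List[Finding] = []
    for name, _rtype, data in parse_reg_query(text):
        exe = extract_exe(data)
        if exe.lower().startswith(TRUSTED_ROOTS):
            continue  # installed under a protected root; leave to normal review
        reasons = ["executable outside Program Files/Windows"]
        haystack = f"{name} {exe}".lower()
        if any(k in haystack for k in VENDOR_KEYWORDS):
            reasons.append("security-vendor naming on a user-writable path (side-loading lure)")
        findings.append(Finding(name, exe, reasons))
    return findings


# Constructed sample of `reg query HKCU\...\Run` output (not real telemetry).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    G DATA    REG_SZ    C:\Users\alice\AppData\Roaming\GDATA\Avk.exe
    GDATA Tray    REG_SZ    "C:\Program Files\G DATA\AVK\AVKTray.exe"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REG_QUERY):
        print(f"[{f.severity}] {f.value_name!r} -> {f.exe_path}: {'; '.join(f.reasons)}")
```

A high-severity hit is only the starting point: confirm it by checking the signature of the executable at that path, and compare the hashes of the DLLs beside it against the vendor’s own release, since the signed binary itself will look clean.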