Webpage for one of the suspected domains
A new investigative report from threat researcher @goyaramen has shed light on a sophisticated C2 procurement strategy used by a trio of PRC-linked threat actors: Mustang Panda, UNC6384, and RedDelta.
By analyzing recent PlugX malware samples, the researcher identified 14 previously unreported domains that are part of an ongoing, coordinated campaign targeting government and diplomatic organizations worldwide.
The campaign stands out for its methodical approach to infrastructure pre-positioning. The threat actors follow a consistent lifecycle to mask their true command-and-control (C2) servers:
- Step 1: Expired domain acquisition. The operators show a distinct preference for registering once-expired domains via well-known registrars like NameCheap and NameSilo. These domains are prized because they often carry “no negative risk score,” allowing them to bypass reputation-based filters.
- Step 2: VPS staging. These domains are initially pointed to Virtual Private Servers (VPS) hosted on ASN 149440 (Evoxt Enterprise).
- Step 3: The Cloudflare mask. Within a window of just one to three days, the actors provision Cloudflare TLS certificates and move to Cloudflare proxying to obscure the original hosting IP.
As the report concludes, this “deliberate, pre-staged deployment model” is specifically “constructed to mask the true hosting IP” from defenders.
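As an added illustration (not code from the report or from this article), the following Python sketch turns that three-stage lifecycle into a hunting heuristic over WHOIS and passive-DNS style records: one point per stage, and a domain is flagged when it hits all three. The record field names and the sample records are constructed for the demo; ASN 149440 and the registrars come from the report, and AS13335 is Cloudflare's well-known ASN.

```python
from datetime import date

# Signals taken from the lifecycle above; the ASN and registrars are from the report.
STAGING_ASNS = {149440}                     # Evoxt Enterprise
STAGING_REGISTRARS = {"namecheap", "namesilo"}
CLOUDFLARE_ASN = 13335                      # Cloudflare's primary ASN
CUTOVER_WINDOW_DAYS = (1, 3)                # VPS -> Cloudflare within one to three days


def score_domain(rec):
    """Score one domain record against the three lifecycle stages.

    rec is a dict with assumed (not vendor-specific) keys: domain, registrar,
    previously_expired (bool) and hosting, a list of (date, asn) observations
    such as passive DNS would give you. Returns (score, reasons).
    """
    score, reasons = 0, []
    if rec["previously_expired"] and rec["registrar"].lower() in STAGING_REGISTRARS:
        score += 1
        reasons.append("expired domain re-registered at a favoured registrar")
    hosting = sorted(rec["hosting"])
    if not hosting or hosting[0][1] not in STAGING_ASNS:
        return score, reasons
    first_seen, first_asn = hosting[0]
    score += 1
    reasons.append(f"first hosted on staging ASN {first_asn}")
    # Look for the first move behind Cloudflare and check it fits the window.
    for seen, asn in hosting[1:]:
        if asn == CLOUDFLARE_ASN:
            gap = (seen - first_seen).days
            if CUTOVER_WINDOW_DAYS[0] <= gap <= CUTOVER_WINDOW_DAYS[1]:
                score += 1
                reasons.append(f"moved behind Cloudflare after {gap} day(s)")
            break
    return score, reasons


def hunt(records, threshold=3):
    """Return the domains that match every stage (threshold 3 of 3 by default)."""
    return [r["domain"] for r in records if score_domain(r)[0] >= threshold]


# Constructed sample records; the domains and dates are invented for the demo.
SAMPLE_RECORDS = [
    {"domain": "team-planner-demo.example", "registrar": "NameCheap", "previously_expired": True,
     "hosting": [(date(2025, 3, 1), 149440), (date(2025, 3, 3), CLOUDFLARE_ASN)]},
    {"domain": "slow-mover.example", "registrar": "NameSilo", "previously_expired": True,
     "hosting": [(date(2025, 3, 1), 149440), (date(2025, 4, 2), CLOUDFLARE_ASN)]},
    {"domain": "ordinary-blog.example", "registrar": "NameCheap", "previously_expired": False,
     "hosting": [(date(2025, 3, 1), 64496), (date(2025, 3, 2), CLOUDFLARE_ASN)]},  # 64496: reserved doc ASN
]
```

Lowering the threshold to 2 surfaces domains that staged on the same ASN but have not yet cut over, which is useful for watching infrastructure before it goes live.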
The researcher's investigation was sparked by a community-shared PlugX sample (Avk.dll) and an associated IP address: 108.165.255[.]97. By conducting a deep dive into the server's characteristics, @goyaramen was able to establish a reliable “fingerprint” for the entire cluster.
To further evade suspicion, several domains in this campaign utilize generic “productivity” themes. One such domain, basecampbox[.]com, presents a convincing placeholder site for a team management application.
These templates appear to be a deliberate part of the “methodical approach to C2 procurement” designed to “outpace defender visibility”.
The high degree of behavioral overlap (shared registrars, similar staging providers, and identical server banners) suggests a deep level of coordination between Mustang Panda, UNC6384, and RedDelta. The researcher notes that these groups may be “using a server template for command-and-control operations”, pointing to a shared development or operational framework.