92 matches found

HackRead
added 2026/04/15 8:59 p.m., 1 view

Fake Claude AI Installer Targets Windows Users with PlugX Malware

Fake Claude AI installer mimicking Anthropic spreads PlugX malware on Windows, using DLL sideloading to gain persistent remote access to infected systems...

AI score 5.8
Exploits 0
Malwarebytes
added 2026/04/10 4:16 p.m., 15 views

Fake Claude site installs malware that gives attackers access to your computer

Claude’s rapid growth—nearly 290 million web visits per month—has made it an attractive target for attackers, and this campaign shows how easy it is to fall for a fake site. We discovered a fake website impersonating Anthropic’s Claude to serve a trojanized installer. The domain mimics Claude's...

AI score 6
Exploits 0
The Hacker News
added 2026/04/03 5:34 p.m., 4 views

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region. The campaign has been attributed to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich,...

CVSS 10, AI score 7.2, EPSS 0.74864
Exploits 18
HackRead
added 2026/03/10 5:33 p.m., 2 views

China-Linked Hackers Hit Qatar with Backdoor Disguised as War News

China-linked hackers targeted Qatar using fake war news lures to spread PlugX backdoor malware and spy on military and energy sectors...

AI score 5.8
Exploits 0
Information Security Automation
added 2025/11/05 2:14 p.m., 7 views

About Remote Code Execution – Windows LNK File (CVE-2025-9491) vulnerability

About Remote Code Execution - Windows LNK File (CVE-2025-9491) vulnerability. A vulnerability in the Microsoft Windows shortcut (.LNK) handling mechanism allows malicious command-line arguments to be hidden in the Target field using whitespace characters, making them invisible to standard tools...

CVSS 7.8, AI score 7.4, EPSS 0.00912
Exploits 3
The Hacker News
added 2025/10/31 1:57 p.m., 6 views

China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats

A China-affiliated threat actor known as UNC6384 has been linked to a fresh set of attacks exploiting an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025. The activity targeted diplomatic organizations in Hungary,...

CVSS 7.8, AI score 6.9, EPSS 0.00912
Exploits 3
Positive Technologies
added 2025/09/28 12:00 a.m., 4 views

PT-2025-39765

Name of the Vulnerable Software and Affected Versions: WordPress Search Exclude plugin versions up to and including 2.5.7. Description: The WordPress Search Exclude plugin contains a flaw that allows unauthorized modification of data. This is due to an inadequate capability check within the Base::ge...

CVSS 4.3, AI score 6.3, EPSS 0.00036
Exploits 0, References 3
The Hacker News
added 2025/09/27 12:06 p.m., 10 views

China-Linked PlugX and Bookworm Malware Attacks Target Asian Telecom and ASEAN Networks

Telecommunications and manufacturing sectors in Central and South Asian countries have emerged as the target of an ongoing campaign distributing a new variant of a known malware called PlugX, aka Korplug or SOGU. "The new variant's features overlap with both the RainyDay and Turian backdoors,...

AI score 7.5
Exploits 0
Talos Blog
added 2025/09/23 6:00 p.m., 5 views

How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking

Cisco Talos discovered a new campaign active since 2022, targeting the telecommunications and manufacturing sectors in Central and South Asian countries, delivering a new variant of PlugX. Talos discovered that the new variant's features overlap with both the RainyDay and Turian backdoors,...

AI score 7.5
Exploits 0
The Hacker News
added 2025/08/25 6:11 p.m., 4 views

UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats

A China-nexus threat actor known as UNC6384 has been attributed to a set of attacks targeting diplomats in Southeast Asia and other entities across the globe to advance Beijing's strategic interests. "This multi-stage attack chain leverages advanced social engineering including valid code signing...

AI score 7.6
Exploits 0
Malwarebytes
added 2025/01/20 8:02 a.m., 6 views

A week in security (January 13 – January 19)

Last week on Malwarebytes Labs: iMessage text gets recipient to disable phishing protection so they can be phished; The new rules for AI and encrypted messaging, with Mallory Knodel (Lock and Code S06E01); Insurance company accused of using secret software to illegally collect and sell location data ...

AI score 7.3
Exploits 0
Schneier on Security
added 2025/01/16 12:03 p.m., 7 views

FBI Deletes PlugX Malware from Thousands of Computers

According to a DOJ press release, the FBI was able to delete the Chinese-used PlugX malware from "approximately 4,258 U.S.-based computers and networks." Details: To retrieve information from and send commands to the hacked machines, the malware connects to a command-and-control server that is...

AI score 7.3
Exploits 0
Malwarebytes
added 2025/01/16 9:49 a.m., 9 views

PlugX malware deleted from thousands of systems by FBI

The FBI says it has removed PlugX malware from thousands of infected computers worldwide. The move came after suspicion that cybercriminal groups under the control of the People’s Republic of China (PRC) used a version of PlugX malware to control, and steal information from, victims' computers. PlugX h...

AI score 7.7
Exploits 0
The Hacker News
added 2025/01/15 6:14 a.m., 7 views

FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month Operation

The U.S. Department of Justice (DoJ) on Tuesday disclosed that a court-authorized operation allowed the Federal Bureau of Investigation (FBI) to delete PlugX malware from over 4,250 infected computers as part of a "multi-month law enforcement operation." PlugX, also known as Korplug, is a remote acce...

AI score 7.4
Exploits 0
The Hacker News
added 2025/01/10 9:31 a.m., 8 views

RedDelta Deploys PlugX Malware to Target Mongolia and Taiwan in Espionage Campaigns

Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia have been targeted by the China-nexus RedDelta threat actor to deliver a customized version of the PlugX backdoor between July 2023 and December 2024. "The group used lure documents themed around the 2024 Taiwanese presidential candidate Terry Gou,...

AI score 7.3
Exploits 0
The Hacker News
added 2024/09/10 9:57 a.m., 10 views

Mustang Panda Deploys Advanced Malware to Spy on Asia-Pacific Governments

The threat actor tracked as Mustang Panda has refined its malware arsenal to include new tools in order to facilitate data exfiltration and the deployment of next-stage payloads, according to new findings from Trend Micro. The cybersecurity firm, which is monitoring the activity cluster under the...

AI score 7.5
Exploits 0
Talos Blog
added 2024/09/10 4:00 a.m., 17 views

DragonRank, a Chinese-speaking SEO manipulator service provider

Key Takeaways: Cisco Talos is disclosing a new threat called "DragonRank" that primarily targets countries in Asia and a few in Europe, operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation. DragonRank exploits targets' web application services to deploy a web shell and...

AI score 8.4
Exploits 0
The Hacker News
added 2024/07/27 6:09 a.m., 24 views

French Authorities Launch Operation to Remove PlugX Malware from Infected Systems

French judicial authorities, in collaboration with Europol, have launched a so-called "disinfection operation" to rid compromised hosts of a known malware called PlugX. The Paris Prosecutor's Office, Parquet de Paris, said the initiative was launched on July 18 and that it's expected to continue...

AI score 8
Exploits 0
Packet Storm
added 2024/06/18 12:00 a.m., 282 views

Backdoor.Win32.Plugx MVID-2024-0686 Insecure Permissions

Discovery / credits: Malvuln (John Page aka hyp3rlinx), (c) 2024. Original source: https://malvuln.com/advisory/eeb631127f1b9fb3d13d209d8e675634.txt. Contact: [email protected]. Media: x.com/malvuln. Threat: Backdoor.Win32.Plugx. Vulnerability: Insecure Permissions. Family: Plugx. Type: PE32. MD5:...

AI score 7.4
Exploits 0
The Hacker News
added 2024/06/17 11:59 a.m., 51 views

China-Linked Hackers Infiltrate East Asian Firm for 3 Years Using F5 Devices

A suspected China-nexus cyber espionage actor has been attributed as behind a prolonged attack against an unnamed organization located in East Asia for a period of about three years, with the adversary establishing persistence using legacy F5 BIG-IP appliances and using it as an internal...

AI score 7.9
Exploits 0