Before the Proxy: Uncovering Active PlugX Staging Infrastructure Linked to Three PRC Actors
TLP: WHITE | Tags: Mustang Panda | Author: PetrP.73 | Created: 2026-03-11 | Modified: 2026-04-10
Recent investigations into PlugX malware have uncovered a network of 14 domains linked to Chinese state-sponsored threat actors, particularly Mustang Panda, UNC6384, and RedDelta. These domains form part of a sophisticated espionage campaign targeting government and diplomatic entities. The command and control (C2) operator behind this campaign follows a methodical pattern: re-registering expired domains, pointing them at virtual private servers (VPS) in ASN 149440 (Evoxt Enterprise), and then placing the infrastructure behind Cloudflare to obscure the origin servers.
Indicators of Compromise (16)

Type     Indicator                     Created
URL      http://108.165.255.97:443     2026-03-11
domain   adimagemarketing.com          2026-03-11
domain   anbusivam.com                 2026-03-11
domain   basecampbox.com               2026-03-11
domain   buywownow.com                 2026-03-11
domain   creatday.com                  2026-03-11
domain   decoraat.net                  2026-03-11
domain   doorforum.com                 2026-03-11
domain   ecoafrique.net                2026-03-11
domain   famisu.com                    2026-03-11
domain   fruitbrat.com                 2026-03-11
domain   gestationsdiabetes.com        2026-03-11
domain   hopelitellc.com               2026-03-11
domain   ombut.com                     2026-03-11
domain   phbusiness.net                2026-03-11
domain   turileco.net                  2026-03-11