Pulse: Before the Proxy: Uncovering Active PlugX Staging Infrastructure Linked to Three PRC Actors
TLP: WHITE | Tag: Mustang Panda | Author: PetrP.73 | Created: 2026-03-11 | Modified: 2026-04-10
Indicators of Compromise: 16 | Volume: medium
Recent investigations into PlugX malware have uncovered a network of 14 domains linked to Chinese state-sponsored threat actors, particularly Mustang Panda, UNC6384, and RedDelta. These domains form part of a sophisticated espionage campaign targeting government and diplomatic entities. The command and control (C2) operator behind this campaign follows a consistent pattern: registering expired domains, pointing them at virtual private servers (VPS) on ASN 149440 (Evoxt Enterprise), and then placing the infrastructure behind Cloudflare to obscure the origin servers.
Indicators of Compromise (1 of 16 shown)

TYPE | INDICATOR | DESCRIPTION | CREATED
URL | http://108.165.255.97:443 | (none) | 2026-03-11