Cisco Talos Blog: How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking

Source URL: https://blog.talosintelligence.com/how-rainyday-turian-and-a-new-plugx-variant-abuse-dll-search-order-hijacking/
Source: Cisco Talos Blog
Title: How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking

Feedly Summary: Talos discovered that a new PlugX variant’s features overlap with both the RainyDay and Turian backdoors

Summary: Cisco Talos has identified a new variant of the PlugX malware associated with a campaign targeting telecommunications and manufacturing sectors in Central and South Asia, attributed to the Naikon threat group. This variant exhibits similarities to previous malware families, indicating shared toolsets or connections between threat actors.

Detailed Description:
Cisco Talos’s recent findings highlight a sophisticated malware campaign involving a new variant of PlugX, which has been active since 2022, targeting telecommunications and manufacturing sectors in Central and South Asia. Here are the major points to consider:

– **Attribution**:
  – The campaign is linked to Naikon, a Chinese-speaking cyber espionage group active since 2010 and known to target telecommunications and government sectors in Southeast Asia.
  – Evidence suggests a connection between Naikon and another group, BackdoorDiplomacy, based on overlapping targeting patterns and the use of similar malware techniques.

– **Malware Characteristics**:
  – The new PlugX variant shares attributes with the RainyDay and Turian malware, particularly its DLL sideloading technique and its encryption/decryption routine.
  – All three families use the same XOR-RC4-RtlDecompressBuffer algorithm and identical RC4 keys, suggesting a common toolset or vendor sourcing.

– **Technical Implementation**:
  – The loaders (the components that get the payload running) for RainyDay, PlugX, and Turian share common code, indicating possible collaboration or a shared framework between these threat actors.
  – The malware is executed via DLL search order hijacking: the sideloaded loader reads an encrypted shellcode file from disk, decrypts it, and deploys the payload in memory.
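
The on-disk pattern described above (a legitimate executable, a loader DLL placed beside it, and an encrypted shellcode file the loader reads) lends itself to a simple triage heuristic. The script below is an added example written for this summary, not Talos tooling; the folder names, file names, and entropy thresholds are constructed assumptions.

```python
import math
import random
from collections import defaultdict
from pathlib import PureWindowsPath

# Thresholds are assumptions to tune per environment: encrypted or compressed
# blobs sit near 8.0 bits/byte, while config and text files sit far lower.
ENTROPY_THRESHOLD = 7.2
MIN_BLOB_SIZE = 1024

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_sideload_triads(files: dict[str, bytes]) -> list[dict]:
    """Report folders holding an .exe, a .dll and a high-entropy non-PE file: the
    on-disk shape of a sideloaded loader that reads an encrypted shellcode file."""
    by_dir = defaultdict(list)
    for path, data in files.items():
        p = PureWindowsPath(path)
        by_dir[str(p.parent).lower()].append((p.name.lower(), data))
    hits = []
    for folder, entries in sorted(by_dir.items()):
        exes = [n for n, _ in entries if n.endswith(".exe")]
        dlls = [n for n, _ in entries if n.endswith(".dll")]
        blobs = [n for n, d in entries
                 if not n.endswith((".exe", ".dll"))
                 and len(d) >= MIN_BLOB_SIZE
                 and d[:2] != b"MZ"  # a PE with an odd extension is a different finding
                 and shannon_entropy(d) >= ENTROPY_THRESHOLD]
        if exes and dlls and blobs:
            hits.append({"dir": folder, "exe": exes, "dll": dlls, "blob": blobs})
    return hits

# Constructed sample tree, not real artefacts: one suspicious folder, one benign.
_rng = random.Random(1)
SAMPLE_TREE = {
    r"C:\ProgramData\Updater\svc.exe": b"MZ" + bytes(2046),
    r"C:\ProgramData\Updater\plugin.dll": b"MZ" + bytes(2046),
    r"C:\ProgramData\Updater\data.dat": _rng.randbytes(4096),  # stands in for an encrypted payload
    r"C:\Tools\Viewer\viewer.exe": b"MZ" + bytes(2046),
    r"C:\Tools\Viewer\helper.dll": b"MZ" + bytes(2046),
    r"C:\Tools\Viewer\settings.ini": b"[viewer]\ntheme=dark\nlang=en\n" * 60,
}
```

Calling find_sideload_triads(SAMPLE_TREE) flags only the Updater folder; on a live host, feed it the contents of the directories you want to triage and review each hit manually, since installers and games legitimately ship packed data files.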

– **Findings from Ongoing Investigations**:
  – Talos also noted that the PlugX variant's configuration format diverges from standard PlugX and resembles RainyDay's structure, pointing to modified or shared source code.
  – The analysis showed that both malware families have been targeting similar industries and geographic areas, strengthening the suspicion of coordination between Naikon and BackdoorDiplomacy.

– **Implications for Security Practitioners**:
  – The report emphasizes multi-layered security measures such as Cisco Secure Endpoint and Secure Email to prevent this malware from executing in corporate environments, along with close monitoring of network traffic and behavioral anomalies associated with these families.
  – Understanding the shared characteristics and attack vectors of these actors can improve threat detection and incident response for organizations commonly targeted in these regions.

This information is crucial for cybersecurity practitioners and underlines the need for continuous monitoring and analysis of malware patterns to strengthen defenses against sophisticated threats in a rapidly evolving threat landscape.