VERY IMPORTANT

A campaign targeting telecommunications and manufacturing sectors in Central and South Asian countries has been discovered, delivering a new PlugX variant. The campaign, active since 2022, shows overlaps with RainyDay and Turian backdoors, including the abuse of legitimate applications for DLL sideloading and shared encryption methods. The new PlugX variant's configuration format resembles that of RainyDay, suggesting attribution to Naikon. Analysis of victimology and technical implementation indicates a potential connection between Naikon and BackdoorDiplomacy, possibly sourcing tools from the same vendor. The malware families use similar infection chains, loaders, and shellcode structures, with shared RC4 keys for payload decryption. This campaign highlights the evolving tactics of Chinese-speaking threat actors and the potential convergence of previously distinct groups.