www.proofpoint.com Open in urlscan Pro
2a02:e980:107::cf  Public Scan

URL: https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader
Submission: On September 29 via api from DE — Scanned from DE

Form analysis 3 forms found in the DOM

/us

<form action="/us" data-region="us" data-language="en">
  <input type="text" name="search_block_form" placeholder="Search">
  <input type="submit">
</form>

<form id="mktoForm_10895" data-mkto-id="10895" data-mkto-base="//app-abj.marketo.com" data-munchkin-id="309-RHV-619" data-submit-text="" data-redirect-link="" data-prefill="" data-event-label=""
  class="mk-form__form marketo-form-block__form mktoForm mktoHasWidth mktoLayoutLeft js-visible mkto-form-processed" novalidate="novalidate" style="font-family: inherit; font-size: 16px; color: rgb(51, 51, 51); width: 1601px;">
  <style type="text/css"></style>
  <div class="mktoFormRow">
    <div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
      <div class="mktoOffset" style="width: 5px;"></div>
      <div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 150px;">
          <div class="mktoAsterix">*</div>Business Email:
        </label>
        <div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email *" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
          class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 200px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
        <div class="mktoClear"></div>
      </div>
      <div class="mktoClear"></div>
    </div>
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow">
    <div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
      <div class="mktoFieldWrap mk-form__checkbox-field">
        <div class="blog-subscribe__select-box">Select</div><label for="blogInterest" id="LblblogInterest" class="mktoLabel mktoHasWidth mk-form__checkbox-label" style="width: 150px;">
          <div class="mktoAsterix">*</div>Blog Interest:
        </label>
        <div class="mktoGutter mktoHasWidth" style="width: 5px;"></div>
        <div class="mktoLogicalField mktoCheckboxList mktoHasWidth" style="width: 200px;"><input name="blogInterest" id="mktoCheckbox_182285_0" type="checkbox" value="All"
            aria-labelledby="LblblogInterest LblmktoCheckbox_182285_0 InstructblogInterest" class="mktoField"
            placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
            for="mktoCheckbox_182285_0" id="LblmktoCheckbox_182285_0">All</label><input name="blogInterest" id="mktoCheckbox_182285_1" type="checkbox" value="Archiving and Compliance"
            aria-labelledby="LblblogInterest LblmktoCheckbox_182285_1 InstructblogInterest" class="mktoField"
            placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
            for="mktoCheckbox_182285_1" id="LblmktoCheckbox_182285_1">Archiving and Compliance</label><input name="blogInterest" id="mktoCheckbox_182285_2" type="checkbox" value="CISO Perspectives"
            aria-labelledby="LblblogInterest LblmktoCheckbox_182285_2 InstructblogInterest" class="mktoField"
            placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
            for="mktoCheckbox_182285_2" id="LblmktoCheckbox_182285_2">CISO Perspectives</label><input name="blogInterest" id="mktoCheckbox_182285_3" type="checkbox" value="Cloud Security"
            aria-labelledby="LblblogInterest LblmktoCheckbox_182285_3 InstructblogInterest" class="mktoField"
            placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
            for="mktoCheckbox_182285_3" id="LblmktoCheckbox_182285_3">Cloud Security</label><input name="blogInterest" id="mktoCheckbox_182285_4" type="checkbox" value="Corporate News"
            aria-labelledby="LblblogInterest LblmktoCheckbox_182285_4 InstructblogInterest" class="mktoField"
            placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
            for="mktoCheckbox_182285_4" id="LblmktoCheckbox_182285_4">Corporate News</label><input name="blogInterest" id="mktoCheckbox_182285_5" type="checkbox" value="Email and Cloud Threats"
            aria-labelledby="LblblogInterest LblmktoCheckbox_182285_5 InstructblogInterest" class="mktoField"
            placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
            for="mktoCheckbox_182285_5" id="LblmktoCheckbox_182285_5">Email and Cloud Threats</label><input name="blogInterest" id="mktoCheckbox_182285_6" type="checkbox" value="Information Protection"
            aria-labelledby="LblblogInterest LblmktoCheckbox_182285_6 InstructblogInterest" class="mktoField"
            placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
            for="mktoCheckbox_182285_6" id="LblmktoCheckbox_182285_6">Information Protection</label><input name="blogInterest" id="mktoCheckbox_182285_7" type="checkbox" value="Insider Threat Management"
            aria-labelledby="LblblogInterest LblmktoCheckbox_182285_7 InstructblogInterest" class="mktoField"
            placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
            for="mktoCheckbox_182285_7" id="LblmktoCheckbox_182285_7">Insider Threat Management</label><input name="blogInterest" id="mktoCheckbox_182285_8" type="checkbox" value="Remote Workforce Protection"
            aria-labelledby="LblblogInterest LblmktoCheckbox_182285_8 InstructblogInterest" class="mktoField"
            placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
            for="mktoCheckbox_182285_8" id="LblmktoCheckbox_182285_8">Remote Workforce Protection</label><input name="blogInterest" id="mktoCheckbox_182285_9" type="checkbox" value="Security Awareness Training"
            aria-labelledby="LblblogInterest LblmktoCheckbox_182285_9 InstructblogInterest" class="mktoField"
            placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
            for="mktoCheckbox_182285_9" id="LblmktoCheckbox_182285_9">Security Awareness Training</label><input name="blogInterest" id="mktoCheckbox_182285_10" type="checkbox" value="Security Briefs"
            aria-labelledby="LblblogInterest LblmktoCheckbox_182285_10 InstructblogInterest" class="mktoField"
            placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
            for="mktoCheckbox_182285_10" id="LblmktoCheckbox_182285_10">Security Briefs</label><input name="blogInterest" id="mktoCheckbox_182285_11" type="checkbox" value="Threat Insight"
            aria-labelledby="LblblogInterest LblmktoCheckbox_182285_11 InstructblogInterest" class="mktoField"
            placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
            for="mktoCheckbox_182285_11" id="LblmktoCheckbox_182285_11">Threat Insight</label></div><span id="InstructblogInterest" tabindex="-1" class="mktoInstruction"></span>
        <div class="mktoClear"></div>
      </div>
      <div class="mktoClear"></div>
    </div>
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Employees_Picklist__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="State" class="mktoField mktoFieldDescriptor mktoFormCol" value="State/Province" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Most_Recent_Medium__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="Website" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Most_Recent_Medium_Detail__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="www-pfpt" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandbasesid" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="demandBase_Data_Source" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Primary_Product_Interest__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="UTM_Post_ID__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="utmcampaign" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="utmterm" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="db_employee_count" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoFormRow"><input type="hidden" name="Unsubscribed" class="mktoField mktoFieldDescriptor mktoFormCol" value="0" placeholder="" style="margin-bottom: 5px;">
    <div class="mktoClear"></div>
  </div>
  <div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Submit</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor"
    value="10895" placeholder=""><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="309-RHV-619" placeholder=""><input type="hidden" name="Website_Conversion_URL__c" class="mktoField mktoFieldDescriptor"
    value="https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader"><input type="hidden" name="gAClientID" class="mktoField mktoFieldDescriptor" value="545235094.1664483307">
</form>

<form data-mkto-id="10895" data-mkto-base="//app-abj.marketo.com" data-munchkin-id="309-RHV-619" data-submit-text="" data-redirect-link="" data-prefill="" data-event-label=""
  class="mk-form__form marketo-form-block__form mktoForm mktoHasWidth mktoLayoutLeft" novalidate="novalidate"
  style="font-family: inherit; font-size: 16px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>

Text Content

Skip to main content
Products Solutions Partners Resources Company ContactLanguages
Support Log-in Digital Risk Portal Email Fraud Defense ET Intelligence
Proofpoint Essentials Sendmail Support Log-in
Main Menu

EMAIL SECURITY AND PROTECTION

Defend against threats, ensure business continuity, and implement email
policies.

ADVANCED THREAT PROTECTION

Protect against email, mobile, social and desktop threats.

SECURITY AWARENESS TRAINING

Engage your users and turn them into a strong line of defense against phishing
and other cyber attacks.

CLOUD SECURITY

Defend against threats, protect your data, and secure access.

COMPLIANCE AND ARCHIVING

Reduce risk, control costs and improve data visibility to ensure compliance.

INFORMATION PROTECTION

Protect from data loss by negligent, compromised, and malicious users.

DIGITAL RISK PROTECTION

Protect against digital security risks across web domains, social media and the
deep and dark web.

PREMIUM SECURITY SERVICES

Get deeper insight with on-call, personalized assistance from our expert team.


RANSOMWARE HUB

Stop ransomware in its tracks with the free research and resources in our
Ransomware Hub.

Learn More


SOLUTIONS BY TOPIC

COMBAT EMAIL AND CLOUD THREATS

Protect your people from email and cloud threats with an intelligent and
holistic approach.

CHANGE USER BEHAVIOR

Help your employees identify, resist and report attacks before the damage is
done.

COMBAT DATA LOSS AND INSIDER RISK

Prevent data loss via negligent, compromised and malicious insiders by
correlating content, behavior and threats.

MODERNIZE COMPLIANCE AND ARCHIVING

Manage risk and data retention needs with a modern compliance and archiving
solution.

PROTECT CLOUD APPS

Keep your people and their cloud apps secure by eliminating threats, avoiding
data loss and mitigating compliance risk.

PREVENT LOSS FROM RANSOMWARE

Learn about this growing threat and stop attacks by securing today’s top
ransomware vector: email.

SECURE MICROSOFT 365

Implement the very best security and compliance solution for your Microsoft 365
collaboration suite.

DEFEND YOUR REMOTE WORKFORCE WITH CLOUD EDGE

Secure access to corporate resources and ensure business continuity for your
remote workers.

WHY PROOFPOINT

Today’s cyber attacks target people. Learn about our unique people-centric
approach to protection.


SOLUTIONS BY INDUSTRY

Federal Government State and Local Government Higher Education Financial
Services Healthcare Mobile Operators Internet Service Providers Small and Medium
Businesses


PARTNER PROGRAMS

CHANNEL PARTNERS

Become a channel partner. Deliver Proofpoint solutions to your customers and
grow your business.

ARCHIVE EXTRACTION PARTNERS

Learn about the benefits of becoming a Proofpoint Extraction Partner.

GLOBAL SYSTEM INTEGRATOR (GSI) AND MANAGED SERVICE PROVIDER (MSP) PARTNERS

Learn about our global consulting and services partners that deliver fully
managed and integrated solutions.

TECHNOLOGY AND ALLIANCE PARTNERS

Learn about our relationships with industry-leading firms to help protect your
people, data and brand.

SOCIAL MEDIA PROTECTION PARTNERS

Learn about the technology and alliance partners in our Social Media Protection
Partner program.

PROOFPOINT ESSENTIALS PARTNER PROGRAMS

Small Business Solutions for channel partners and MSPs.


PARTNER TOOLS

Become a Channel Partner Channel Partner Portal

RESOURCE LIBRARY

Find the information you're looking for in our library of videos, data sheets,
white papers and more.

BLOG

Keep up with the latest news and happenings in the ever‑evolving cybersecurity
landscape.

PODCASTS

Learn about the human side of cybersecurity. Episodes feature insights from
experts and executives.

THREAT GLOSSARY

Learn about the latest security threats and how to protect your people, data,
and brand.

EVENTS

Connect with us at events to learn how to protect your people and data from
ever‑evolving threats.

CUSTOMER STORIES

Read how Proofpoint customers around the globe solve their most pressing
cybersecurity challenges.

WEBINARS

Browse our webinar library to learn about the latest threats, trends and issues
in cybersecurity.

Watch now to earn your CPE credits


SECURITY HUBS

Get free research and resources to help you protect against threats, build a
security culture, and stop ransomware in its tracks.

Threat Hub
CISO Hub
Cybersecurity Awareness Hub
Ransomware Hub
Insider Threat Management Hub

ABOUT PROOFPOINT

Proofpoint is a leading cybersecurity company that protects organizations'
greatest assets and biggest risks: their people.

WHY PROOFPOINT

Today’s cyber attacks target people. Learn about our unique people-centric
approach to protection.

CAREERS

Stand out and make a difference at one of the world's leading cybersecurity
companies.

NEWS CENTER

Read the latest press releases, news stories and media highlights about
Proofpoint.

PRIVACY AND TRUST

Learn about how we handle data and make commitments to privacy and other
regulations.

ENVIRONMENTAL, SOCIAL, AND GOVERNANCE

Learn about our people-centric principles and how we implement them to
positively impact our global community.


SUPPORT

Access the full range of Proofpoint support services.

Learn More
English (US) English (UK) English (AU) Español Deutsch Français Italiano
Português 日本語 한국어
Products
Overview Email Protection Email Fraud Defense Secure Email Relay Threat Response
Auto-Pull Sendmail Open Source Essentials for Small Business
Overview Targeted Attack Protection in Email Email Isolation Threat Response
Emerging Threats Intelligence
Overview Assess Change Behavior Evaluate
Overview Browser Isolation Cloud Account Defense Cloud App Security Broker Web
Security
Overview Automate Capture Patrol Track Archive Discover Supervision
Overview Enterprise Data Loss Prevention (DLP) Insider Threat Management
Intelligent Classification and Protection Endpoint Data Loss Prevention (DLP)
Email Data Loss Prevention (DLP) Email Encryption Data Discover
Overview Social Media Protection Domain Fraud Monitoring Executive and Location
Threat Monitoring
Overview Technical Account Managers Proofpoint Threat Information Services
Managed Services for Security Awareness Training People-Centric Security Program
Managed Email Security Managed Services for Information Protection Insider
Threat Management Services Compliance and Archiving Services Consultative
Services
Products Solutions Partners Resources Company
English (US) English (UK) English (AU) Español Deutsch Français Italiano
Português 日本語 한국어
Login
Support Log-in Digital Risk Portal Email Fraud Defense ET Intelligence
Proofpoint Essentials Sendmail Support Log-in
Contact


EMAIL SECURITY AND PROTECTION

Defend against threats, ensure business continuity, and implement email
policies.

ADVANCED THREAT PROTECTION

Protect against email, mobile, social and desktop threats.

SECURITY AWARENESS TRAINING

Engage your users and turn them into a strong line of defense against phishing
and other cyber attacks.

CLOUD SECURITY

Defend against threats, protect your data, and secure access.

COMPLIANCE AND ARCHIVING

Reduce risk, control costs and improve data visibility to ensure compliance.

INFORMATION PROTECTION

Protect from data loss by negligent, compromised, and malicious users.

DIGITAL RISK PROTECTION

Protect against digital security risks across web domains, social media and the
deep and dark web.

PREMIUM SECURITY SERVICES

Get deeper insight with on-call, personalized assistance from our expert team.

Overview Email Protection Email Fraud Defense Secure Email Relay Threat Response
Auto-Pull Sendmail Open Source Essentials for Small Business
Overview Targeted Attack Protection in Email Email Isolation Threat Response
Emerging Threats Intelligence
Overview Assess Change Behavior Evaluate
Overview Browser Isolation Cloud Account Defense Cloud App Security Broker Web
Security
Overview Automate Capture Patrol Track Archive Discover Supervision
Overview Enterprise Data Loss Prevention (DLP) Insider Threat Management
Intelligent Classification and Protection Endpoint Data Loss Prevention (DLP)
Email Data Loss Prevention (DLP) Email Encryption Data Discover
Overview Social Media Protection Domain Fraud Monitoring Executive and Location
Threat Monitoring
Overview Technical Account Managers Proofpoint Threat Information Services
Managed Services for Security Awareness Training People-Centric Security Program
Managed Email Security Managed Services for Information Protection Insider
Threat Management Services Compliance and Archiving Services Consultative
Services


RANSOMWARE HUB

Stop ransomware in its tracks with the free research and resources in our
Ransomware Hub.

Learn More


SOLUTIONS BY TOPIC

COMBAT EMAIL AND CLOUD THREATS

Protect your people from email and cloud threats with an intelligent and
holistic approach.

CHANGE USER BEHAVIOR

Help your employees identify, resist and report attacks before the damage is
done.

COMBAT DATA LOSS AND INSIDER RISK

Prevent data loss via negligent, compromised and malicious insiders by
correlating content, behavior and threats.

MODERNIZE COMPLIANCE AND ARCHIVING

Manage risk and data retention needs with a modern compliance and archiving
solution.

PROTECT CLOUD APPS

Keep your people and their cloud apps secure by eliminating threats, avoiding
data loss and mitigating compliance risk.

PREVENT LOSS FROM RANSOMWARE

Learn about this growing threat and stop attacks by securing today’s top
ransomware vector: email.

SECURE MICROSOFT 365

Implement the very best security and compliance solution for your Microsoft 365
collaboration suite.

DEFEND YOUR REMOTE WORKFORCE WITH CLOUD EDGE

Secure access to corporate resources and ensure business continuity for your
remote workers.

WHY PROOFPOINT

Today’s cyber attacks target people. Learn about our unique people-centric
approach to protection.


SOLUTIONS BY INDUSTRY

Federal Government State and Local Government Higher Education Financial
Services Healthcare Mobile Operators Internet Service Providers Small and Medium
Businesses


PARTNER PROGRAMS

CHANNEL PARTNERS

Become a channel partner. Deliver Proofpoint solutions to your customers and
grow your business.

ARCHIVE EXTRACTION PARTNERS

Learn about the benefits of becoming a Proofpoint Extraction Partner.

GLOBAL SYSTEM INTEGRATOR (GSI) AND MANAGED SERVICE PROVIDER (MSP) PARTNERS

Learn about our global consulting and services partners that deliver fully
managed and integrated solutions.

TECHNOLOGY AND ALLIANCE PARTNERS

Learn about our relationships with industry-leading firms to help protect your
people, data and brand.

SOCIAL MEDIA PROTECTION PARTNERS

Learn about the technology and alliance partners in our Social Media Protection
Partner program.

PROOFPOINT ESSENTIALS PARTNER PROGRAMS

Small Business Solutions for channel partners and MSPs.


PARTNER TOOLS

Become a Channel Partner Channel Partner Portal

RESOURCE LIBRARY

Find the information you're looking for in our library of videos, data sheets,
white papers and more.

BLOG

Keep up with the latest news and happenings in the ever‑evolving cybersecurity
landscape.

PODCASTS

Learn about the human side of cybersecurity. Episodes feature insights from
experts and executives.

THREAT GLOSSARY

Learn about the latest security threats and how to protect your people, data,
and brand.

EVENTS

Connect with us at events to learn how to protect your people and data from
ever‑evolving threats.

CUSTOMER STORIES

Read how Proofpoint customers around the globe solve their most pressing
cybersecurity challenges.

WEBINARS

Browse our webinar library to learn about the latest threats, trends and issues
in cybersecurity.

Watch now to earn your CPE credits


SECURITY HUBS

Get free research and resources to help you protect against threats, build a
security culture, and stop ransomware in its tracks.

Threat Hub
CISO Hub
Cybersecurity Awareness Hub
Ransomware Hub
Insider Threat Management Hub

ABOUT PROOFPOINT

Proofpoint is a leading cybersecurity company that protects organizations'
greatest assets and biggest risks: their people.

WHY PROOFPOINT

Today’s cyber attacks target people. Learn about our unique people-centric
approach to protection.

CAREERS

Stand out and make a difference at one of the world's leading cybersecurity
companies.

NEWS CENTER

Read the latest press releases, news stories and media highlights about
Proofpoint.

PRIVACY AND TRUST

Learn about how we handle data and make commitments to privacy and other
regulations.

ENVIRONMENTAL, SOCIAL, AND GOVERNANCE

Learn about our people-centric principles and how we implement them to
positively impact our global community.


SUPPORT

Access the full range of Proofpoint support services.

Learn More
Zeigen Sie weiterhin Inhalte für Ihren Standort an
United StatesUnited KingdomFranceDeutschlandEspaña日本AustraliaItaliaFortsetzen
Blog
Threat Insight
TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader


TA416 GOES TO GROUND AND RETURNS WITH A GOLANG PLUGX MALWARE LOADER

Share with your network!
Facebook Twitter LinkedIn Email App

November 23, 2020 The Proofpoint Threat Research Team


EXECUTIVE SUMMARY 

Following the Chinese National Day holiday in September, Proofpoint researchers
observed a resumption of activity by the APT actor TA416. Historic campaigns by
this actor have also been publicly attributed to “Mustang Panda” and “RedDelta”.
This new activity appears to be a continuation of previously reported campaigns
that have targeted entities associated with diplomatic relations between
the Vatican and the Chinese Communist Party, as well as entities in Myanmar. The
targeting of organizations conducting diplomacy in Africa has also been
observed. Proofpoint researchers have identified updates to the actor’s
toolset which is used to deliver PlugX malware payloads. Specifically,
researchers identified a new Golang variant of TA416’s PlugX malware loader and
identified consistent usage of PlugX malware in targeted campaigns. As this
group continues to be publicly reported on by security researchers, they
exemplify a persistence in the modification of their toolset to frustrate
analysis and evade detection. While baseline changes to their payloads do not
greatly increase the difficulty of attributing TA416 campaigns, they do make
automated detection and execution of malware components independent from the
infection chain more challenging for researchers. This may represent efforts by
the group to continue their pursuit of espionage objectives while maintaining an
embattled toolset and staying out of the daily Twitter conversation popular
amongst threat researchers. 


RENEWED PHISHING ACTIVITY 

After nearly a month of inactivity following publications by threat researchers,
Proofpoint analysts have identified limited signs of renewed phishing activity
that can be attributed to the Chinese APT group TA416 (also referred to as
Mustang Panda and RedDelta) 1. Recorded Future researchers have previously noted
historic periods of dormancy following disclosure of TA416’s targeted
campaigns.2 This most recent period of inactivity encompassed September 16, 2020
through October 10, 2020. Notably this time period included the Chinese National
holiday referred to as National Day and the following unofficial vacation
period “Golden Week”. The resumption of phishing activity by TA416 included a
continued use of social engineering lures referencing the provisional agreement
recently renewed between the Vatican Holy See and the Chinese Communist Party
“CCP”.3 Additionally, spoofed email header from fields were observed that appear
to imitate journalists from the Union of Catholic Asia News. This confluence of
themed social engineering content suggests a continued focus on matters
pertaining to the evolving relationship between the Catholic Church and the
“CCP”. 


PLUGX MALWARE ANALYSIS 

Proofpoint researchers identified two RAR archives which serve as PlugX malware
droppers. One of these files was found to be a self-extracting RAR archive. For
the purposes of this analysis the self-extracting archive file
AdobelmdyU.exe|930b7a798e3279b7460e30ce2f3a2deccbc252f3ca213cb022f5b7e6a25a0867
was examined. The initial delivery vector for these RAR archives could not be
identified. However, historically TA416 has been observed including Google Drive
and Dropbox URLs within phishing emails that deliver archives
containing PlugX malware and related components. Once the RAR archive is
extracted four files are installed on the host and the portable
executable Adobelm.exe is executed. The installed files include: 

 * Adobelm.exe|0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681 

A legitimate Adobe executable used in the DLL Side-Loading of Hex.dll. 

 * Adobehelp.exe|e3e3c28f7a96906e6c30f56e8e6b013e42b5113967d6fb054c32885501dfd1b7 

An unused binary that has been previously observed in malicious RAR archives
linked to TA416. 

 * hex.dll|235752f22f1a21e18e0833fc26e1cdb4834a56ee53ec7acb8a402129329c0cdd 

A Golang binary which decrypts and loads adobeupdate.dat (the PlugX payload). 

 * adobeupdate.dat|afa06df5a2c33dc0bdf80bbe09dade421b3e8b5990a56246e0d7053d5668d91 

 The encrypted PlugX malware payload. 

 

Figure 1: PlugX Malware Execution Diagram 

Following RAR extraction, Adobelm.exe, a legitimate PE that is used for the DLL
side-loading of hex.dll, is executed. It calls a PE export function of hex.dll
named CEFProcessForkHandlerEx. Historically, TA416 campaigns have used the file
name hex.dll and the same PE export name to achieve DLL side-loading for a
Microsoft Windows PE DLL. These files served as loaders and decryptors of
encrypted PlugX malware payloads. The file would read, load, decrypt, and
execute the PlugX malware payload (regularly named adobeupdate.dat, as it is in
this case).  

The PlugX malware loader found in this case was identified as a Golang binary.
Proofpoint has not previously observed this file type in use by TA416. Both
identified RAR archives were found to drop the same
encrypted PlugX malware file and Golang loader samples. The Golang loader has a
compilation creation time that dates it to June 24, 2020. However, the command
and control infrastructure discussed later in this posting suggests that
the PlugX malware payload and Golang loader variant were used after August 24,
2020. Despite the file type of the PlugX loader changing, the functionality
remains largely the same. It reads the file adobeupdate.dat, retrieves the XOR
key beginning at offset x00 and continues until it reads a null byte. It then
decrypts the payload, and finally executes the decrypted adobeupdate.dat. This
results in the execution of the PlugX malware payload which ultimately calls out
to the command and control IP 45.248.87[.]162. The following registry key is
also created during this process which runs at startup establishing the
malware’s persistence. Notably the sample uses the distinct file installation
directory “AdobelmdyU”. 

Registry Key 

Data 

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU 

 

  

"C:\ProgramData\Adobe\AdobelmdyU\Adobelm.exe" 402 

Figure 2: PlugX malware Registry Key established for malware persistence. 


CONSISTENT TA416 TOOLS 

The PlugX malware payload, unlike the Golang loader variant, seems to remain
consistent when compared with previous versions.  

 * Historical analysis conducted by Avira and Recorded Future has documented
   that the encrypted PlugX payloads, which have been disguised as data and gif
   files, are in fact encrypted PE DLL files. These encrypted files contain a
   hardcoded XOR decryption key that begins at offset x00 and continues until a
   null byte is read.4 In this case the Golang Binary PlugX loader reads the
   encryption key in the same manner from x00 to null byte, with the hardcoded
   key ending at offset x09. This represents continued usage of an anti-analysis
   method which makes the execution of PlugX payloads more complex and
   complicates the detection of command and control infrastructure which the
   malware communicates with. 

 

Hardcoded Decryption Key / Byte Sequence 

66 59 50 6C 79 73 43 46 6C 6B 

Figure 3: PlugX malware XOR decryption key. 

 Figure 4: PlugX malware byte sequence and hardcoded XOR decryption key. 

 * Following decryption, the resulting file reflects a valid PE header for
   the PlugX malware payload. Shellcode appears between the MZ header and the
   DOS message. The function of this shellcode is to write the PE DLL into RWX
   memory and begin execution at the beginning of the file. This establishes an
   entry point for the payload and prevents an entry point not found error when
   executing the malware. This is a common technique observed by many malware
   families and is not exclusive to TA416 PlugX variants. This shellcode is
   unlikely to appear in legitimate software DLLs.Figure 5: PlugX malware byte
   sequence and XOR decryption key.


COMMAND AND CONTROL INFRASTRUCTURE 

The command and control communication observed by these PlugX malware samples
are consistent with previously documented versions. The C2 traffic was
successfully detected by an existing Proofpoint Emerging Threats Suricata
signature for PlugX malware which is publicly available as part of the ET OPEN
public ruleset.5 The following IP and example command and control communication
URLs were identified: 

 * 45.248.87[.]162 

 * hxxp://45.248.87[.]162/756d1598 

 * hxxp://45.248.87[.]162/9f86852b 

Further research regarding the command and control IP indicated that it was
hosted by the Chinese Internet Service Provider Anchnet Asia Limited. It
appeared to be active and in use as a command and control server from at least
August 24, 2020 through September 28, 2020. It is notable that this time period
predates the period of dormancy discussed above that likely resulted from
Recorded Future’s publication on TA416 activity. Additionally, it indicates that
this server ceased being used during this dormancy period possibly indicating an
infrastructure overhaul by actors during this time. 

 Figure 6: RiskIQ data indicating TA416 command and control server’s period of
activity. 


CONCLUSION 

Continued activity by TA416 demonstrates a persistent adversary making
incremental changes to documented toolsets so that they can remain effective in
carrying out espionage campaigns against global targets. The introduction of a
Golang PlugX loader alongside continued encryption efforts for PlugX payloads
suggest that the group may be conscious of increased detection for their tools
and it demonstrates adaptation in response to publications regarding their
campaigns. These tool adjustments combined with recurrent command and control
infrastructure revision suggests that TA416 will persist in their targeting of
diplomatic and religious organizations. While the specifics of the tools and
procedures have evolved it appears their motivation and targeted sectors likely
remain consistent. TA416 continues to embody the persistent aspect of “APT”
actors and Proofpoint analysts expect to continue to detect this activity in the
coming months. 


IOCS 

IOC 

IOC Type 

Description 

930b7a798e3279b7460e30ce2f3a2deccbc252f3ca213cb022f5b7e6a25a0867 

SHA256 

AdobelmdyU.exe                                                     RAR Archive
Containing PlugX  

6a5b0cfdaf402e94f892f66a0f53e347d427be4105ab22c1a9f259238c272b60 

SHA256 

Adobel.exe                                                                   
Self Extracting RAR Archive Containing PlugX  

0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681 

SHA256 

Adobelm.exe                                                      Legitimate PE
that loads Golang PlugX Loader 

235752f22f1a21e18e0833fc26e1cdb4834a56ee53ec7acb8a402129329c0cdd 

SHA256 

hex.dll                                                                         
Golang binary PlugX Loader 

e3e3c28f7a96906e6c30f56e8e6b013e42b5113967d6fb054c32885501dfd1b7 

SHA256 

AdobeHelp.exe                                                         Unused PE
File 

afa06df5a2c33dc0bdf80bbe09dade421b3e8b5990a56246e0d7053d5668d917 

SHA256 

adobeupdate.dat                                                     
Encrypted PlugX Payload 

45.248.87[.]162 

C2 IP 

Command and control IP 

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node 

\Microsoft\ Windows\CurrentVersion\Run\AdobelmdyU 

RegKey 

Registry Key that establishes PlugX malware persistence. 

Emerging Threats Signatures  

 * 2018228 - et trojan possible plugx common header struct 

 

References: 

1 Chinese State-Sponsored Group ‘RedDelta’ Targets the Vatican and Catholic
Organizations 

2 Back Despite Disruption: RedDelta Resumes Operations

3 Holy See and China renew Provisional Agreement for 2 years

4 New wave of PlugX targets Hong Kong

5 Emerging Threats Ruleset

 

Previous Blog Post
Next Blog Post

Subscribe to the Proofpoint Blog

*
Business Email:




Select
*
Blog Interest:

AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail
and Cloud ThreatsInformation ProtectionInsider Threat ManagementRemote Workforce
ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight


















Submit


ABOUT

 * Overview
 * Why Proofpoint
 * Careers
 * Leadership Team
 * News Center
 * Nexus Platform
 * Privacy and Trust


THREAT CENTER

 * Threat Hub
 * Cybersecurity Awareness Hub
 * Ransomware Hub
 * Threat Glossary
 * Threat Blog
 * Daily Ruleset


PRODUCTS

 * Email Security & Protection
 * Advanced Threat Protection
 * Security Awareness Training
 * Cloud Security
 * Archive & Compliance
 * Information Protection
 * Digital Risk Protection
 * Product Bundles


RESOURCES

 * White Papers
 * Webinars
 * Data Sheets
 * Events
 * Customer Stories
 * Blog
 * Free Trial


CONNECT

 * +1-408-517-4710
 * Contact Us
 * Office Locations
 * Request a Demo


SUPPORT

 * Support Login
 * Support Services
 * IP Address Blocked?

 * Facebook
 * Twitter
 * linkedin
 * Youtube

 * English (US)
 * English (UK)
 * English (AU)
 * Español
 * Deutsch
 * Français
 * Italiano
 * Português
 * 日本語
 * 한국어

© 2022. All rights reserved. Terms and conditions Privacy Policy Sitemap