TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader
November 23, 2020
The Proofpoint Threat Research Team

EXECUTIVE SUMMARY

Following the Chinese National Day holiday in September, Proofpoint researchers observed a resumption of activity by the APT actor TA416. Historic campaigns by this actor have also been publicly attributed to “Mustang Panda” and “RedDelta”. This new activity appears to be a continuation of previously reported campaigns that have targeted entities associated with diplomatic relations between the Vatican and the Chinese Communist Party, as well as entities in Myanmar. The targeting of organizations conducting diplomacy in Africa has also been observed.

Proofpoint researchers have identified updates to the actor’s toolset, which is used to deliver PlugX malware payloads. Specifically, researchers identified a new Golang variant of TA416’s PlugX malware loader and observed consistent usage of PlugX malware in targeted campaigns. As this group continues to be publicly reported on by security researchers, it exemplifies persistence in modifying its toolset to frustrate analysis and evade detection. While baseline changes to their payloads do not greatly increase the difficulty of attributing TA416 campaigns, they do make automated detection, and the execution of malware components independently of the infection chain, more challenging for researchers. This may represent efforts by the group to continue pursuing espionage objectives while maintaining an embattled toolset and staying out of the daily Twitter conversation popular amongst threat researchers.

RENEWED PHISHING ACTIVITY

After nearly a month of inactivity following publications by threat researchers, Proofpoint analysts have identified limited signs of renewed phishing activity that can be attributed to the Chinese APT group TA416 (also referred to as Mustang Panda and RedDelta).[1]
Recorded Future researchers have previously noted historic periods of dormancy following disclosure of TA416’s targeted campaigns.[2] This most recent period of inactivity encompassed September 16, 2020 through October 10, 2020. Notably, this period included the Chinese national holiday referred to as National Day and the following unofficial vacation period, “Golden Week”. The resumption of phishing activity by TA416 included continued use of social engineering lures referencing the provisional agreement recently renewed between the Vatican Holy See and the Chinese Communist Party (“CCP”).[3] Additionally, spoofed email “From” header fields were observed that appear to imitate journalists from the Union of Catholic Asian News. This confluence of themed social engineering content suggests a continued focus on matters pertaining to the evolving relationship between the Catholic Church and the “CCP”.

PLUGX MALWARE ANALYSIS

Proofpoint researchers identified two RAR archives which serve as PlugX malware droppers. One of these files was found to be a self-extracting RAR archive. For the purposes of this analysis the self-extracting archive file AdobelmdyU.exe (SHA256 930b7a798e3279b7460e30ce2f3a2deccbc252f3ca213cb022f5b7e6a25a0867) was examined. The initial delivery vector for these RAR archives could not be identified. However, historically TA416 has been observed including Google Drive and Dropbox URLs within phishing emails that deliver archives containing PlugX malware and related components.

Once the RAR archive is extracted, four files are installed on the host and the portable executable Adobelm.exe is executed. The installed files include:

* Adobelm.exe (SHA256 0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681): a legitimate Adobe executable used in the DLL side-loading of hex.dll.
* Adobehelp.exe (SHA256 e3e3c28f7a96906e6c30f56e8e6b013e42b5113967d6fb054c32885501dfd1b7): an unused binary that has previously been observed in malicious RAR archives linked to TA416.
* hex.dll (SHA256 235752f22f1a21e18e0833fc26e1cdb4834a56ee53ec7acb8a402129329c0cdd): a Golang binary which decrypts and loads adobeupdate.dat (the PlugX payload).
* adobeupdate.dat (SHA256 afa06df5a2c33dc0bdf80bbe09dade421b3e8b5990a56246e0d7053d5668d91): the encrypted PlugX malware payload.

Figure 1: PlugX Malware Execution Diagram

Following RAR extraction, Adobelm.exe, a legitimate PE that is used for the DLL side-loading of hex.dll, is executed. It calls a PE export function of hex.dll named CEFProcessForkHandlerEx. Historically, TA416 campaigns have used the file name hex.dll and the same PE export name to achieve DLL side-loading of a Microsoft Windows PE DLL. These files served as loaders and decryptors of encrypted PlugX malware payloads: the file would read, load, decrypt, and execute the PlugX malware payload (regularly named adobeupdate.dat, as it is in this case).

The PlugX malware loader found in this case was identified as a Golang binary. Proofpoint has not previously observed this file type in use by TA416. Both identified RAR archives were found to drop the same encrypted PlugX malware file and Golang loader samples. The Golang loader has a compilation timestamp that dates it to June 24, 2020. However, the command and control infrastructure discussed later in this posting suggests that the PlugX malware payload and Golang loader variant were used after August 24, 2020.

Despite the file type of the PlugX loader changing, the functionality remains largely the same. It reads the file adobeupdate.dat, retrieves the XOR key beginning at offset 0x00 and continuing until it reads a null byte, decrypts the payload, and finally executes the decrypted adobeupdate.dat. This results in the execution of the PlugX malware payload, which ultimately calls out to the command and control IP 45.248.87[.]162. The following registry key is also created during this process; it runs at startup, establishing the malware’s persistence. Notably, the sample uses the distinct file installation directory “AdobelmdyU”.

Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU
Data: "C:\ProgramData\Adobe\AdobelmdyU\Adobelm.exe" 402

Figure 2: PlugX malware registry key established for malware persistence.

CONSISTENT TA416 TOOLS

The PlugX malware payload, unlike the Golang loader variant, appears to remain consistent when compared with previous versions.

* Historical analysis conducted by Avira and Recorded Future has documented that the encrypted PlugX payloads, which have been disguised as .dat and .gif files, are in fact encrypted PE DLL files. These encrypted files contain a hardcoded XOR decryption key that begins at offset 0x00 and continues until a null byte is read.[4] In this case the Golang PlugX loader reads the encryption key in the same manner, from 0x00 to the null byte, with the hardcoded key ending at offset 0x09. This represents continued usage of an anti-analysis method which makes the execution of PlugX payloads more complex and complicates the detection of the command and control infrastructure with which the malware communicates.

Hardcoded Decryption Key / Byte Sequence: 66 59 50 6C 79 73 43 46 6C 6B

Figure 3: PlugX malware XOR decryption key.
Figure 4: PlugX malware byte sequence and hardcoded XOR decryption key.

* Following decryption, the resulting file has a valid PE header for the PlugX malware payload. Shellcode appears between the MZ header and the DOS message. The function of this shellcode is to write the PE DLL into RWX memory and begin execution at the beginning of the file. This establishes an entry point for the payload and prevents an “entry point not found” error when executing the malware. This is a common technique used by many malware families and is not exclusive to TA416 PlugX variants. Such shellcode is unlikely to appear in legitimate software DLLs.

Figure 5: PlugX malware byte sequence and XOR decryption key.
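An analysis helper added here (not Proofpoint’s code and not the loader’s) that implements the adobeupdate.dat container layout the post describes: it reads the key from offset 0x00 up to the null byte, XOR-decrypts the remainder, and triages the result for the MZ/PE header and the region between the DOS header and the DOS message where the post places the self-loading shellcode. It assumes the ciphertext begins immediately after the key’s null terminator (the post does not say); the key is the one from Figure 3, while the PE and the container are constructed stand-ins, not real samples.

```python
"""
Added analysis helper (not Proofpoint's or TA416's code) for the payload
container layout the post describes: a null-terminated XOR key at offset 0x00
of adobeupdate.dat, followed by the XOR-encrypted PlugX PE DLL.
Assumption not stated in the post: the encrypted bytes start immediately after
the key's null terminator. SAMPLE_KEY is the key from Figure 3; the PE and the
container built below are constructed stand-ins, not real samples.
"""
from itertools import cycle

# XOR key from the post (Figure 3): occupies 0x00..0x09, null terminator at 0x0A
SAMPLE_KEY = bytes.fromhex("66 59 50 6C 79 73 43 46 6C 6B")
DOS_MESSAGE = b"This program cannot be run in DOS mode."
NORMAL_DOS_STUB_LEN = 14  # bytes of stub code a typical linker emits at 0x40


def extract_key(blob: bytes) -> bytes:
    """Key runs from offset 0x00 up to (not including) the first null byte."""
    end = blob.find(b"\x00")
    if end <= 0:
        raise ValueError("no null-terminated key at offset 0x00")
    return blob[:end]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_payload(blob: bytes) -> bytes:
    """Recover the PE from a key|NUL|ciphertext container (layout assumed above)."""
    key = extract_key(blob)
    return xor_bytes(blob[len(key) + 1:], key)


def analyze_payload(pe: bytes) -> dict:
    """
    Triage the decrypted bytes the way the post describes them:
    - 'MZ' magic plus a 'PE\\0\\0' signature at e_lfanew confirms the key was right;
    - the bytes between the end of the DOS header (0x40) and the DOS message are
      where PlugX keeps its self-loading shellcode; a gap that is not the usual
      14-byte stub is a cheap heuristic (not proof) that the region deserves a
      look in a disassembler.
    """
    info = {"mz": pe[:2] == b"MZ", "pe_sig": False,
            "dos_message_offset": -1, "pre_message_bytes": b""}
    if len(pe) >= 0x40:
        e_lfanew = int.from_bytes(pe[0x3C:0x40], "little")
        info["pe_sig"] = pe[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    idx = pe.find(DOS_MESSAGE)
    info["dos_message_offset"] = idx
    if idx > 0x40:
        info["pre_message_bytes"] = pe[0x40:idx]
    info["suspicious_stub"] = (idx < 0 or
                               len(info["pre_message_bytes"]) != NORMAL_DOS_STUB_LEN)
    return info


def build_fake_pe() -> bytes:
    """Constructed stand-in for the decrypted payload; not a real PlugX DLL."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x90).to_bytes(4, "little")  # e_lfanew -> PE header at 0x90
    # 32 NOPs stand in for the self-loading code the post places before the DOS message
    image = bytes(hdr) + b"\x90" * 32 + DOS_MESSAGE
    image += b"\x00" * (0x90 - len(image))
    return image + b"PE\x00\x00" + b"\x4c\x01"  # PE signature + IMAGE_FILE_MACHINE_I386


def build_container(pe: bytes, key: bytes = SAMPLE_KEY) -> bytes:
    """Constructed adobeupdate.dat-style file: key, NUL, then XOR-encrypted PE."""
    if b"\x00" in key:
        raise ValueError("key must not contain a null byte (it is the terminator)")
    return key + b"\x00" + xor_bytes(pe, key)


if __name__ == "__main__":
    container = build_container(build_fake_pe())
    report = analyze_payload(decrypt_payload(container))
    print(f"key={extract_key(container).hex(' ')} mz={report['mz']} "
          f"pe_sig={report['pe_sig']} dos_msg@0x{report['dos_message_offset']:x} "
          f"suspicious_stub={report['suspicious_stub']}")
```

On a real adobeupdate.dat the MZ/PE checks tell you whether the null-terminated key and the assumed ciphertext offset were right before you spend time on the decrypted DLL.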
COMMAND AND CONTROL INFRASTRUCTURE

The command and control communication observed from these PlugX samples is consistent with previously documented versions. The C2 traffic was detected by an existing Proofpoint Emerging Threats Suricata signature for PlugX malware, which is publicly available as part of the ET OPEN ruleset.5 The following IP and example command and control URLs were identified:

* 45.248.87[.]162
* hxxp://45.248.87[.]162/756d1598
* hxxp://45.248.87[.]162/9f86852b

Further research on the command and control IP indicated that it was hosted by the Chinese Internet Service Provider Anchnet Asia Limited. It appeared to be active and in use as a command and control server from at least August 24, 2020 through September 28, 2020. Notably, this period predates the period of dormancy discussed above that likely resulted from Recorded Future's publication on TA416 activity, and the server ceased being used during that dormancy, possibly indicating an infrastructure overhaul by the actors during this time.

Figure 6: RiskIQ data indicating TA416 command and control server's period of activity.

CONCLUSION

Continued activity by TA416 demonstrates a persistent adversary making incremental changes to documented toolsets so that they remain effective in carrying out espionage campaigns against global targets. The introduction of a Golang PlugX loader alongside continued encryption of PlugX payloads suggests that the group may be conscious of increased detection of its tools, and it demonstrates adaptation in response to publications regarding its campaigns. These tool adjustments, combined with recurrent revision of command and control infrastructure, suggest that TA416 will persist in its targeting of diplomatic and religious organizations.
While the specifics of the tools and procedures have evolved, the group's motivation and targeted sectors likely remain consistent. TA416 continues to embody the persistent aspect of "APT" actors, and Proofpoint analysts expect to continue to detect this activity in the coming months.

IOCS

IOC | IOC Type | Description
930b7a798e3279b7460e30ce2f3a2deccbc252f3ca213cb022f5b7e6a25a0867 | SHA256 | AdobelmdyU.exe: RAR archive containing PlugX
6a5b0cfdaf402e94f892f66a0f53e347d427be4105ab22c1a9f259238c272b60 | SHA256 | Adobel.exe: self-extracting RAR archive containing PlugX
0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681 | SHA256 | Adobelm.exe: legitimate PE that loads the Golang PlugX loader
235752f22f1a21e18e0833fc26e1cdb4834a56ee53ec7acb8a402129329c0cdd | SHA256 | hex.dll: Golang PlugX loader
e3e3c28f7a96906e6c30f56e8e6b013e42b5113967d6fb054c32885501dfd1b7 | SHA256 | AdobeHelp.exe: unused PE file
afa06df5a2c33dc0bdf80bbe09dade421b3e8b5990a56246e0d7053d5668d917 | SHA256 | adobeupdate.dat: encrypted PlugX payload
45.248.87[.]162 | C2 IP | Command and control IP
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU | RegKey | Registry key that establishes PlugX malware persistence
Emerging Threats Signatures

* 2018228 - ET TROJAN Possible PlugX Common Header Struct

References:

1. Chinese State-Sponsored Group 'RedDelta' Targets the Vatican and Catholic Organizations
2. Back Despite Disruption: RedDelta Resumes Operations
3. Holy See and China renew Provisional Agreement for 2 years
4. New wave of PlugX targets Hong Kong
5. Emerging Threats Ruleset