Security researchers have linked various attack campaigns against organizations and ethnic groups in Asia to a single threat actor they believe is likely serving China's geopolitical interests in the region and is connected to the country's state-sponsored cyberespionage apparatus.

Researchers from security firm Palo Alto Networks have been tracking attack campaigns launched by a group, or several closely connected groups, they've dubbed PKPLUG for the past three years. They've found links to older attack campaigns reported independently by other companies over the past six years. According to them, this is the first time all these attacks have been tied together under a single threat actor.

"We believe victims lay mainly in and around the Southeast Asia region, particularly Myanmar, Taiwan, Vietnam, and Indonesia, and likely also in various other areas in Asia, such as Tibet, Xinjiang, and Mongolia," the researchers said in a new report released today. "Based on targeting, content in some of the malware and ties to infrastructure previously documented publicly as being linked to Chinese nation-state adversaries, Unit 42 believes with high confidence that PKPLUG has similar origins."

PKPLUG uses a mixed bag of tools and techniques

What makes this group stand apart is its use of both off-the-shelf and custom-made malware tools. This includes publicly available Trojan programs like PlugX -- from which the group's name is derived -- and Poison Ivy. One of PKPLUG's common tactics is to deliver the PlugX malware inside a ZIP archive. Every ZIP file begins with the two ASCII bytes "PK" (0x50 0x4B), and the name PKPLUG combines that signature with PlugX.

The group also makes heavy use of DLL side-loading to execute its malicious payloads. The technique abuses the way Windows resolves a DLL that a program requests by name: the loader checks a fixed sequence of locations, among them the directory the application itself was loaded from and the current working directory, and loads the first file whose name matches. If attackers place a malicious DLL carrying the expected name in one of those locations, typically next to a legitimate and often digitally signed executable that they ship with it, the malware is loaded and executed instead of the real library. This decreases the payload's chance of being detected, since the process that performs the loading is not malicious itself.

The group favors spear-phishing emails to deliver its payloads and uses social engineering to trick users into opening attachments. However, some limited use of Microsoft Office exploits has also been observed, as has the use of malicious PowerShell scripts.

In addition to PlugX and Poison Ivy, PKPLUG has used a Trojan called 9002 that is shared by only a small subset of attack groups, a custom Windows backdoor that researchers previously dubbed Farseer, and a malicious Android Trojan called HenBox that masquerades as legitimate applications. HenBox has not been distributed through Google Play, probably because Google Play is blocked in China and many users there install apps from third-party stores instead.

HenBox is designed to steal information from devices, including communications from chat and social media apps. It has been built to target devices made by Xiaomi and their MIUI Android-based firmware.

HenBox was observed in PKPLUG attack campaigns against Uyghurs, a Turkic ethnic group that predominantly lives in Xinjiang, an autonomous territory in northwest China. Uyghurs, along with the Tibetan minority, have been frequent targets of Chinese state-sponsored attack campaigns over the years.

Geopolitical motives suspected for PKPLUG campaigns

According to Palo Alto, most of the targets of PKPLUG's campaigns have had historical conflicts or tensions with the Chinese government over various projects, including the Belt and Road Initiative (BRI), a large China-led infrastructure project that aims to link countries in Asia, Europe and Africa. Competing territorial claims in the South China Sea also remain a source of disputes.

"It's not entirely clear as to the ultimate objectives of PKPLUG, but installing backdoor Trojan implants on victim systems, including mobile devices, infers tracking victims and gathering information is a key goal," the researchers said.

Along with its report, Palo Alto Networks plans to publish what it calls an Adversary Playbook, an interactive overview of the group's campaigns, targeting and attack patterns, complete with tactics, techniques and procedures (TTPs) and indicators of compromise (IoCs). The information is also available for download in STIX 2.0 JSON format so that other organizations can import it into their own systems.

"Establishing a clear picture and understanding about a threat group, or groups, is virtually impossible without total visibility into every one of their attack campaigns," the researchers said. "Based on this, applying a handle or moniker to a set of related data -- such as network infrastructure, malware behavior, actor TTPs relating to delivery, exfiltration, etc. -- helps us to better understand what it is we're investigating. Sharing this information -- with a handle, in this case PKPLUG -- especially in a structured, codified manner a la Adversary Playbooks, should allow others to contribute their vantage points and enrich said data until the understanding of a threat group becomes lucid."

While this threat actor seems to focus heavily on targets in Southeast Asia, threats rarely stay localized to particular regions, because victims travel to other countries and have business relationships with multinational organizations. Furthermore, there is typically significant overlap in attack toolsets between various APT groups, especially nation-state ones from the same country, which share resources and knowledge.
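The DLL side-loading behaviour described above leaves a distinctive trace in endpoint telemetry: a DLL whose name belongs in the Windows directory is loaded from somewhere else, usually right beside the executable that loaded it. The following detection logic is an added example written for this page, not code from Palo Alto Networks or the Unit 42 report. It runs over constructed records shaped like Sysmon Event ID 7 (ImageLoaded) entries; the field names follow Sysmon's schema, while the paths, the small baseline of system DLL names and the verdict thresholds are assumptions chosen for illustration.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load events.

Added example, not from the Unit 42 report. SAMPLE_EVENTS below is constructed
to resemble Sysmon Event ID 7 records; the values are made up.
"""
import ntpath

# Small illustrative baseline of DLL names that legitimately live under the
# Windows directory and are therefore attractive to plant next to an EXE.
# A real deployment would build this list from a clean reference host.
SYSTEM_DLL_NAMES = {
    "version.dll", "dwmapi.dll", "wtsapi32.dll", "userenv.dll",
    "cryptbase.dll", "winmm.dll", "msimg32.dll", "oleacc.dll",
}

SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def is_under_system_dir(path):
    """True when the path lies inside one of the Windows system directories."""
    p = path.lower()
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def analyze_image_load(event):
    """Return the reasons an image-load event looks like side-loading (empty if clean)."""
    reasons = []
    loaded = event["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    if name not in SYSTEM_DLL_NAMES:
        return reasons          # not a name we expect to see in a system dir
    if is_under_system_dir(loaded):
        return reasons          # loaded from where it belongs
    reasons.append("%s loaded from non-system path %s" % (name, loaded))
    # Same directory as the loading executable: the classic search-order hijack.
    if ntpath.dirname(loaded).lower() == ntpath.dirname(event["Image"]).lower():
        reasons.append("DLL sits beside the loading executable")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("DLL is unsigned")
    elif event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("DLL signature status is %r" % event.get("SignatureStatus"))
    return reasons


def find_sideloads(events):
    """Return [(event, reasons)] for every event that trips at least one check."""
    hits = []
    for ev in events:
        reasons = analyze_image_load(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: system DLL loaded from System32
        "Image": "C:\\Program Files\\Vendor\\app.exe",
        "ImageLoaded": "C:\\Windows\\System32\\version.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # suspicious: version.dll planted beside an EXE in a user-writable dir
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update\\vendor.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\update\\version.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # benign: the application's own DLL, not a system name
        "Image": "C:\\Program Files\\Vendor\\app.exe",
        "ImageLoaded": "C:\\Program Files\\Vendor\\vendorcore.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for ev, reasons in find_sideloads(SAMPLE_EVENTS):
        print(ev["Image"], "->", ev["ImageLoaded"])
        for r in reasons:
            print("   ", r)
```

Only the second constructed event is flagged, for three reasons: a system DLL name outside the Windows directory, a location identical to the loading executable's, and a missing signature. In production the baseline of names needs tuning, because some legitimate installers do ship private copies of runtime DLLs next to their executables; the "beside the executable" and "unsigned" conditions are what separate those from a planted loader.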
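The playbook paragraph above says the PKPLUG data is downloadable as STIX 2.0 JSON so that others can import it. The script below is an added example of what such an import looks like; it is not the Unit 42 playbook and not code from Palo Alto Networks. The bundle it parses is constructed here: the object IDs, the domain and the file hashes are placeholders, and only the intrusion-set name PKPLUG comes from the article. It resolves "indicates" relationships so each indicator carries the group it is attributed to, and it turns the indicators into per-type blocklists using nothing beyond the standard library.

```python
"""Import indicators from a STIX 2.0 JSON bundle (stdlib only).

Added example, not the Unit 42 playbook. SAMPLE_BUNDLE is constructed; the
IDs, domain and hashes are placeholders, not real PKPLUG indicators.
"""
import json
import re

# One "object_path = 'value'" comparison inside a STIX 2.0 pattern. Object
# paths may contain a quoted key, as in file:hashes.'SHA-256'.
COMPARISON = re.compile(r"([\w\-]+:[\w\.'\-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "spec_version": "2.0",
    "objects": [
        {"type": "intrusion-set",
         "id": "intrusion-set--22222222-2222-4222-8222-222222222222",
         "created": "2019-10-03T00:00:00.000Z",
         "modified": "2019-10-03T00:00:00.000Z",
         "name": "PKPLUG"},
        {"type": "indicator",
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "created": "2019-10-03T00:00:00.000Z",
         "modified": "2019-10-03T00:00:00.000Z",
         "labels": ["malicious-activity"],
         "pattern": "[domain-name:value = 'c2.pkplug-sample.invalid']",
         "valid_from": "2019-10-03T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--44444444-4444-4444-8444-444444444444",
         "created": "2019-10-03T00:00:00.000Z",
         "modified": "2019-10-03T00:00:00.000Z",
         "labels": ["malicious-activity"],
         "pattern": ("[file:hashes.MD5 = '" + "0" * 32 + "' OR "
                     "file:hashes.'SHA-256' = '" + "0" * 64 + "']"),
         "valid_from": "2019-10-03T00:00:00Z"},
        {"type": "relationship",
         "id": "relationship--55555555-5555-4555-8555-555555555555",
         "relationship_type": "indicates",
         "source_ref": "indicator--33333333-3333-4333-8333-333333333333",
         "target_ref": "intrusion-set--22222222-2222-4222-8222-222222222222"},
        {"type": "relationship",
         "id": "relationship--66666666-6666-4666-8666-666666666666",
         "relationship_type": "indicates",
         "source_ref": "indicator--44444444-4444-4444-8444-444444444444",
         "target_ref": "intrusion-set--22222222-2222-4222-8222-222222222222"},
    ],
})


def load_bundle(text):
    """Parse a STIX 2.0 bundle and reject anything that is not one."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.0":
        raise ValueError("not a STIX 2.0 bundle")
    return bundle


def extract_indicators(bundle):
    """Return one atom per simple comparison, tagged with the intrusion set(s) it indicates."""
    objects = bundle["objects"]
    by_id = {o["id"]: o for o in objects}
    indicates = {}
    for o in objects:
        if o["type"] == "relationship" and o.get("relationship_type") == "indicates":
            target = by_id.get(o["target_ref"], {})
            indicates.setdefault(o["source_ref"], []).append(
                target.get("name", o["target_ref"]))
    atoms = []
    for o in objects:
        if o["type"] != "indicator":
            continue
        for path, value in COMPARISON.findall(o["pattern"]):
            atoms.append({
                "indicator_id": o["id"],
                "object_path": path.replace("'", ""),   # hashes.'SHA-256' -> hashes.SHA-256
                "value": value,
                "attributed_to": indicates.get(o["id"], []),
            })
    return atoms


def build_blocklists(atoms):
    """Group indicator values by observable type, e.g. for a DNS or hash blocklist."""
    lists = {}
    for a in atoms:
        lists.setdefault(a["object_path"], set()).add(a["value"])
    return lists


if __name__ == "__main__":
    atoms = extract_indicators(load_bundle(SAMPLE_BUNDLE))
    for path, values in sorted(build_blocklists(atoms).items()):
        print(path, sorted(values))
```

The regular expression only understands flat equality comparisons joined by AND/OR, which covers the bulk of IoC feeds but not the full STIX patterning grammar (observation expressions with WITHIN, REPEATS, or non-equality operators). For anything beyond blocklist extraction, the OASIS-maintained stix2 and stix2-patterns Python packages parse the format properly.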