PlugX worm
PlugX worm is a variant of the PlugX remote access trojan with self-propagation capabilities, allowing it to spread automatically across systems, notably via USB devices, in cyber-espionage campaigns.
PlugX is malware that belongs to the Remote Access Trojan (RAT) family.
It was first discovered in 2008 and has been used ever since in cyber-espionage campaigns.
Many APT (Advanced Persistent Threat) groups from Asia rely on it.
With its stealth and persistence, PlugX enables attackers to keep long-term access to targeted networks.
How does PlugX work?
Unlike opportunistic malware, PlugX is deployed in targeted attacks.
Victims often include government agencies, defense contractors, or critical infrastructure operators.
Once installed, PlugX can:
- Execute remote commands.
- Steal files and sensitive information.
- Install additional malicious software.
- Abuse legitimate Windows processes through DLL side-loading to evade detection.
Some variants include a worm component.
They can spread automatically through infected USB drives, which makes containment harder because re-infection can occur without any network access.
PlugX vs generic RATs
Many RATs provide remote control, but PlugX stands out.
Its modular architecture and advanced persistence techniques make it more resilient.
In addition, its operators often rotate their C2 (Command-and-Control) servers, use encryption, and hide inside trusted applications.
Case study: the 2023 cleanup campaign
In September 2023, the Threat Detection & Response (TDR) team at Sekoia.io joined an international operation.
The goal was to dismantle part of the PlugX infrastructure.
By taking control of one C2 IP address, analysts conducted a sinkholing operation.
This action helped remotely clean thousands of infected machines worldwide.
With the support of law enforcement, this initiative showed how active defense can disrupt long-standing APT tools.
PlugX and Sekoia.io’s approach
At Sekoia.io, fighting PlugX is part of our mission.
We help SOC and CTI teams detect, contain, and stop this threat.
Our XDR platform integrates Indicators of Compromise (IoCs) and SIGMA rules that are constantly updated.
In addition, our automated playbooks allow security teams to respond quickly and contain infections.
Related terms
- RAT (Remote Access Trojan)
- APT (Advanced Persistent Threat)
- DLL side-loading