AlienVault IDs PlugX RAT Developer

In a recent blog post, AlienVault researcher Jaime Blasco identified a man in China who appears to be the developer of the new PlugX remote access Trojan (RAT).

“AlienVault has been tracking PlugX, also known as Korplug, for the past few months, analysing the payloads of the attacks and collecting intelligence,” writes TechWeekEurope’s Max Smolaks. “PlugX is a backdoor malware with a high damage potential. Once on the system, it executes commands from a remote malicious user, effectively compromising the affected computer. The tool was mainly used by hackers in Japan, Taiwan, China, Korea and against Tibetan organizations.”

“After analyzing some of the debug paths used in the PlugX Trojan, researchers noticed that some of them contained a username: whg,” writes Softpedia’s Eduard Kovacs. “Similar debug paths have been identified in the binaries of an application called SockMon. A search on … led investigators to the email address, which back in 2000 was utilized to register a domain. The physical address associated with the domain is the one of a security company from China. Finally, a different search for whg0001 pointed experts to the CSDN profile of an individual who describes himself as a ‘virus expert, proficient in assembly.’”
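The debug-path pivot described above, as an added example that is not part of the article or of AlienVault's research: a stdlib-only Python scan that pulls the PDB path out of a PE's RSDS (CodeView 7.0) debug record and then lifts the Windows profile username the compiler baked into it. The sample bytes, GUID and path below are constructed placeholders; the real PlugX build paths are not reproduced here.

```python
import re
import struct
from typing import List, Optional

# Constructed sample: a fragment of an RSDS debug record as it would sit inside
# a PE. The path is a placeholder shaped like the build-machine paths the
# article describes (developer's account name embedded in the project path).
SAMPLE_PDB_PATH = b"C:\\Users\\whg\\projects\\shell\\Release\\shell.pdb"
SAMPLE_BINARY = (
    b"MZ" + b"\x00" * 40                 # unrelated header bytes
    + b"RSDS"                            # CodeView 7.0 signature
    + b"\x11" * 16                       # 16-byte PDB GUID (constructed)
    + struct.pack("<I", 3)               # age field (uint32, little-endian)
    + SAMPLE_PDB_PATH + b"\x00"          # NUL-terminated PDB path
    + b"\x00" * 16                       # trailing bytes
)


def extract_pdb_paths(data: bytes) -> List[str]:
    """Return every PDB path found in RSDS CodeView records in `data`.

    Record layout: 'RSDS' | GUID (16 bytes) | age (uint32 LE) | path\\0.
    Scanning for the signature instead of walking the PE debug directory keeps
    this usable on packed, truncated or memory-dumped samples.
    """
    paths = []
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4
        end = data.find(b"\x00", start)
        if end > start:
            path = data[start:end]
            if path.isascii():  # skip binary noise that merely follows the tag
                paths.append(path.decode("ascii"))
        pos = data.find(b"RSDS", pos + 4)
    return paths


# Profile directories on Windows that carry the account name as the next element.
USERNAME_DIRS = re.compile(r"(?:Users|Documents and Settings)\\([^\\]+)\\", re.IGNORECASE)


def username_from_path(path: str) -> Optional[str]:
    """Pull the account name out of a Windows profile path, if one is present."""
    m = USERNAME_DIRS.search(path)
    return m.group(1) if m else None
```

On a real sample the path is only one pivot; the same string should then be checked across other binaries (as the researchers did with SockMon) before treating it as an attribution lead.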

“On they even found a photo of whg0001,” Infosecurity reports. “Finally, AlienVault found another PlugX debug path pointing to a page ‘that seems to be used as a test or to check connectivity;’ but displaying the same photo of whg0001 that they had found on ‘With the information we have, we can say that this guy is behind the active development of the PlugX RAT,’ concludes AlienVault. We now have his email address and his photograph — his real name will surely follow.”

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
