
China-Linked PlugX and Bookworm Malware Targeting Telecom and Manufacturing Sectors in Asia
A new campaign distributing a variant of the PlugX malware (also known as Korplug or SOGU) is targeting telecommunications and manufacturing organizations in Central and South Asia, as well as ASEAN networks. The variant shares traits with the RainyDay and Turian backdoors, most notably the abuse of legitimate applications for DLL side-loading: a malicious DLL carrying the name of a library the legitimate executable expects is placed where the loader will resolve it first, so the attacker's code runs inside the trusted process. The campaign is attributed to China-linked actors and also delivers a second malware family, Bookworm.

Side-loading complicates detection because the host process is a legitimate, usually digitally signed binary; process-name allowlists and reputation checks see only the trusted application, not the DLL executing within it. Organizations in the targeted regions should therefore monitor image-load telemetry for unsigned or misplaced DLLs loaded by otherwise trusted executables, and keep threat intelligence feeds current with the latest indicators of compromise (IOCs) for PlugX and Bookworm. Network segmentation and regular threat hunting exercises limit how far an initial foothold can spread. The regional and sector focus suggests geopolitical motivations, and defenders should expect advanced persistent threats (APTs) with long-term objectives rather than opportunistic, short-lived intrusions.
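The monitoring recommendation above can be turned into a concrete hunt over image-load telemetry. The following is an added example, written for this page and not taken from the campaign report or from any vendor tooling; it applies two side-loading heuristics to Sysmon Event ID 7 (ImageLoad) records, which Sysmon only emits when image-load logging is enabled in its configuration. Windows resolves a DLL by name and searches the application's own directory before the system directories, so a system-library name loaded from anywhere else, or an unsigned DLL sitting next to its host executable in a user-writable path, is the footprint side-loading leaves. The DLL name list, the directory prefixes and the sample records are all constructed assumptions for illustration, not indicators from the campaign.

```python
"""Hunt for DLL side-loading in Sysmon Event ID 7 (ImageLoad) records.

Added example (not from the original article). The field names mirror
Sysmon's ImageLoad event: 'Image' is the loading process, 'ImageLoaded'
is the DLL, and 'Signed' is the Authenticode status of the DLL.
"""
import ntpath  # Windows path semantics, works on any host OS

# Library names that applications routinely import by name and that Windows
# serves from a system directory. Illustrative assumption, not an exhaustive list.
SYSTEM_DLL_NAMES = {
    "version.dll", "cryptbase.dll", "dwmapi.dll",
    "wtsapi32.dll", "userenv.dll", "profapi.dll",
}
SYSTEM_DIR_PREFIXES = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\",
)
# Locations an unprivileged user can usually write to (assumed for this example).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def side_load_reasons(event: dict) -> list[str]:
    """Return the heuristic hits for one ImageLoad record (empty list = benign)."""
    exe = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    dll_signed = event.get("Signed", "false").lower() == "true"
    dll_dir = ntpath.dirname(dll)
    reasons = []

    # Heuristic 1: a system-library name resolved from outside the system
    # directories. This is the classic search-order hijack used for side-loading.
    if ntpath.basename(dll) in SYSTEM_DLL_NAMES and not dll.startswith(SYSTEM_DIR_PREFIXES):
        reasons.append("system DLL name loaded from non-system directory")

    # Heuristic 2: an unsigned DLL co-located with its host executable in a
    # user-writable directory, the layout produced by dropping a legitimate
    # EXE next to a malicious DLL.
    if (not dll_signed
            and dll_dir == ntpath.dirname(exe)
            and dll_dir.startswith(USER_WRITABLE_PREFIXES)):
        reasons.append("unsigned DLL loaded from host's own user-writable directory")

    return reasons


def hunt(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Return (Image, ImageLoaded, reasons) for every record with at least one hit."""
    return [(e["Image"], e["ImageLoaded"], r) for e in events if (r := side_load_reasons(e))]


# Constructed sample records; paths and names are invented for the example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Acme\acme.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Acme\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "false"},
    {"Image": r"C:\ProgramData\Cache\viewer.exe",
     "ImageLoaded": r"C:\ProgramData\Cache\dwmapi.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for image, loaded, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}: {'; '.join(reasons)}")
```

Of the four constructed records only the second and fourth are flagged: the unsigned `version.dll` beside `acme.exe` trips both heuristics, while the signed `dwmapi.dll` under `ProgramData` still trips the name check, which is deliberate, since a valid signature on a DLL with a system-library name in a user-writable path is itself anomalous. The vendor plugin in `Program Files` is left alone. In production, feed the function with events exported from the SIEM and tune the prefix lists to the environment's actual install and user-data locations.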