An ongoing cyberespionage campaign has been identified using a previously unknown variant of PlugX RAT. The campaign, active since at least August 2021, was associated with the Mustang Panda APT group from China.

Thriving on current trends

According to ESET, the new variant is dubbed Hodur as it resembles another PlugX variant known as THOR. (Hodur was Thor’s half-brother, according to Norse mythology.)
  • The recent campaign employs an attack chain of decoy documents that regularly updates itself for news trends in Europe and the invasion of Ukraine.
  • Its phishing lures include a regional aid map for a European country, updated COVID-19 travel restrictions, and the Regulations of the European Parliament and of the Council.
  • One of its key lures is a genuine document taken from the European Council website.

The infection ends with the deployment of the Hodur backdoor on the targeted Windows systems.

Who are the targets?

  • Most of the victims are located in East and Southeast Asia, along with a few in Europe across multiple countries, including Greece, Cyprus, and Russia. 
  • Another targeted region is Africa, which included multiple countries such as South Africa and South Sudan.
  • Targeted sectors are research entities, ISPs, and European diplomatic missions located in East/Southeast Asia.

About Hodur 

The recently discovered Hodur variant is based on Korplug (aka PlugX), which is used by multiple APT groups. 
  • The RAT feature of the variant used in the recent campaign mostly lines up with other Korplug variants. However, Hodur has some additional commands and characteristics.
  • It can handle different commands, enabling the implant to collect extensive system details, execute commands, read and write arbitrary files, and launch remote cmd[.]exe sessions.


Mustang Panda is quick to adopt current affairs as lures. With Hodur malware, the threat group is actively improving its tools and techniques. Thus, organizations need to have in-depth and multi-layered security infrastructure for better protection.
Cyware Publisher