article featured image


The Korplug RAT (also known as PlugX) is a spyware that has previously been associated with Chinese APT organizations and has been linked to targeted assaults on significant institutions in a number of different countries.

The RAT functionality of the variation utilized in the most recent campaign is mostly consistent with the RAT feature of prior Korplug variants.

Hodur has a few more commands and properties and as a result, it may gather vast system information while also running commands and reading and writing arbitrary files, as well as launching remote cmd[.]exe sessions.

What Happened?

An ongoing cyberespionage effort using a previously undisclosed variation of the PlugX remote access tool (RAT) has been detected. The new PlugX version was given the name Hodur by ESET researchers because it resembled another PlugX variation known as THOR.

ESET Research discovered a still-ongoing cyberespionage campaign using a previously undocumented Korplug variant by the Mustang Panda APT group. This is the third time in as many weeks that ESET researchers have spotted previously unknown data wiping malware taking aim at Ukrainian organizations.

The current campaign exploits the war in Ukraine and other European news topics. Known victims include research entities, internet service providers (ISPs), and European diplomatic missions mostly located in East and Southeast Asia. ESET researchers named this new Korplug variant Hodur due to its resemblance to the THOR variant documented in 2020. In Norse mythology, Hodur is Thor’s blind half-brother.

Victims of this campaign are likely lured with phishing documents abusing the latest events in Europe such as Russia’s invasion of Ukraine. This has resulted in more than three million residents fleeing the war to neighboring countries according to the UNHCR, leading to an unprecedented crisis on Ukraine’s borders. One of the filenames related to this campaign is “Situation at the EU borders with Ukraine.exe”.


During the most recent campaign, fake papers were used in an attack chain that was constantly updated to keep up with news trends in Europe and the Russian invasion of Ukraine.

This malware’s phishing lures include a regional assistance map for a European nation, an updated COVID-19 travel restriction list, as well as European Parliament and Council regulations.

It’s interesting to note that in particular, a real document obtained from the European Council website serves as one of its primary attractions.

The infection results in the installation of the Hodur backdoor on the targeted Windows computers.

The majority of the victims are situated in East and Southeast Asia,  South Africa, and the Republic of the Congo, and the targeted industries include academic institutions, Internet service providers, and European diplomatic posts in East and Southeast Asia.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.