How RainyDay, Turian and a New PlugX Variant Abuse DLL Search Order Hijacking

    Date: 09/25/2025

    Severity: High

    Summary

    Our team identified an ongoing campaign, active since 2022, that targets the telecommunications and manufacturing sectors in Central and South Asia and delivers a new PlugX variant. The variant shares features with both the RainyDay and Turian backdoors, including DLL sideloading via legitimate applications and the XOR-RC4-RtlDecompressBuffer encryption technique. Its configuration deviates from the standard PlugX format and instead aligns with RainyDay's structure. This similarity supports a medium-confidence assessment linking the variant to the Naikon threat group. Further analysis of victimology and technical overlap suggests that Naikon and BackdoorDiplomacy may be the same group, or may be using tools from a common source.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    asp.asphspes.com

    pay.googleinstall.com

    mailserver.kozow.com

    newsinfom.org

    IP Addresses:

    141.164.59.111

    66.42.62.253

    45.114.192.137

    103.9.14.218

    117.254.105.200

    103.136.45.108

    103.172.10.165

    117.239.199.202

    23.254.225.184

    Hashes (SHA-256):

    e29767ffb75be9f363a39ba9b66785ecfc992e3d91ec9fc46515ef94c37dc0b6

    00dbc8a4b3121af5a19504a9d969e36e709556420a6117eb3533f1d2a8100fd9

    aec2d0cbd2f195bf35e55019a29f0d6109451eb85dc7941b73e3b562b065a11c

    2755de59ef87f9f38c236ed860a1f6f41a1d864126f54c4c0a7f87d4b4f63b20

    fe4f88bdfff87a94bd57bc16c20d199ee548e551b4aca852bcc013d0955d7ce8 

    3480613294bc1e1704616dbf5628b92d7186246b87dbef1c8c3dbae13fe35c8b

    a12ed375965859d9434c9f651eef2f3663bb076963fec31723176c9083117671

    906ff72d4ea9cd831c58dc009fb1bbe407e8f430208a63d3dffd3f8e1da73f6e

    f0ad27f8737ac1a079a52c91d8b5cdd554cd42dccc597de8337e0c25d5287dd2

    42c9505c2c55b80e0e311cd6da6a5263b946c8ae8bd8162b0280a1e9be7f174b

    b691b2c1846ea75bb5b07a21c8664ecdb6379685623ba45fe6ca552e94a58ebc

    0ec83d1deb6065cac8ba8f849cdf5672da7313ec2e860a7d71bb7e397e661394

    7b028a9bd2bc0c306ab6561cf702406f5925fc073f9d0d2d9408ceccd6907743

    a92ed5f831c99bb84208ef7d7c733e0183a79de40f9d3b3be54744951f0a1391

    ab526d5ed335860ac2fe0adee26de1a95a3c528299800ddbb4d1e2dd91267252

    fd87149d6b8fdcad5d84ba4a3ca52e1cef8f0c54cafca6dbbb5d156f313d79dd

    fd6b1ca0f26e54fa9c97ea15c834e58ffb71798df38071ad00b14f19d6a4126c

    c91595edd1c9a0a2c1168e3bfa532e4a7dbb6b1380afd80ba445b728622798a4

    03CEC3B010853893310FEA486ECFDDF09642A7A5C695C70DB77D22BC7C402234

    10479191F2E06FF11797FC4DDA2E38AE6667C9DC396FAC32A6CF76965358ADE6

    0443289B1FC556C5EF4BBFA13774500E3936D965799A9C27BE0601170601094D

    b1EE96026A3FC0EE55DAB3B73896E88760F909B3C52D4A0152288D90E63F2E63

    b03fe49036c3830f149135068ff54f5c6c6622008a6fcb7edbf6b352e9a0acc0

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "asp.asphspes.com" or url like "asp.asphspes.com" or siteurl like "asp.asphspes.com" or domainname like "pay.googleinstall.com" or url like "pay.googleinstall.com" or siteurl like "pay.googleinstall.com" or domainname like "mailserver.kozow.com" or url like "mailserver.kozow.com" or siteurl like "mailserver.kozow.com" or domainname like "newsinfom.org" or url like "newsinfom.org" or siteurl like "newsinfom.org" 

    Detection Query 2:

    dstipaddress IN ("103.9.14.218","103.136.45.108","141.164.59.111","117.254.105.200","23.254.225.184","103.172.10.165","66.42.62.253","45.114.192.137","117.239.199.202") or srcipaddress IN ("103.9.14.218","103.136.45.108","141.164.59.111","117.254.105.200","23.254.225.184","103.172.10.165","66.42.62.253","45.114.192.137","117.239.199.202")

    Detection Query 3:

    sha256hash IN ("2755de59ef87f9f38c236ed860a1f6f41a1d864126f54c4c0a7f87d4b4f63b20","0ec83d1deb6065cac8ba8f849cdf5672da7313ec2e860a7d71bb7e397e661394","fe4f88bdfff87a94bd57bc16c20d199ee548e551b4aca852bcc013d0955d7ce8","fd87149d6b8fdcad5d84ba4a3ca52e1cef8f0c54cafca6dbbb5d156f313d79dd","e29767ffb75be9f363a39ba9b66785ecfc992e3d91ec9fc46515ef94c37dc0b6","00dbc8a4b3121af5a19504a9d969e36e709556420a6117eb3533f1d2a8100fd9","b03fe49036c3830f149135068ff54f5c6c6622008a6fcb7edbf6b352e9a0acc0","42c9505c2c55b80e0e311cd6da6a5263b946c8ae8bd8162b0280a1e9be7f174b","aec2d0cbd2f195bf35e55019a29f0d6109451eb85dc7941b73e3b562b065a11c","a12ed375965859d9434c9f651eef2f3663bb076963fec31723176c9083117671","3480613294bc1e1704616dbf5628b92d7186246b87dbef1c8c3dbae13fe35c8b","ab526d5ed335860ac2fe0adee26de1a95a3c528299800ddbb4d1e2dd91267252","f0ad27f8737ac1a079a52c91d8b5cdd554cd42dccc597de8337e0c25d5287dd2","fd6b1ca0f26e54fa9c97ea15c834e58ffb71798df38071ad00b14f19d6a4126c","906ff72d4ea9cd831c58dc009fb1bbe407e8f430208a63d3dffd3f8e1da73f6e","b691b2c1846ea75bb5b07a21c8664ecdb6379685623ba45fe6ca552e94a58ebc","7b028a9bd2bc0c306ab6561cf702406f5925fc073f9d0d2d9408ceccd6907743","a92ed5f831c99bb84208ef7d7c733e0183a79de40f9d3b3be54744951f0a1391","03CEC3B010853893310FEA486ECFDDF09642A7A5C695C70DB77D22BC7C402234","10479191F2E06FF11797FC4DDA2E38AE6667C9DC396FAC32A6CF76965358ADE6","0443289B1FC556C5EF4BBFA13774500E3936D965799A9C27BE0601170601094D","b1EE96026A3FC0EE55DAB3B73896E88760F909B3C52D4A0152288D90E63F2E63","c91595edd1c9a0a2c1168e3bfa532e4a7dbb6b1380afd80ba445b728622798a4")
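    The three TDIR queries above can be validated offline before they are deployed. The following Python script is an added example, not part of the advisory and not Gurucul's code: it re-implements the same three checks (domain/URL match, source/destination IP match, SHA-256 match) using the IOCs listed on this page and runs them over a few constructed sample events. The field names (domainname, url, siteurl, dstipaddress, srcipaddress, sha256hash) are taken from the queries; the event records are constructed. Two details are worth noting: the advisory lists some hashes in mixed case, so the hash comparison is case-folded, and the `like` match is interpreted here as a substring match so that a full URL containing the domain still fires (an assumption about the SIEM's `like` semantics that should be confirmed against your platform). Only a subset of the page's hashes is embedded to keep the script short; extend IOC_SHA256 with the full list from the Hashes section.

```python
"""Offline check of the three detection queries from this advisory.

Added example (not the advisory's or Gurucul's code). IOC values are copied
from the page's IOC list; the sample events below are constructed.
"""
from typing import Dict, List, Optional

# Query 1 indicators (domains / URLs from the advisory).
IOC_DOMAINS = sorted({
    "asp.asphspes.com",
    "pay.googleinstall.com",
    "mailserver.kozow.com",
    "newsinfom.org",
})

# Query 2 indicators (IP addresses from the advisory).
IOC_IPS = {
    "141.164.59.111", "66.42.62.253", "45.114.192.137", "103.9.14.218",
    "117.254.105.200", "103.136.45.108", "103.172.10.165",
    "117.239.199.202", "23.254.225.184",
}

# Query 3 indicators: a subset of the advisory's SHA-256 list. The page mixes
# upper- and lower-case hex, so every value is normalised to lower case once.
IOC_SHA256 = {h.lower() for h in (
    "e29767ffb75be9f363a39ba9b66785ecfc992e3d91ec9fc46515ef94c37dc0b6",
    "2755de59ef87f9f38c236ed860a1f6f41a1d864126f54c4c0a7f87d4b4f63b20",
    "03CEC3B010853893310FEA486ECFDDF09642A7A5C695C70DB77D22BC7C402234",
    "b1EE96026A3FC0EE55DAB3B73896E88760F909B3C52D4A0152288D90E63F2E63",
)}


def domain_hit(event: Dict[str, str]) -> Optional[str]:
    """Query 1: `like` on domainname / url / siteurl.

    Assumed here to be a case-insensitive substring match, so that a full URL
    such as http://pay.googleinstall.com/x still matches the bare domain.
    """
    for field in ("domainname", "url", "siteurl"):
        value = str(event.get(field, "")).lower()
        for domain in IOC_DOMAINS:
            if domain in value:
                return domain
    return None


def ip_hit(event: Dict[str, str]) -> Optional[str]:
    """Query 2: exact membership test on dstipaddress or srcipaddress.

    Exact matching matters: "103.9.14.21" must not fire on "103.9.14.218".
    """
    for field in ("dstipaddress", "srcipaddress"):
        value = str(event.get(field, "")).strip()
        if value in IOC_IPS:
            return value
    return None


def hash_hit(event: Dict[str, str]) -> Optional[str]:
    """Query 3: sha256hash membership, case-folded on both sides."""
    value = str(event.get("sha256hash", "")).strip().lower()
    return value if value in IOC_SHA256 else None


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run all three detections; return one record per (event, query) hit.

    Keeping the indicator that fired in the result lets an analyst triage
    directly from the output instead of re-running the query by hand.
    """
    checks = (("query1_domain", domain_hit),
              ("query2_ip", ip_hit),
              ("query3_hash", hash_hit))
    hits = []
    for ev in events:
        for name, check in checks:
            indicator = check(ev)
            if indicator:
                hits.append({"event_id": ev["event_id"],
                             "query": name, "indicator": indicator})
    return hits


# Constructed sample events: one hit per query, one benign record, and one
# near-miss IP that a sloppy prefix match would wrongly flag.
SAMPLE_EVENTS = [
    {"event_id": "ev1", "url": "http://pay.googleinstall.com/update.php",
     "dstipaddress": "10.0.0.12"},
    {"event_id": "ev2", "srcipaddress": "192.168.1.20",
     "dstipaddress": "141.164.59.111"},
    {"event_id": "ev3", "sha256hash":
     "B1EE96026A3FC0EE55DAB3B73896E88760F909B3C52D4A0152288D90E63F2E63"},
    {"event_id": "ev4", "domainname": "www.example.com",
     "dstipaddress": "10.0.0.5", "sha256hash": "00" * 32},
    {"event_id": "ev5", "dstipaddress": "103.9.14.21"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

    Running the script prints three hits (ev1 on the domain query, ev2 on the IP query, ev3 on the hash query despite its upper-case hash) and nothing for the benign record or the near-miss IP, which is the behaviour the production queries should reproduce.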

    Reference:

    https://blog.talosintelligence.com/how-rainyday-turian-and-a-new-plugx-variant-abuse-dll-search-order-hijacking/


    Tags

    Malware, Threat Actor, Naikon, Backdoor, PlugX, RainyDay, Turian, South Asia, Central Asia, Communications, Critical Manufacturing, XOR-RC4-RtlDecompressBuffer
