Emulating Sogu/PlugX: The Sophistication of Malware Behaviors

If you’ve at all followed the work of AttackIQ’s Adversary Research Team (ART) in recent years, you’re well aware of their relentless pursuit of actionable, incisive, quantitative, and cutting-edge insights into the art (no pun intended) of adversary emulation.

Consistently quick on the scene responding to new TTPs in the wild, threatening adversarial behaviors, and US-CERT alerts, AIQ’s Adversary Research Team builds scenarios and strings them into attack graphs to emulate these malicious campaigns and test them against your total security program. This in turn allows AttackIQ to provide organizations with remediation recommendations in the event they are susceptible to such attacks. Since the team’s inception, they’ve tackled an array of different threats across the cyber kill chain and methodically arranged these TTPs into a logical flow within their attack graphs.

Malware Behavior Emulation: A New Age of Attack Graphs

And yet, beginning in 2022, ART’s findings allowed them to kick it up a notch, adding a key differentiator in their testing arsenal: malware emulation attack graphs.

While traditional attack graphs and the classic cyber kill chain model tend to focus on the steps of a manual attack at the hands of a threat actor, malware TTPs are often unknown. That leaves defenders without insight into how and why their security controls are failing to prevent these attacks, and without any way to tell whether a breach stems from the malware itself or from manual activity by an adversary.

Meanwhile, ART’s real-world malware emulation attack graphs focus on the characteristics of the malware itself: where that malware can do harm against your specific security controls, and through which TTPs.

Sogu/PlugX: The Itch You Can Never Seem to Scratch

Until now! AIQ’s Adversary Research Team aptly kicked off this campaign by emulating Sogu, aka PlugX, one of the most prevalent malware tools to date. Sogu/PlugX is a full-featured, modular remote access tool (RAT) with many variants and widespread use, primarily by Chinese espionage threat actors. Sogu has been around for more than a decade, with early reporting as far back as 2008, yet it continues to be relevant, with pervasive targeting of various industry sectors including the semiconductor industry and nation-state governments.

What makes Sogu/PlugX particularly concerning is its sophistication and its ability to adapt its tactics with fluidity. It utilizes advanced techniques such as rootkit technology, encrypted communication, and anti-analysis capabilities to avoid detection by traditional security solutions. It’s known for its ability to exploit known vulnerabilities and use spear-phishing campaigns, making it a persistent threat to organizations of all sizes. Given the ever-present danger of Sogu/PlugX, organizations must proactively defend against it – and AttackIQ Flex provides a resource to do so.

With our agentless test-as-a-service model, organizations can utilize AttackIQ Flex’s attack graphs to emulate a common sequence of malware behaviors and subsequently prevent and/or detect Sogu as it progresses through its kill chain.

Scenarios included in this Package:

  • Save 2020-07 Sogu/PlugX DLL Sample to File System
  • Persistence Through Windows Registry
  • Code Injection
  • Save 2020-07 Sogu/PlugX Self-extracting RAR Sample to File System
  • New Service
  • Download 2020-07 Sogu/PlugX Self-extracting RAR Sample to Memory
  • 2020-07 Sogu/PlugX DNS Command and Control Communication
  • Input Capture
  • System Network Configuration Discovery through Windows Command Line
  • Exfiltrate Text File Containing Windows System Profiling Data via HTTP to Test Server
  • System Information Discovery Script
  • Obtain Username using “whoami” Command
  • DLL Side-Loading


AttackIQ Flex represents a cutting-edge solution in the relentless battle against cyber threats. The innovation brought by AttackIQ’s Adversary Research Team (ART) now extends to the realm of malware emulation attack graphs, setting a new standard in proactive cyber defense. Sogu/PlugX’s sophistication and adaptability make it a formidable adversary, underscoring the need for proactive defense measures. AttackIQ Flex allows organizations to leverage attack graphs to emulate malware behaviors, providing a comprehensive view of their security vulnerabilities and enabling them to enhance their security posture.

This groundbreaking approach with AttackIQ Flex is a testament to the ongoing innovation in cybersecurity practices. In the face of ever-evolving cyber threats, it equips organizations with the tools they need to stay one step ahead in the war against malicious actors and ensure the safety of their digital landscapes.