RedDelta Modified PlugX Infection Chain Operations
[RedDelta Modified PlugX Infection Chain Operations](https://attack.mitre.org/campaigns/C0047) was executed by [Mustang Panda](https://attack.mitre.org/groups/G0129) from mid-2023 through the end of 2024 against multiple entities in East and Southeast Asia. The campaign used phishing to deliver malicious files or links to users; these prompted follow-on installer downloads that loaded [PlugX](https://attack.mitre.org/software/S0013) onto victim machines and established persistence.(Citation: Recorded Future RedDelta 2025)
Start date: 1 July 2023
End date: 1 December 2024
Attributed actors: Mustang Panda (G0129)
Techniques (22)
command-and-control (3)
T1090 Proxy
T1095 Non-Application Layer Protocol
T1071.001 Web Protocols
defense-impairment (1)
T1553.002 Code Signing
discovery (1)
T1082 System Information Discovery
execution (5)
T1204.002 Malicious File
T1059.001 PowerShell
T1203 Exploitation for Client Execution
T1204.001 Malicious Link
T1574.001 DLL
initial-access (2)
T1566.002 Spearphishing Link
T1566.001 Spearphishing Attachment
persistence (1)
T1547.001 Registry Run Keys / Startup Folder
privilege-escalation (1)
T1547.001 Registry Run Keys / Startup Folder
resource-development (3)
T1588.004 Digital Certificates
T1608.001 Upload Malware
T1583.001 Domains
stealth (7)
T1480 Execution Guardrails
T1036.004 Masquerade Task or Service
T1574.001 DLL
T1218.014 MMC
T1218.007 Msiexec
T1564.001 Hidden Files and Directories
T1027.013 Encrypted/Encoded File
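The technique list above maps onto a small set of host artifacts that can be triaged together: autostart entries (T1547.001), autostart targets that are signed-binary proxies (T1218.007 Msiexec, T1218.014 MMC), hidden files (T1564.001), executables whose Authenticode status is worth recording (T1553.002, T1588.004), and legitimate executables sitting next to unsigned DLLs (T1574.001). The PowerShell below is an added triage example written for this page; it is not code from MITRE ATT&CK or from the cited Recorded Future report, and it contains no campaign IOCs. The proxy-binary list, the user-writable path pattern and the `.msi`/`.msc` argument check are assumptions chosen to illustrate the listed techniques, so a flagged entry is a lead to review, not a verdict.

```powershell
# Added triage example (not from MITRE ATT&CK or the cited report).
# Enumerates Run/RunOnce keys and Startup folders (T1547.001) and annotates
# each entry with heuristics tied to the techniques listed for this campaign.
# Heuristic lists below are assumptions for illustration, not IOCs.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# Signed-binary proxies named in the technique list (T1218.007, T1218.014)
$proxyBinaries = @('msiexec.exe', 'mmc.exe')
# Provider metadata that Get-ItemProperty adds to every registry object
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-CommandPath {
    param([string]$CommandLine)
    # The executable is either the quoted first token or the first whitespace-delimited token.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+', 2)[0]
}

function Test-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $exe   = Get-CommandPath $CommandLine
    $leaf  = [IO.Path]::GetFileName($exe).ToLowerInvariant()
    $flags = @()
    if ($proxyBinaries -contains $leaf)                  { $flags += 'signed-binary-proxy' }
    if ($CommandLine -match '\.(msi|msc)\b')             { $flags += 'installer-or-console-arg' }
    # Assumed drop locations for phishing-delivered installers (user-writable)
    if ($exe -match '\\(AppData|ProgramData|Users\\Public|Temp)\\') { $flags += 'user-writable-path' }
    # Bare names without a path (e.g. a binary resolved via PATH) are reported as target-missing.
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $item = Get-Item -LiteralPath $exe -Force
        # T1564.001 Hidden Files and Directories
        if (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $flags += 'hidden-file' }
        # T1553.002 / T1588.004: record Authenticode status and signer for review
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
        else                         { $flags += "signer:$($sig.SignerCertificate.Subject)" }
        # T1574.001 DLL: a valid-signed EXE beside unsigned DLLs is a side-loading candidate
        $dir = Split-Path -LiteralPath $exe
        $unsignedDlls = @(Get-ChildItem -LiteralPath $dir -Filter *.dll -Force -ErrorAction SilentlyContinue |
            Where-Object { (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status -ne 'Valid' })
        if ($unsignedDlls.Count -gt 0) { $flags += "unsigned-dlls-alongside:$($unsignedDlls.Count)" }
    } else {
        $flags += 'target-missing'
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Command = $CommandLine; Flags = ($flags -join ',') }
}

function Get-AutostartTriage {
    @(
        foreach ($key in $runKeys) {
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($p in $props.PSObject.Properties) {
                if ($providerProps -contains $p.Name) { continue }
                Test-AutostartEntry -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
            }
        }
        $shell = New-Object -ComObject WScript.Shell
        foreach ($dir in $startupDirs) {
            Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue | ForEach-Object {
                # Resolve .lnk shortcuts to the binary they actually launch
                $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
                Test-AutostartEntry -Source $dir -Name $_.Name -CommandLine $target
            }
        }
    )
}

Get-AutostartTriage | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Run it in the context of the user being investigated, since HKCU and the per-user Startup folder belong to that profile; HKLM entries are readable without elevation. Entries that combine `signed-binary-proxy` with `user-writable-path`, or a `signer:` tag with `unsigned-dlls-alongside`, are the ones that most directly match the execution and stealth techniques listed for this campaign and deserve a manual look at the binary and its neighbouring DLLs.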
Indicators of compromise
No IOCs linked to this campaign yet.