KeyPlug is a modular backdoor malware from APT41 (Grayfly) that targets Windows and Linux systems. It gives attackers full control over compromised devices. KeyPlug has been used in espionage since at least June 2021.
KeyPlug is delivered through spear-phishing emails carrying malicious attachments or links. These emails often reference current events or impersonate a trusted sender to trick the victim. When the attachment is opened or the link is clicked, the malware is installed and a foothold is established on the system.
Technical Capabilities
When executed, KeyPlug gives attackers remote access to the system. It supports multiple transport protocols for communicating with its command-and-control (C2) servers, including HTTP, WebSocket over TLS (WSS), raw TCP, and KCP over UDP. The malware uses encryption and obfuscation to hinder detection and analysis, such as TLS-encrypted WebSocket channels and encoded configuration files.
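Of the transports listed above, KCP over UDP is the one least likely to appear in ordinary enterprise traffic, which makes consistent KCP framing on a UDP flow a useful hunting signal. The following is an added example, not code from the original page or from any KeyPlug analysis: it parses UDP payloads against the stock 24-byte KCP segment header (conv, cmd, frg, wnd, ts, sn, una, len, all little-endian, as defined in ikcp.h) and flags source/destination pairs whose datagrams all parse cleanly with a single stable conv id. It assumes the implant uses unmodified KCP framing, which the page does not state, so treat hits as leads for analyst review rather than verdicts.

```python
import struct

KCP_OVERHEAD = 24                       # fixed header size in stock KCP
KCP_CMDS = {81: "push", 82: "ack", 83: "wask", 84: "wins"}  # IKCP_CMD_* values
KCP_HDR = "<IBBHIIII"                   # conv, cmd, frg, wnd, ts, sn, una, len

def parse_kcp_segments(payload: bytes):
    """Walk a UDP payload as back-to-back KCP segments.
    Returns a list of segment summaries, or None if the framing is inconsistent."""
    segs, off, conv = [], 0, None
    while off < len(payload):
        if len(payload) - off < KCP_OVERHEAD:
            return None                             # truncated header
        c, cmd, frg, wnd, ts, sn, una, ln = struct.unpack_from(KCP_HDR, payload, off)
        if cmd not in KCP_CMDS:
            return None                             # not a KCP command byte
        if conv is None:
            conv = c
        elif c != conv:
            return None                             # one datagram carries one conversation
        off += KCP_OVERHEAD
        if ln > len(payload) - off:
            return None                             # declared length overruns datagram
        segs.append({"conv": c, "cmd": KCP_CMDS[cmd], "sn": sn, "len": ln})
        off += ln
    return segs or None

def build_kcp_segment(conv, cmd, sn, data=b"", frg=0, wnd=128, ts=0, una=0):
    """Encode one KCP segment; used here only to construct sample traffic."""
    return struct.pack(KCP_HDR, conv, cmd, frg, wnd, ts, sn, una, len(data)) + data

def flag_kcp_flows(datagrams, min_datagrams=3):
    """datagrams: iterable of (src, dst, payload). Return (src, dst) pairs where
    every datagram parsed as KCP, with one stable conv id, and enough volume."""
    seen = {}
    for src, dst, payload in datagrams:
        st = seen.setdefault((src, dst), {"kcp": 0, "total": 0, "convs": set()})
        st["total"] += 1
        segs = parse_kcp_segments(payload)
        if segs:
            st["kcp"] += 1
            st["convs"].add(segs[0]["conv"])
    return sorted(k for k, st in seen.items()
                  if st["kcp"] == st["total"] >= min_datagrams and len(st["convs"]) == 1)

# Constructed sample datagrams (not captured traffic): three KCP datagrams to a
# documentation-range address, plus one ordinary DNS query that must not match.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", "203.0.113.7:4000", build_kcp_segment(0xC0FFEE, 81, 0, b"\x01\x02\x03")),
    ("10.0.0.5", "203.0.113.7:4000", build_kcp_segment(0xC0FFEE, 81, 1, b"\x04")
                                     + build_kcp_segment(0xC0FFEE, 82, 1)),
    ("10.0.0.5", "203.0.113.7:4000", build_kcp_segment(0xC0FFEE, 83, 2)),
    ("10.0.0.5", "10.0.0.53:53", b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                                 b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"),
]
```

Run `flag_kcp_flows(SAMPLE_DATAGRAMS)` on the constructed data to see only the 203.0.113.7 flow returned; in practice feed it UDP payloads exported from a packet capture or NetFlow-with-payload source.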
Evolution and Adaptation
Over time KeyPlug has evolved to include both Windows and Linux versions, broadening the range of systems APT41 can target. The malware is modular, so new capabilities can be added, allowing the operators to adapt it to their targets and objectives.
Mitigation
Use advanced email filtering to detect and block spear-phishing.
Keep systems up to date and patched.
Deploy endpoint detection and response (EDR) tooling.
Train users to recognise phishing and social engineering.