
Before the Proxy: Uncovering Active PlugX Staging Infrastructure Linked to Three PRC Actors

Executive Summary

Recent analysis of PlugX malware samples has identified 14 domains assessed to be part of ongoing PRC espionage activity consistent with threat actors designated as Mustang Panda, UNC6384, and RedDelta. The majority of these domains have not been publicly reported as of the publication of this post.

The C2 operator shows a preference for re-registering expired domains and pointing them at VPS hosts on ASN 149440 (Evoxt Enterprise) before moving them behind Cloudflare to mask the attacker-controlled origin. The domains are registered via NameCheap and NameSilo and are privacy-protected, in line with behavior previously observed by Recorded Future.

Several domains identified within this research are corroborated by recent community reporting and analysis. The goal of this post is to provide context, specifically looking into the staging of C2 domains prior to malware delivery. The domains and IPs discussed here are believed to represent a subset of a broader, ongoing campaign targeting government and diplomatic organizations.

Background & Prior Reporting

PlugX is a modular remote access trojan (RAT) with a history spanning more than a decade, frequently linked to PRC threat actors. Historically, the malware has been used to target government, diplomatic, and civil society organizations, starting in Southeast Asia and eventually moving across Europe and worldwide. Variants of the RAT show its adaptability and continued value as a preferred implant for completing objectives.

Prior Reporting on UNC6384, Mustang Panda, and RedDelta

In August 2025, Google Threat Intelligence Group (GTIG) attributed a multi-stage espionage campaign to UNC6384, a PRC-linked actor believed to be closely associated with TEMP.Hex, more commonly referred to as Mustang Panda. The campaign targeted diplomats in Southeast Asia, first delivering STATICPLUGIN, a digitally signed downloader, before deploying PlugX. GTIG reported that UNC6384 and Mustang Panda share overlapping C2 networks, and have both been observed deploying SOGU.SEC (GTIG name for PlugX) against targets aligned with PRC strategic interests.

A January 2025 report by Recorded Future's Insikt Group documented RedDelta's continued PlugX deployment targeting Taiwan, Mongolia, and Southeast Asia, identifying a recurring procurement pattern: expired domains re-registered via NameCheap and protected by Cloudflare Origin certificates. This aligns with the findings documented here.

Recent Activity: February 2026

On February 24, 2026, the security team at Internet Initiative Japan (IIJ) published analysis of a PlugX variant delivered via an updated STATICPLUGIN, which communicated with the C2 domain fruitbrat[.]com. Two days later, Lab52 documented a separate infection chain executing MSBuild with GData DLL sideloading that connected to decoraat[.]net. Each post identified TTPs shared by all three threat groups. Both domains also surfaced in our research through the query shared below.

Discovery Methodology

This investigation originated with a post on X published February 6, 2026. In the post, @smica83 provided a PlugX sample, Avk.dll, along with its hash and a link to Malware Bazaar. The following day, researcher Naoki Takayama (@mopisec) reposted with additional analysis, identifying an update to the malware's configuration structure involving RC4 encryption and encoding. Also shared in the post was an extracted C2 address: 108.165.255[.]97:443. This indicator served as the starting point for the research that follows.

Host Inspection

Using Hunt.io, the IP summary for 108.165.255[.]97 revealed active services on ports 443, 3389, and 5985. The host resolved to Evoxt Enterprise (ASN149440), a provider not previously attributed to PlugX operations, at least publicly.

Figure 1: IP summary for 108.165.255[.]97 in Hunt.

Certificate & Hostname Pattern

A review of port 443 revealed a Cloudflare-issued Origin certificate containing fruitbrat[.]com in the Subject Alternative Name (SAN) extension as a DNS name. This confirms prior reporting and will serve as one of the cluster-level fingerprints used to track this campaign.

Figure 2: Certificate details showing the DNS name, fruitbrat[.]com.

WHOIS and Domain Registration

Analysis of the WHOIS records for the C2 domain confirmed registration via NameCheap with Cloudflare nameservers, a TTP previously described for RedDelta. Registration details were protected by Withheld for Privacy. Given the variance commonly observed among WHOIS aggregators, DNSAudit and SecurityTrails were used as corroborating sources to validate registrations for this particular investigation.

Figure 3: WHOIS domain registrant details showing NameCheap and Cloudflare nameservers. Source: DnsAudit.io

Strengthening the Query

A Cloudflare Origin certificate and a NameCheap registration alone are not enough to fingerprint PlugX infrastructure, as there are thousands of similar hosts across the internet. Further examination of the servers mentioned by IIJ and Lab52 showed specific server banner patterns on port 443 within ASN 149440. The following section examines these fingerprints in more detail.

Infrastructure Analysis

Evoxt Enterprise offers virtual private servers (VPS) primarily hosted in the U.S., with a presence in Malaysia, Japan, the United Kingdom, Hong Kong, and Germany. Previous threat reports have identified this network as being used for C2 and staging operations.

Cluster Characteristics

As described in the previous section, the following indicators formed a reliable fingerprint which unearthed both IPs and domains not yet publicly reported:

Indicator            Observed Value
Hosting AS           149440 (Evoxt Enterprise)
Web Server Banner    nginx/1.26.3 and nginx/1.28.0
Port                 443
TLS Certificate      Cloudflare Origin CA
Nameservers          Cloudflare
Domain Registrar     NameCheap, Inc.

When combining the above indicators, a pseudo query may look like the following (the two banner values are grouped so the OR does not bypass the remaining conditions):

asn="149440" AND (http.headers.server="nginx/1.26.3" OR http.headers.server="nginx/1.28.0") AND port="443" AND tls.ja4x.hash="dc020972a4a8_9fb583da09a2_fb02ba79e164" AND http.status.code="200"
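As an added example (not code from the original post or from any of the tooling it references), the same fingerprint applied to host-scan records in Python, with the banner alternatives grouped so that a matching banner alone cannot satisfy the query. The record field names, the placeholder IPs and the sample records are assumptions constructed for this example; only the ASN, banners and JA4X hash come from the post.

```python
"""Evaluate the PlugX staging-host fingerprint over scan records.

Record shape (assumed, modelled loosely on a scan-API JSON export):
  ip, asn, port, server (HTTP Server header), ja4x, status, san (cert SANs).
"""

CLUSTER_ASN = "149440"                                   # Evoxt Enterprise
CLUSTER_BANNERS = {"nginx/1.26.3", "nginx/1.28.0"}
CLUSTER_JA4X = "dc020972a4a8_9fb583da09a2_fb02ba79e164"  # JA4X from the post


def matches_cluster(rec: dict) -> bool:
    """asn AND (banner A OR banner B) AND port 443 AND ja4x AND HTTP 200."""
    return (
        rec.get("asn") == CLUSTER_ASN
        and rec.get("server") in CLUSTER_BANNERS
        and rec.get("port") == 443
        and rec.get("ja4x") == CLUSTER_JA4X
        and rec.get("status") == 200
    )


def hunt(records):
    """Return (ip, SAN list) for matching hosts; the SAN carries the domain the
    operator staged, which is the pivot the post makes with fruitbrat[.]com."""
    return [(r["ip"], r.get("san", [])) for r in records if matches_cluster(r)]


# Constructed sample records using documentation IP ranges (not observations)
SAMPLE_SCAN = [
    {"ip": "198.51.100.10", "asn": "149440", "port": 443, "server": "nginx/1.26.3",
     "ja4x": CLUSTER_JA4X, "status": 200, "san": ["staged-one.example"]},
    {"ip": "198.51.100.11", "asn": "149440", "port": 443, "server": "nginx/1.28.0",
     "ja4x": CLUSTER_JA4X, "status": 200, "san": ["staged-two.example"]},
    # Evoxt nginx host with a different certificate: must NOT match, although an
    # ungrouped "asn AND banner OR ..." query would have returned it
    {"ip": "198.51.100.12", "asn": "149440", "port": 443, "server": "nginx/1.26.3",
     "ja4x": "000000000000_000000000000_000000000000", "status": 200,
     "san": ["benign.example"]},
    # right banner and cert, wrong ASN: also returned by the ungrouped query
    {"ip": "203.0.113.5", "asn": "64496", "port": 443, "server": "nginx/1.28.0",
     "ja4x": CLUSTER_JA4X, "status": 200, "san": ["elsewhere.example"]},
]

if __name__ == "__main__":
    for ip, san in hunt(SAMPLE_SCAN):
        print(ip, san)
```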

Infrastructure Lifecycle

The timeline below illustrates the staging and operational lifecycle observed for fruitbrat[.]com, which was also observed across the larger grouping:

  • Mid-January 2026 – Cloudflare TLS certificate provisioned for fruitbrat[.]com
  • Mid-January 2026 – NameCheap registration update, Cloudflare nameservers applied
  • February 6, 2026 – Associated PlugX sample shared by @smica83
  • February 7, 2026 – C2 address 108.165.255[.]97 identified by @mopisec
  • February 24, 2026 – IIJ Security publishes analysis referencing the above as communicating with the sample loaded by STATICPLUGIN.

Figure 4: Certificate data in Hunt showing the issue date.

Across this particular data group, a window of one to three days was seen between domain registration, TLS certificate provisioning, and moving away from Evoxt servers. This hints at a deliberate, pre-staged deployment model constructed to mask the true hosting IP.

Webpage Patterns

Several domains associated with this activity presented generic technology or productivity-themed placeholder sites. It is possible these webpage templates were created by the original owners and forgotten about before the domains expired. Below is an example from the research, basecampbox[.]com, which at a quick glance appears to be a simple app for team communication and project management.

Figure 5: Webpage for one of the suspected domains

When taken together, the staging behavior, server characteristics, and domain patterns documented across this activity are consistent and show deliberate infrastructure pre-positioning. Based on public reporting from GTIG, Recorded Future, IIJ Security, and Lab52, it is highly likely that the additional domains and IPs are tied to the overlapping threat actors.

Conclusion

Mustang Panda, UNC6384, and RedDelta continue to follow a consistent and methodical approach to C2 procurement (for this campaign at least), specifically designed to outpace defender visibility. The deliberate use of well-known registrars, expired domains that likely carry no negative reputation score, and rapid movement behind Cloudflare proxying complicates response efforts.

The degree of behavioral overlap across these groups warrants continued monitoring and may suggest a level of coordination, or shared development, possibly using a server template for command-and-control operations.

Although this activity appears to be ongoing, it is unlikely Evoxt will continue to be the staging provider of choice. The query documented here provides for reproducible hunting; threat actors are creatures of habit as well, and patterns usually appear regardless of what changes are made.

Indicators of Compromise


Discover more from Cyber and Ramen