How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking
Talos discovered that a new PlugX variant’s features overlap with both the RainyDay and Turian backdoors
Tuesday, September 23, 2025 14:00
- Cisco Talos discovered a new campaign active since 2022, targeting the telecommunications and manufacturing sectors in Central and South Asian countries, delivering a new variant of PlugX.
- Talos discovered that the new variant’s features overlap with both the RainyDay and Turian backdoors, including abuse of the same legitimate applications for DLL sideloading, the XOR-RC4-RtlDecompressBuffer algorithm used to encrypt/decrypt payloads and the RC4 keys used.
- The configuration associated with this new variant of PlugX differs significantly from the standard PlugX configuration format. Instead, it adopts the same structure as RainyDay, enabling us to assess with medium confidence that this variant of PlugX can be attributed to Naikon.
- Although these malware families have historically been associated with campaigns attributed to Naikon or BackdoorDiplomacy, our analysis of the victimology and technical malware implementation has uncovered evidence that indicates a potential connection between the two threat actors and suggests that they are the same group or that both are sourcing their tools from the same vendor.
Overview
Cisco Talos has identified an ongoing campaign targeting the telecommunications and manufacturing sectors in Central and South Asian countries. Based on our analysis of collected evidence, we assess with medium confidence that this campaign can be attributed to Naikon, an active Chinese-speaking threat actor that has been operating since 2010. This assessment is based on analysis of the PlugX configuration format used during this campaign as well as the malware infection chain involved, which was very similar to their previous malware, RainyDay.
During the investigation and hunting efforts for RainyDay backdoors, Talos uncovered two significant findings. First, we found that several instances of the Turian backdoor and newly identified variants of the PlugX backdoor were abusing the same legitimate Mobile Popup Application as RainyDay to load themselves into memory. Second, we observed that the three malware families leverage loaders which not only have a similar XOR decryption function but also use the same RC4 key to decrypt the encrypted payload. Although we did not observe any activity associated with RainyDay or Turian during this campaign, this finding enables us to make assessments regarding attribution.
Attribution
Naikon
Naikon is a well-known Chinese-speaking cyber espionage group that has been active since at least 2010. This threat group has primarily targeted government, military, and civil organizations across Southeast Asia.
Naikon employs a variety of backdoors, including Aira-body, Nebulae and RainyDay, along with numerous customized hacking tools to maintain persistence and exfiltrate data from victims’ network environments. Notably, Symantec reported the group has been using the RainyDay backdoor to target telecom operators in several Asian countries as part of a prolonged espionage campaign, which they traced back to 2020.
BackdoorDiplomacy
BackdoorDiplomacy is a threat group that has been active since at least 2017. The group has primarily targeted Ministries of Foreign Affairs and telecommunication companies across Africa, Europe, the Middle East and Asia.
Their primary tool of choice is Turian, believed to be an upgraded version of Quarian. ESET has noted similarities in the network encryption methods of Turian and a backdoor known as Backdoor.Whitebird.1. Bitdefender has suggested that Quarian, Turian and Whitebird may be different versions of the same backdoor. Bitdefender has also published a blog on attacks against telecommunication companies in the Middle East, which began in February 2022.
Talos compares Naikon and BackdoorDiplomacy using the diamond model in Figure 1.
Figure 1. Comparison between the Naikon and the BackdoorDiplomacy by using the diamond model.
Relations in recent campaigns
While investigating the DLL search order hijacking abuse used in this campaign, Talos discovered that RainyDay, Turian and the PlugX variant all abused the same legitimate software to execute their malicious loaders. Although these malware families are seemingly operated by different threat groups (Naikon and BackdoorDiplomacy), our analysis uncovered evidence suggesting a potential connection between them.
First, there are consistent targeting patterns in the campaigns Naikon and BackdoorDiplomacy have conducted, with similar countries and industries affected, which could indicate a possible connection. Both primarily focus on telecommunications companies, and their most recent campaigns continue this trend. In a recent campaign we observed, Naikon targeted a telecommunications company in Kazakhstan, which borders Uzbekistan — another country previously victimized by BackdoorDiplomacy. Prior reporting suggests that targeting of countries in this region aligns with historical BackdoorDiplomacy activity. Additionally, both Naikon and BackdoorDiplomacy have been observed targeting South Asian countries.
Furthermore, the malware loaders and shellcode structures used by both groups show significant similarities, and Talos has observed the use of the same RC4 keys, as well as the XOR-RC4-RtlDecompressBuffer algorithm, for decrypting malware payloads across RainyDay (Naikon), PlugX (Naikon) and Turian (BackdoorDiplomacy). These overlaps will be explored further in the next section. Talos created a timeline of intrusion activity associated with these three malware families (Figure 2) by analyzing data from:
- Campaigns we observed
- Third-party reporting
- Malware compilation timestamps
- Timestamps present in keystroke logs generated during infections
Figure 2. Timeline of RainyDay, new variant PlugX and Turian backdoor.
While we cannot conclude that there is a clear connection between Naikon and BackdoorDiplomacy, there are significant overlapping aspects — such as the choice of targets, encryption/decryption payload methods, encryption key reuse and use of tools supported by the same vendor. These similarities suggest a medium confidence link to a Chinese-speaking actor in this campaign.
Malware attack flow
RainyDay, Turian and the new variant of PlugX identified in this campaign are all executed via DLL search order hijacking.
Although there are differences among the three pieces of malware, the behavior of the loaders themselves is similar. The loaders for RainyDay, PlugX and Turian, which are loaded by abusing legitimate executables, read encrypted shellcode files located in the same directory as the executables and decrypt the data to execute their respective malware. The decrypted RainyDay and PlugX payloads are unpacked into memory and inject code into the calling process to execute the malware. Turian injects into a new legitimate process (either wabmig.exe or explorer.exe) to execute the malware. After execution, it loads the Config data, which defines the command and control (C2) destination and an INI file containing an “AntiVir” section.
Figure 3. RainyDay malware flow.
Figure 4. New PlugX variant malware flow.
Figure 5. Turian malware flow.
RainyDay, new PlugX variant and Turian loaders
These three loaders are designed to read, decrypt and execute the encrypted shellcode for their respective malware from the Initial directory.
Let’s examine the decryption routines for the RainyDay, PlugX and Turian loaders. The three loaders share a significant amount of common code. First, they use the GetModuleFileNameA API to obtain the full path of the executable. Then, they read data from the Initial directory using hardcoded filenames within the malware.
The initial RainyDay loader Talos observed in 2016 did not encrypt the data. However, in subsequent malware samples, each loader includes a decryption routine. As illustrated in Figures 6 – 8, the RainyDay loader decrypts data from “rdmin.src”, the PlugX loader from “Mcsitesdvisor.afx” and the Turian loader from “winslivation.dat”, each using XOR encryption. The decrypted shellcode is then unpacked in memory and executed using CALL or JMP instructions.
Figure 6. RainyDay loader.
Figure 7. PlugX loader.
Figure 8. Turian loader.
The format of the shellcode each of the three malware loaders decrypts is the same. It contains data that has been encrypted and compressed using RC4 and LZNT1, respectively. This data is then decompressed and decrypted, ultimately providing code to be executed in memory.
After the transition via a CALL or JMP instruction, code like that shown in the figure below is repeatedly executed. Control Flow Flattening (CFF) may be implemented in some cases.
Figure 9. A portion of the code used by RainyDay and Turian to implement CFF.
As shown in Figure 10, the shellcode uses a ROL25-based additive API hash function to resolve the Windows APIs it needs. The next stage is then decrypted using RC4, as shown in Figure 11.
After RC4 decryption, the resulting data is still LZNT1-compressed; the shellcode calls the RtlDecompressBuffer API to decompress it and deploy RainyDay, PlugX or Turian.
Figure 10. ROL25-based additive API hash function.
Figure 11. RC4 decryption and LZNT1 decompression code.
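The API hash resolution described above is easiest to work with when the analyst precomputes a table of hash values for known export names and uses it to label the hash constants seen in the disassembly. The following Python is an added example, not code from the Talos post. The post does not give the exact routine, so the hash form used here (h = ROL32(h, 25) + byte over the ASCII name, starting from 0, without the terminating NUL) is an assumption that must be checked against Figure 10 and adjusted if the initial value, rotation order or NUL handling differ; the export name list is constructed for illustration.

```python
# Added example (not from the Talos post): precomputing a lookup table for a
# ROL25-based additive API hash, so hash constants seen in a disassembly can
# be mapped back to the Windows API names the shellcode resolves.
# ASSUMPTION: the post does not give the exact routine; the form used here
# (h = ROL32(h, 25) + byte over the ASCII name, starting from 0, without the
# terminating NUL) is a common shape and must be verified against Figure 10.

def rol32(value: int, count: int) -> int:
    """Rotate a 32-bit value left by `count` bits."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & 0xFFFFFFFF

def api_hash_rol25(name: str, init: int = 0) -> int:
    """Assumed ROL25 additive hash: rotate the accumulator, then add the byte."""
    h = init
    for b in name.encode("ascii"):
        h = (rol32(h, 25) + b) & 0xFFFFFFFF
    return h

# Constructed list of export names; in real use, feed the export tables of
# kernel32.dll, ntdll.dll, etc. as parsed from the DLLs on an analysis machine.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "RtlDecompressBuffer", "GetModuleFileNameA",
    "ReadFile", "CreateFileA", "WriteProcessMemory",
]

def build_hash_table(names, init: int = 0) -> dict:
    """Map hash -> export name; report collisions instead of silently overwriting."""
    table = {}
    for n in names:
        h = api_hash_rol25(n, init)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {n!r} vs {table[h]!r}")
        table[h] = n
    return table

def resolve_hash(h: int, table: dict):
    """Return the export name for a hash value, or None if it is unknown."""
    return table.get(h & 0xFFFFFFFF)

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    for name in SAMPLE_EXPORTS:
        print(f"{api_hash_rol25(name):08x}  {name}")
    print(resolve_hash(api_hash_rol25("RtlDecompressBuffer"), table))
```

If the constants in the sample do not resolve against the table built from the real export lists, the usual culprits are a non-zero initial value, hashing the NUL terminator as well, or the hash being applied to a lowercase or wide-character copy of the name; vary those parameters before assuming a different algorithm.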
The DLL file decompressed by LZNT1, as indicated in Figure 12 below, has its file header bytes removed. In this example, the e_lfanew value (which indicates the location of the PE header) is set to an abnormally large value of 0x01240120, clearly showing that an invalid value has been inserted.
Figure 12. Part of the DLL file decompressed by LZNT1.
RC4 key used for malware decryption
Figure 13 below shows the RC4 keys used by each of the three different malware families and their corresponding samples. RainyDay uses “8f-2;g=3/c?1wf+c92rv.a” as its RC4 key. This same key is also used in PlugX and Turian. In early versions of RainyDay, this string was used for encrypting communications, not the malware itself. Another RC4 key specified in RainyDay, “jfntv`1-m0vt801tyvqaf_)U89chasv”, is also used in PlugX. We can conclude that the same RC4 keys are shared across RainyDay, PlugX and Turian. We can also infer that the attackers are operating multiple malware families simultaneously, and that the use of shared RC4 keys across multiple malware families suggests these activities are carried out by the same or connected attacker groups.
Figure 13. RC4 key by malware family.
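To make the loader's XOR-RC4-RtlDecompressBuffer layering and the shared RC4 key concrete for analysts who need to unpack these payloads statically, the following Python is an added example that is not code from the Talos post. It reverses the three stages in the order the loader applies them (XOR layer, RC4 with the shared key, LZNT1 decompression equivalent to RtlDecompressBuffer) and adds the e_lfanew sanity check from the Figure 12 discussion. Only the RC4 key string comes from the post; the single-byte XOR key, the LZNT1 sample stream and the PE header fragments are constructed assumptions for the example.

```python
# Added example (not from the Talos post): decoder for the XOR -> RC4 -> LZNT1
# payload layering the post describes, plus the e_lfanew check from Figure 12.
# Only RC4_KEY comes from the post (Figure 13); XOR_KEY and the sample data
# are constructed ASSUMPTIONS for illustration.
import struct

RC4_KEY = b"8f-2;g=3/c?1wf+c92rv.a"   # shared key shown in the post's Figure 13
XOR_KEY = 0x5A                         # assumed: the post does not give the XOR key

def xor_layer(data: bytes, key: int = XOR_KEY) -> bytes:
    """Outer single-byte XOR layer; symmetric, so it both encodes and decodes."""
    return bytes(b ^ key for b in data)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def lznt1_decompress(buf: bytes) -> bytes:
    """LZNT1 decompressor matching RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        hdr = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        if hdr == 0:                          # zero header terminates the stream
            break
        chunk_end = pos + (hdr & 0x0FFF) + 1  # low 12 bits: chunk size minus one
        if not hdr & 0x8000:                  # bit 15 clear: stored chunk
            out += buf[pos:chunk_end]
            pos = chunk_end
            continue
        chunk_base = len(out)
        while pos < chunk_end:
            flags = buf[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:    # flag bit clear: literal byte
                    out.append(buf[pos])
                    pos += 1
                    continue
                # back-reference; the offset/length bit split narrows as the chunk fills
                token = struct.unpack_from("<H", buf, pos)[0]
                pos += 2
                p = len(out) - chunk_base - 1
                len_mask, off_shift = 0x0FFF, 12
                while p >= 0x10:
                    len_mask >>= 1
                    off_shift -= 1
                    p >>= 1
                length = (token & len_mask) + 3
                offset = (token >> off_shift) + 1
                start = len(out) - offset
                for k in range(length):       # byte-wise copy handles overlapping runs
                    out.append(out[start + k])
    return bytes(out)

def pe_header_is_sane(image: bytes) -> bool:
    """Figure 12 shows a decompressed DLL with header bytes removed and an
    out-of-range e_lfanew; an image failing this check needs manual header
    repair before a PE parser will accept it."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return e_lfanew + 4 <= len(image) and image[e_lfanew:e_lfanew + 4] == b"PE\0\0"

# Constructed sample: one compressed LZNT1 chunk that expands to b"ABCABCABCABC".
LZNT1_SAMPLE = bytes([0x05, 0xB0,              # chunk header: compressed, 6 bytes follow
                      0x08,                    # flag byte: 4th token is a back-reference
                      0x41, 0x42, 0x43,        # literals "ABC"
                      0x06, 0x20])             # back-reference: offset 3, length 9

def encode_payload(plain_lznt1: bytes) -> bytes:
    """Builds the on-disk form for the example: RC4-encrypt, then apply the XOR layer."""
    return xor_layer(rc4(RC4_KEY, plain_lznt1))

def decode_payload(blob: bytes) -> bytes:
    """Reverses the loader's steps: XOR layer, RC4 with the shared key, LZNT1."""
    return lznt1_decompress(rc4(RC4_KEY, xor_layer(blob)))

if __name__ == "__main__":
    blob = encode_payload(LZNT1_SAMPLE)
    print(decode_payload(blob))                 # b'ABCABCABCABC'
```

Against a real sample, the encrypted file named in the loader (for example "rdmin.src") is passed to decode_payload and the result is checked with pe_header_is_sane; because the first stage is shellcode rather than the DLL itself, a failed check is expected until the embedded image is located and its stripped header fields restored.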
PDB paths included in the loader
There are a few PDB paths found in the loader samples which explain the role of the DLL loader files.
Turian loader:
C:\vc_code\No.3\3-2hao\3-2hao-211221\dlltoshellcode_and_shellcodeloader_211221\Resources\pc2msupp.pdb
C:\vc_code\code_test\26.icmpsh-master(tigong wangzhiban)\shellcodeloader_vs2008\Release\shellcodeloader_vs2008.pdb
Possible PlugX loader:
C:\Users\admin\Desktop\Desktop_bak\success_bai\MicrosoftEdgeUpdate.exe\shellcode_xor\dll-MicrosoftEdgeUpdate\Release\2-dll-MicrosoftEdgeUpdate.pdb
A deeper analysis of the PDB strings reveals a few key points. First, all the loaders contain shellcode structures, consistent across both backdoors, that are extracted and injected into memory. Second, the Turian loader PDB path (also mentioned by Bitdefender), “No.3\3-2hao\3-2hao-211221,” seems to reference project names, versions, and a timestamp, with “211221” possibly representing the date Dec. 21, 2021.
Additionally, another Turian loader PDB path includes “icmpsh-master,” likely referring to ICMP Shell (icmpsh), a well-known tool or malware technique used for covert C2 communication. In the PDB string, the phrase "(tigong wangzhiban)" in parentheses translates from Chinese to “provide web version” (提供网页版), suggesting that this version of icmpsh might have been modified for web-based use, possibly to interact with a remote server or web-based C2 infrastructure.
Finally, the RainyDay loader PDB path points to a project involving a DLL associated with "MicrosoftEdgeUpdate". This DLL could be malicious and designed to be injected into the legitimate MicrosoftEdgeUpdate.exe process.
Figure 14. Loader for each malware family that includes a PDB.
RainyDay and new PlugX variant from same infection chain
This section examines the history and technical details of the RainyDay backdoor. This malware was first discovered in 2021 by Bitdefender, and may be tracked by Kaspersky as FoundCore, based on the behavior they describe in their analysis. By combining insights from both research reports, we can outline the key characteristics and behavior of the RainyDay backdoor:
- It uses legitimate DLL sideloading to run the malware.
- The payload includes shellcode, which is responsible for extracting the final payload.
- The payload is encrypted using XOR-RC4-RtlDecompressBuffer and its configuration is encrypted using a simple single-byte XOR key.
- Most importantly, the configuration holds critical details like the C2 server address, folder name, service description, mutex, registry key path and other information.
From the information above, Talos was able to find several RainyDay backdoor loaders and payloads in various malware repositories. While all of the samples matched RainyDay backdoor signatures, we found that the final backdoors actually belonged to two different malware families: the previously reported RainyDay backdoor and a new variant of the notorious Chinese remote access trojan (RAT), PlugX. Figures 15 – 17 display the different malware families which both contain the same code responsible for configuration decryption.
Figure 15. Bitdefender’s identified RainyDay configuration decryption code.
Figure 16. Oldest RainyDay configuration decryption code.
Figure 17. PlugX variant configuration decryption code.
Older version of RainyDay backdoor
Following a detailed analysis, Talos identified an older variant of the RainyDay backdoor. The code structure aligns closely with the newer variants described in other cybersecurity vendors’ publications. This older variant employs the same code logic to determine the target machine’s Windows version and CPU architecture. Notably, the debug logs exhibit significant similarities between the variants. As illustrated in Figure 18, the threat actor has not only enhanced the functionality of the RainyDay backdoor but has also refined the debug log output, which likely allows the malware’s developers to debug individual functions more efficiently. Otherwise, this older variant closely mirrors what has been detailed in Bitdefender’s previous reports, with the primary differences being the absence of C2 HTTP communication capabilities and file manipulation functions.
Figure 18. Left: Bitdefender-described RainyDay. Right: Talos-discovered older variant of RainyDay.
Talos uncovered two additional compelling pieces of evidence to support the conclusion that this is an earlier version of the RainyDay backdoor. First, the loader for this variant was compiled on Feb. 27, 2018 at 12:32:40 UTC, making it the oldest sample identified to date. Second, the configuration file contains a timestamp dating back to Dec. 28, 2016. Based on this information, we assess with high confidence that the RainyDay backdoor has likely been in operation since at least 2016.
Figure 19. Old version of RainyDay configuration.
Talos also discovered a PDB string path embedded in the malware, which discloses the backdoor’s original file name.
C:\Users\Qs\Desktop\Workspace\1qaz\bin\core.pdb
The file names are the same; therefore, this finding further strengthens the link between this older variant of the RainyDay backdoor and the 2021 FoundCore version.
PlugX variant backdoor
The other final payload Talos identified is a customized variant of the PlugX backdoor, which we believe has become the primary backdoor used by the threat actor in recent campaigns. While this variant of PlugX is not particularly new and its plug-in functionalities have been documented in previous reports, it stands out for a key reason: its configuration differs significantly from the previously identified PlugX configuration. Instead, it adopts the same configuration structure as the RainyDay backdoor. This anomaly strongly suggests that the threat actors likely have access to the original source code of PlugX, enabling them to modify it in this manner. Note, however, that the threat actor might further patch the configuration handling of the PlugX backdoor to fit their preferred configuration structure.
Figure 20. PlugX configuration.
Talos has high confidence that the PlugX variant observed in this campaign is a customized version of BackDoor.PlugX.38. Like the original variant, it utilizes the “SetUnhandledExceptionFilter” exception handler to identify the thread ID responsible for triggering the exception within the “threads_container” and subsequently generates the associated strings. However, this variant introduces a modification to employ an additional XOR operation to encrypt those strings. When the malware executes the relevant function, it decrypts the strings dynamically during runtime.
Figure 21. Exception filter setting.
After completing its preparation procedures, the trojan escalates its privileges by acquiring SeDebugPrivilege and SeTcbPrivilege. It then initializes its main routine and determines the folder path, specified in its configuration, where it will drop the infection chain files. The malware creates a DoImpUserProc thread to manage plug-in operations or execute a function named OnlineMainDump. To evade detection, the threat actor conceals the SeDebugPrivilege and SeTcbPrivilege strings by encrypting them using a modified Tiny Encryption Algorithm (TEA).
Figure 22. Privilege escalation.
If the PlugX backdoor executes the OnlineMainDump function, it first attempts to elevate its privileges to grant high-level access for its own process. It then retrieves three specific plug-ins: KeylogDump, Nethood and PortMap. Following this, it employs the same techniques as BackDoor.PlugX.38 to hide its malicious service within the services.exe process. Once this is completed, the OnlineNotifyDump thread is initiated, and the configuration is re-initialized. The malware then utilizes the OlProcManager thread to manage the execution of the three plug-ins within the framework of the current process.
Figure 23. PlugX main function.
Once all initialization procedures are complete, the malware begins a recurring cycle of connections to its C2 server. While the connection methodology remains identical to that of BackDoor.PlugX.38, this variant specifically utilizes the HTTPS protocol for communication. Additionally, we identified the library version name “VTCP 10.12.08” embedded within this PlugX backdoor. The VTCP library has already been confirmed in previous analyses as a component commonly associated with PlugX, further supporting the attribution of this variant to the same malware family.
Figure 24. PlugX protocol.
Furthermore, Talos observed that the threat actor embedded a keylogger plug-in in all analyzed PlugX backdoor payloads. The keylogger’s functionality and data-writing format remain consistent with those described in previous reports. However, there are notable differences: The file name has been altered and the drop file path adjusted to match the current location of the PlugX backdoor. These modifications suggest that the threat actor aimed to better integrate the keylogger with this specific variant.
Figure 25. Keylogger log file path.
Additionally, by pivoting on several keylogger log files discovered on VirusTotal, Talos observed timestamps indicating that these files were actively generated throughout 2022. Notably, one of the log files demonstrated successful persistence within the victim’s environment, recording activity from late 2022 through December 2024 — spanning nearly two years of ongoing compromise.
Coverage
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
ClamAV detections are also available for this threat:
Win.Loader.RainyDay-10045411-0
Indicators of compromise (IOCs)
The IOCs can also be found in our GitHub repository here.