New PlugX USB Worm Variant Spreads Globally Using Stealthy DLL Sideloading Techniques
A new variant of the PlugX USB worm is causing renewed concern as it spreads across several continents, leveraging DLL sideloading and USB-based propagation to bypass traditional security defenses.
First identified in Papua New Guinea in August 2022, this strain reappeared in regions such as Ghana, Mongolia, Zimbabwe, and Nigeria, indicating a fragmented yet global infection pattern. This distribution suggests that operators are not relying on mass phishing campaigns but rather on physical media or controlled USB seeding methods.
PlugX is a long-standing Remote Access Trojan (RAT) originating from China and frequently associated with espionage-oriented intrusion groups. It typically uses DLL sideloading to execute malicious payloads through trusted executables.

Security researchers from SOPHOS have identified that this variant introduces a new payload and communicates with a command-and-control (C2) server previously linked only loosely to PlugX activity.
The C2 server located at 45.142.166[.]112 aligns with earlier research suggesting a tentative association with “other PlugX” operations and is now strongly linked to the PKPLUG/Mustang Panda threat actor.
How DLL Sideloading and USB Spread Work
The worm exploits a legitimate Avast executable, AvastSvc.exe, which is vulnerable to DLL sideloading. It pairs this executable with a malicious DLL (wsc.dll) and an encrypted PlugX payload.

On infected systems and removable drives, the malware places components into a RECYCLER.BIN directory and renames the trusted loader (e.g., to CEFHelper.exe) to disguise it as a benign helper process.
When users double-click what seems like a removable drive shortcut, Windows executes the renamed AvastSvc.exe, which then sideloads the rogue DLL and decrypts the PlugX backdoor.

To facilitate data theft and lateral movement, the worm drops a batch script (tmp.bat) that runs discovery commands such as ipconfig, systeminfo, tasklist, and netstat, saving results in a base64-encoded filename for later exfiltration.
PlugX also scans for sensitive documents such as .doc, .xls, .ppt, and .pdf files, encrypts them, and stores copies in RECYCLER.BIN with obfuscated names.
On removable media, the worm uses Windows shortcut tricks and filesystem attributes to appear invisible to casual users. All malicious files and stolen data are marked as hidden and system, and a crafted desktop.ini associates the RECYCLER.BIN folder with the Windows Recycle Bin shell extension—masking the backdoor’s presence.
Old USB Worm Tactics, Renewed at Scale
Despite the shift toward email and cloud-based threat vectors, PlugX’s USB-aware variants show that Advanced Persistent Threat (APT) actors are reviving USB-based propagation for persistence and infiltration into air-gapped or segmented networks.

Recent sinkholing efforts and telemetry confirm that self-spreading PlugX USB malware families remain active years after their initial deployment, with tens of thousands of infected public IPs still communicating daily.
The emergence of this latest DLL-sideloading PlugX USB worm highlights how mature malware toolkits can be repackaged with minimal modifications in loaders and infrastructure to launch fresh, geographically dispersed campaigns.