The Evoxt Labyrinth: Unmasking the New Subterranean Infrastructure of China’s PlugX Syndicates
While the majority of the corporate world remains preoccupied with the latest vulnerabilities, a cadre of Chinese threat actors has been stealthily architecting a subterranean infrastructure for cyberespionage. A forensic analysis of recent PlugX malware specimens has laid bare an intricate labyrinth of domains and servers orchestrated by Mustang Panda, UNC6384, and RedDelta. Notably, a substantial share of these network addresses had until now eluded public disclosure.
Researchers at Cyber and Ramen have unearthed fourteen domains tied to this protracted espionage campaign. Each of these domains resolves into the command-and-control (C2) infrastructure that governs the compromised endpoints. The operators show a pronounced preference for re-registering expired domain names, anchoring them on virtual private servers within Autonomous System 149440 (operated by Evoxt Enterprise), and then hiding the true origin servers behind Cloudflare’s proxy and TLS layer. Registration is predominantly carried out via NameCheap and NameSilo, almost invariably with WHOIS privacy protection enabled to shield the registrant’s identity.
PlugX functions as a sophisticated Remote Access Trojan (RAT). This insidious contagion has persisted for over a decade, routinely surfacing in campaigns orchestrated by Chinese state-aligned syndicates. Such offensives are quintessentially directed against governmental apparatuses, diplomatic missions, and non-governmental organizations. While inaugural incursions predominantly afflicted Southeast Asia, the contagion’s theater of operations has since metastasized into Europe and disparate global regions.
In the summer of 2025, Google’s Threat Analysis Group attributed a multi-stage espionage operation to the UNC6384 collective. The campaign began with the distribution of the digitally signed STATICPLUGIN loader which, upon execution, stealthily deployed PlugX. Google’s analysts found that UNC6384 and Mustang Panda share C2 infrastructure and distribute an identical variant of the malware, designated SOGU.SEC.
In January 2025, analogous machinations orchestrated by RedDelta were chronicled, with crosshairs fixed upon Taiwan, Mongolia, and the broader Southeast Asian theater. The syndicate wielded an identical stratagem: resurrecting lapsed domains via NameCheap and interposing Cloudflare’s infrastructure to obfuscate the genuine server origins.
A new wave of activity surged in February 2026. On the 24th of February, experts at Internet Initiative Japan dissected a PlugX variant delivered via an updated STATICPLUGIN loader, which communicated with the domain fruitbrat[.]com. A mere two days later, researchers at Lab52 described a different infection chain: the malicious code invoked the MSBuild utility to sideload a malicious library, then established a connection to decoraat[.]net. Both domains reside within the very same infrastructure.
The genesis of this investigation traces back to the posting of a PlugX sample on the X social media platform. A user operating under the pseudonym smica83 uploaded the Avk.dll file, along with a link to a malware repository. The following day, researcher Naoki Takayama parsed the specimen and found substantial alterations to its configuration. This new iteration used RC4 encryption alongside a custom data-encoding scheme. Embedded within its configuration were the command server’s coordinates: 108.165.255[.]97:443.
Subsequent probing revealed the server to be responsive on ports 443, 3389, and 5985. This IP address belongs to the Evoxt Enterprise network, a hosting provider that had historically remained absent from the public record of PlugX infrastructure.
A closer examination of the TLS certificate served on port 443 revealed another crucial facet. The server presented a Cloudflare Origin certificate that explicitly listed fruitbrat[.]com among its domain names (subject alternative names). WHOIS data confirmed the domain’s registration via NameCheap, using Cloudflare nameservers, while the registrant’s identity remained hidden behind a privacy service.
Naturally, registration data alone is insufficient to fingerprint PlugX infrastructure, given the thousands of similar servers on the internet. Consequently, analysts examined auxiliary indicators. Across the servers of Autonomous System 149440, they detected distinctive nginx Server headers reporting versions 1.26.3 and 1.28.0. The combination of these indicators enabled the researchers to uncover new IP addresses previously absent from threat intelligence reporting.
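The pivoting described above can be turned into a repeatable hunt over your own scan and WHOIS data. The Python below is an added example, not code from Cyber and Ramen or any of the cited researchers: it scores a server record against the traits the article lists (AS149440, the two nginx versions, a Cloudflare Origin certificate that names the origin domain, a NameCheap/NameSilo registration behind Cloudflare nameservers with WHOIS privacy, and 443 exposed alongside 3389/5985). The `ServerRecord` layout, the one-point-per-trait scoring, the review threshold, and every record other than the 108.165.255[.]97/fruitbrat[.]com one are assumptions constructed for the example.

```python
"""Hunting heuristic for the PlugX hosting pattern described in the article.

Traits scored:
  * VPS in AS149440 (Evoxt Enterprise)
  * nginx Server header reporting 1.26.3 or 1.28.0
  * Cloudflare Origin certificate on 443 whose SAN list names the origin domain
  * that domain registered at NameCheap/NameSilo, Cloudflare nameservers, WHOIS privacy
  * 443 open together with management ports 3389 and 5985

All records below are constructed for illustration. Only 108.165.255.97,
fruitbrat.com, AS149440 and the nginx versions are taken from the article;
the remaining IPs, domains and WHOIS details are invented sample data.
"""
from dataclasses import dataclass, field

EVOXT_ASN = 149440
SUSPECT_NGINX = {"nginx/1.26.3", "nginx/1.28.0"}
SUSPECT_REGISTRARS = {"namecheap", "namesilo"}
MGMT_PORTS = {3389, 5985}


@dataclass
class ServerRecord:
    ip: str
    asn: int
    open_ports: set
    server_header: str
    cert_issuer: str               # issuer CN as seen in the TLS handshake
    cert_sans: list                # subject alternative names on the certificate
    whois: dict = field(default_factory=dict)   # domain -> registrar/nameservers/privacy


def cloudflare_nameservers(nameservers):
    """True if the list is non-empty and every nameserver is a Cloudflare one."""
    return bool(nameservers) and all(
        ns.lower().rstrip(".").endswith(".ns.cloudflare.com") for ns in nameservers
    )


def score_record(rec):
    """Return (score, reasons): one point per matched trait.

    The >=3 review threshold used by hunt() is this example's own choice;
    a single trait (AS149440 alone, or a Cloudflare Origin cert alone) is
    far too common on the internet to act on.
    """
    reasons = []
    if rec.asn == EVOXT_ASN:
        reasons.append("hosted in AS149440 (Evoxt Enterprise)")
    if rec.server_header in SUSPECT_NGINX:
        reasons.append(f"Server header {rec.server_header}")
    if "cloudflare origin" in rec.cert_issuer.lower() and rec.cert_sans:
        # An origin certificate on a directly reachable IP leaks the domain
        # that the Cloudflare proxy is supposed to be hiding.
        reasons.append("Cloudflare Origin certificate names " + ", ".join(rec.cert_sans))
    if 443 in rec.open_ports and MGMT_PORTS <= rec.open_ports:
        reasons.append("443 exposed alongside RDP/WinRM (3389, 5985)")
    for domain in rec.cert_sans:
        w = rec.whois.get(domain)
        if not w:
            continue
        if (w.get("registrar", "").lower() in SUSPECT_REGISTRARS
                and cloudflare_nameservers(w.get("nameservers", []))
                and w.get("privacy")):
            reasons.append(f"{domain}: {w['registrar']} registration, Cloudflare NS, WHOIS privacy")
    return len(reasons), reasons


def hunt(records, threshold=3):
    """Return {ip: reasons} for records scoring at or above the threshold."""
    flagged = {}
    for rec in records:
        score, reasons = score_record(rec)
        if score >= threshold:
            flagged[rec.ip] = reasons
    return flagged


# Constructed sample inventory (what a passive scan plus WHOIS lookup might yield).
SAMPLE_RECORDS = [
    ServerRecord(
        ip="108.165.255.97", asn=149440, open_ports={443, 3389, 5985},
        server_header="nginx/1.26.3",
        cert_issuer="CloudFlare Origin SSL Certificate Authority",
        cert_sans=["fruitbrat.com"],
        whois={"fruitbrat.com": {"registrar": "NameCheap",
                                 "nameservers": ["ada.ns.cloudflare.com", "bob.ns.cloudflare.com"],
                                 "privacy": True}},
    ),
    # Same provider, ordinary web host: one weak trait only.
    ServerRecord(
        ip="192.0.2.10", asn=149440, open_ports={22, 80, 443},
        server_header="Apache/2.4.58",
        cert_issuer="R3", cert_sans=["example-shop.test"], whois={},
    ),
    # Unrelated ASN with a Cloudflare Origin cert: a single trait, not actionable.
    ServerRecord(
        ip="198.51.100.7", asn=64500, open_ports={443},
        server_header="nginx/1.24.0",
        cert_issuer="CloudFlare Origin SSL ECC Certificate Authority",
        cert_sans=["blog.example.test"], whois={},
    ),
]

if __name__ == "__main__":
    for ip, why in hunt(SAMPLE_RECORDS).items():
        print(ip)
        for r in why:
            print("   -", r)
```

Any one of these traits is shared by thousands of unrelated hosts, which is why `hunt()` only reports records matching three or more: the value lies in the conjunction, exactly as the analysts needed the nginx headers and certificate data together to move beyond registration records.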
Evoxt Enterprise provisions virtual private servers, predominantly localized within the United States, alongside nodes scattered across Malaysia, Japan, the United Kingdom, Hong Kong, and Germany. Preceding cyberattack chronologies have, indeed, implicated this network as a haven for hosting C2 servers and intermediate staging infrastructure.
The lifecycle of a single domain exemplifies this modus operandi. In mid-January 2026, a Cloudflare certificate was issued for fruitbrat[.]com. At the same time, the domain’s registration was renewed and Cloudflare nameservers were put in place. On February 6th, a PlugX specimen configured to contact this domain appeared online. A day later, analysts pinpointed the command server at 108.165.255[.]97. IIJ’s subsequent analysis confirmed the domain’s link to the malware.
The remarkably brief window, spanning only one to three days between domain registration, certificate issuance, and infrastructure migration, points to a well-rehearsed deployment routine. The operators first point the domain at an Evoxt server and then quickly move it behind Cloudflare’s proxies, masking the true origin.
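The timing pattern itself is something a defender can check automatically against certificate-transparency, WHOIS and passive-DNS history. The Python below is an added example, not the researchers’ tooling: it computes the gaps between staging events and flags the compressed-setup signature the article describes (setup finished within a few days, ending on a Cloudflare proxy, with the sample appearing only afterwards). The event names, the `max_setup_days` threshold, and the exact January dates are assumptions; only mid-January, February 6 and February 7 come from the article.

```python
"""Deployment-timeline check for the staging pattern described in the article:
domain renewal, Cloudflare Origin certificate, hosting on an Evoxt VPS and the
move behind Cloudflare all landing within one to three days, followed weeks
later by the first malware sample that references the domain.

The dated events below are constructed to mirror the fruitbrat.com chronology;
the article gives only "mid-January 2026", "February 6" and "February 7", so
the exact January dates are assumptions. Event names are this example's own.
"""
from datetime import date

SETUP_EVENTS = {"domain_registered", "cert_issued", "dns_to_hosting", "cloudflare_proxy"}


def event_gaps(events):
    """Return [(prev_name, name, days_between)] for events sorted by date."""
    ordered = sorted(events.items(), key=lambda kv: kv[1])
    return [(a[0], b[0], (b[1] - a[1]).days) for a, b in zip(ordered, ordered[1:])]


def setup_window_days(events):
    """Days spanned by the infrastructure-setup events only (None if too few)."""
    setup = [d for n, d in events.items() if n in SETUP_EVENTS]
    if len(setup) < 2:
        return None
    return (max(setup) - min(setup)).days


def lead_time_days(events):
    """Days from the end of setup to the first malware sample naming the domain."""
    setup = [d for n, d in events.items() if n in SETUP_EVENTS]
    sample = events.get("first_sample")
    if not setup or sample is None:
        return None
    return (sample - max(setup)).days


def is_rapid_staging(events, max_setup_days=3):
    """Flag the signature described in the article: a compressed setup window
    whose last step is the Cloudflare proxy, with the sample appearing later."""
    window = setup_window_days(events)
    lead = lead_time_days(events)
    if window is None or lead is None:
        return False
    last_setup = max(d for n, d in events.items() if n in SETUP_EVENTS)
    proxied_last = events.get("cloudflare_proxy") == last_setup
    return window <= max_setup_days and lead > 0 and proxied_last


# Constructed chronology for fruitbrat.com (January days are assumed).
FRUITBRAT_TIMELINE = {
    "domain_registered": date(2026, 1, 14),   # renewal of the lapsed domain (assumed day)
    "cert_issued":       date(2026, 1, 15),   # Cloudflare Origin certificate (assumed day)
    "dns_to_hosting":    date(2026, 1, 15),   # A record pointed at the Evoxt VPS (assumed day)
    "cloudflare_proxy":  date(2026, 1, 16),   # nameservers switched, origin hidden (assumed day)
    "first_sample":      date(2026, 2, 6),    # PlugX sample referencing the domain
    "c2_identified":     date(2026, 2, 7),    # C2 at 108.165.255.97 pinpointed
}

# Constructed counter-example: a long-established domain whose changes are spread over years.
LEGIT_TIMELINE = {
    "domain_registered": date(2019, 3, 2),
    "cert_issued":       date(2025, 11, 20),
    "cloudflare_proxy":  date(2025, 12, 1),
    "first_sample":      date(2026, 2, 6),
}

if __name__ == "__main__":
    for prev, nxt, days in event_gaps(FRUITBRAT_TIMELINE):
        print(f"{prev:>18} -> {nxt:<18} {days:>3} days")
    print("setup window:", setup_window_days(FRUITBRAT_TIMELINE), "days")
    print("rapid staging:", is_rapid_staging(FRUITBRAT_TIMELINE))
```

Run against real feeds, `domain_registered` would come from WHOIS history, `cert_issued` from a certificate-transparency log, and the DNS events from passive DNS; the check is only as good as the timestamps those sources give you.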
Several domains within this unmasked network resolve to entirely mundane web pages, displaying boilerplate templates concerning technology or collaborative synergy. One such domain, basecampbox[.]com, impeccably masquerades as a pedestrian project management and team communication utility. In all probability, these site templates were injected as an elaborate veneer of camouflage.
The infrastructural behavior, the technical idiosyncrasies of the servers, and the recursive domain nomenclatures coalesce to form a remarkably distinct operational profile. When juxtaposed against historically published intelligence, the evidence points with profound probability to the machinations of Mustang Panda, UNC6384, and RedDelta.
These syndicates continue to apply the same stratagem. The operators procure lapsed domains that carry no malicious reputation, register them with mainstream registrars, and promptly shroud their infrastructure behind Cloudflare. This approach severely complicates the discovery of command servers and hinders defenders from blocklisting the malicious network in a timely fashion.
While this infrastructure currently remains active, it is unlikely that Evoxt will remain the primary hosting provider indefinitely. Such groups frequently migrate their operational hubs. Nevertheless, the ingrained habits of the operators tend to betray their campaigns; even amid substantial infrastructure overhauls, their characteristic signatures remain.