How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking

Intel Name: How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking

Date of Scan: September 25, 2025

Impact: High

Summary:
Our team identified an ongoing campaign, active since 2022, that targets telecommunications and manufacturing organizations in Central and South Asia and delivers a new PlugX variant. The variant shares features with both the RainyDay and Turian backdoors: its payload is loaded by DLL sideloading through a legitimate application (DLL search order hijacking), and the payload is recovered with the same XOR-RC4-RtlDecompressBuffer chain those families use to decrypt and decompress it. Its configuration deviates from the standard PlugX format and instead follows RainyDay's structure. This overlap supports a medium-confidence assessment attributing the variant to the Naikon threat group. Further analysis of victimology and technical overlap suggests that Naikon and BackdoorDiplomacy may be the same group, or that both are using tools from a common source.
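The XOR-RC4-RtlDecompressBuffer chain above is what an analyst has to reverse to get at the embedded payload or configuration. The following is an added worked example, not code from this report or from the RainyDay, Turian or PlugX samples: it decodes a blob protected by that chain in Python. The XOR key, RC4 key and the payload bytes are constructed assumptions for the demo; the page does not state the real samples' key material or key lengths, and if a given loader applies RC4 before XOR the two stages simply swap. RtlDecompressBuffer's default format is LZNT1 (COMPRESSION_FORMAT_LZNT1), which the block reimplements so the decoder runs off Windows.

```python
"""Decode a loader payload protected by the XOR -> RC4 -> RtlDecompressBuffer chain.

Constructed example: the keys, key lengths and the sample payload below are
assumptions for the demo, not values recovered from the campaign's samples.
"""
import struct


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Stage 1: byte-wise XOR with a repeating key (assumed 4-byte key)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(data: bytes, key: bytes) -> bytes:
    """Stage 2: RC4 (KSA + PRGA). Symmetric, so the same function builds the sample."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def lznt1_decompress(data: bytes) -> bytes:
    """Stage 3: LZNT1, the format RtlDecompressBuffer handles by default.

    Chunks are independent. Each has a 2-byte header (bit 15 = compressed,
    bits 12-14 = signature, bits 0-11 = size-1) followed by flag bytes, each
    covering eight tokens (bit = 0: literal byte, bit = 1: 16-bit back-reference).
    """
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:            # end-of-buffer marker
            break
        size = (header & 0x0FFF) + 1
        chunk_end = pos + size
        chunk_start = len(out)
        if not header & 0x8000:    # stored (uncompressed) chunk
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # Offset/length bit split depends on how many bytes of this
                # chunk have been produced so far (offset bits grow with position).
                p = len(out) - chunk_start - 1
                len_mask, off_shift = 0x0FFF, 12
                while p >= 0x10:
                    len_mask >>= 1
                    off_shift -= 1
                    p >>= 1
                length = (token & len_mask) + 3
                offset = (token >> off_shift) + 1
                if offset > len(out) - chunk_start:
                    raise ValueError("back-reference points before chunk start")
                src = len(out) - offset
                for k in range(length):   # byte-wise so overlapping copies work
                    out.append(out[src + k])
    return bytes(out)


def decode_payload(blob: bytes, xor_key: bytes, rc4_key: bytes) -> bytes:
    """Reverse the loader's chain: XOR, then RC4, then RtlDecompressBuffer (LZNT1)."""
    return lznt1_decompress(rc4(xor_decrypt(blob, xor_key), rc4_key))


# --- constructed sample (assumptions, not data from the real samples) --------
XOR_KEY = b"\x5a\xa5\x3c\xc3"
RC4_KEY = b"rc4-demo-key"
# Hand-encoded LZNT1 chunk for b"key=value;key=value;": ten literals, then one
# back-reference (offset 10, length 10) encoded as token 0x9007.
LZNT1_SAMPLE = (
    b"\x0d\xb0"              # header: compressed, signature 3, chunk size 14
    + b"\x00" + b"key=valu"  # flags 0x00 -> eight literals
    + b"\x04" + b"e;"        # flags 0x04 -> literal, literal, back-reference
    + b"\x07\x90"            # token: length (7+3)=10, offset (9+1)=10
)
EXPECTED = b"key=value;key=value;"
# What the loader would read from disk: compressed payload -> RC4 -> XOR.
ENCRYPTED_BLOB = xor_decrypt(rc4(LZNT1_SAMPLE, RC4_KEY), XOR_KEY)

if __name__ == "__main__":
    print(decode_payload(ENCRYPTED_BLOB, XOR_KEY, RC4_KEY))
```

In practice the keys come from the sideloaded DLL itself (the XOR constant and the RC4 key are typically inlined or derived in the loader), and the blob is the encrypted file dropped next to the legitimate host executable. A cheap sanity check on the output is that a decoded payload starts with an MZ header, or that a decoded configuration matches the RainyDay-style layout the report describes; an LZNT1 stage that raises on a bad back-reference usually means the XOR/RC4 order or a key is wrong.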
