Japan Faces Sophisticated PlugX Cyberattack Targeting Shipping and Transportation Networks

Listen to this Post

Featured Image
In April 2025, Japanese cybersecurity firm LAC revealed that a China-based advanced persistent threat (APT) group launched a highly targeted cyberattack against Japanese shipping and transportation companies. The attackers exploited vulnerabilities in Ivanti Connect Secure (ICS) devices, specifically CVE-2024-21893 and CVE-2024-21887, to infiltrate critical networks. Using advanced PlugX malware variants named MetaRAT and Talisman PlugX, the attackers demonstrated a new level of sophistication in stealth, lateral movement, and persistent access. This campaign highlights the growing risk posed by state-linked cyber groups leveraging ICS vulnerabilities to target critical infrastructure.

Summary of the Attack

The attack began with exploitation of Ivanti ICS devices, leaving behind telltale signs such as critical error logs (ERR31093) and malware traces that matched patterns seen in previous Mandiant analyses. Once inside, the attackers harvested credentials, including privileged Active Directory accounts, to move laterally across networks and deploy malware on multiple servers.

MetaRAT, a modern PlugX variant written in C/C++, was central to the attack. It uses DLL side-loading through the loader file mytilus3.dll and an encrypted payload named “materoll” that employs Reflective Loading to inject code directly into memory. The malware implements advanced encryption with AES-256-ECB, API hashing, and anti-debugging techniques that destroy cryptographic keys if analysis is detected. MetaRAT communicates through multiple channels including TCP, HTTPS, and ICMP, disguising its traffic as JavaScript or CSS files and embedding unique identifiers such as “Cookie-Yaga” and “Cookie-Nguy.” Its modular plugins, including KeylogDump and PortMap, allow keylogging, command execution, configuration updates, and port tunneling.

Talisman PlugX, first reported by Trellix in 2022, mirrors MetaRAT’s architecture with DLL side-loading and encrypted payloads, though it maintains distinct header signatures to evade detection. The LAC investigation suggests multiple Chinese state-linked groups—possibly including Space Pirates, Calypso, and RedFoxtrot—were involved, given shared infrastructure and code similarities with RAT families like RainyDay and Turian. While no data theft has been confirmed, the attackers appear focused on credential harvesting, indicating preparation for long-term access.

LAC recommends organizations patch vulnerable ICS systems, monitor artifacts such as VniFile.hlp and the registry key matesile, and deploy YARA, Sigma, and Snort rules to detect MetaRAT activity. The campaign demonstrates both the evolution of PlugX malware and the increasing sophistication of attacks against critical infrastructure.

What Undercode Say:

This incident underscores a critical shift in cyberattacks against industrial networks, where sophisticated APT groups exploit not just software vulnerabilities but also network trust hierarchies. The use of MetaRAT and Talisman PlugX demonstrates a level of persistence and stealth that exceeds traditional ransomware or commodity malware campaigns. DLL side-loading combined with Reflective Loading allows malware to reside entirely in memory, bypassing many signature-based defenses, while the use of multiple C2 channels increases resilience against takedowns.

Credential harvesting as a primary goal suggests these attackers are building long-term access rather than executing immediate destructive operations. Japanese shipping and transportation sectors are particularly vulnerable, given the interconnectivity of ICS systems with operational and enterprise networks. Failure to patch critical ICS vulnerabilities like CVE-2024-21893 and CVE-2024-21887 can allow attackers to pivot deep into corporate systems unnoticed.

The malware’s advanced evasion techniques, including API hashing and anti-debugging measures, reflect a mature, state-sponsored threat model, where detection avoidance is prioritized over immediate data exfiltration. Modular functionality in MetaRAT indicates that future campaigns could expand capabilities to include espionage, sabotage, or ransomware deployment. LAC’s provision of detection rules (YARA, Sigma, Snort) is essential for defensive measures, but proactive monitoring, credential management, and network segmentation remain crucial.

From a broader perspective, this attack illustrates a trend: ICS networks, often thought insulated from global cyber conflicts, are now prime targets for state-linked cyber actors. The combination of advanced malware, strategic targeting, and infrastructure focus shows that maritime and transportation networks are evolving into battlegrounds for geopolitical cyber operations. Organizations must anticipate long-term threats, not just immediate compromise, and implement layered defenses across IT and OT environments.

🔍 Fact Checker Results:

✅ LAC confirmed a targeted APT campaign exploiting Ivanti Connect Secure vulnerabilities.
✅ MetaRAT and Talisman PlugX were used to compromise Japanese shipping networks.
❌ No evidence of confirmed data theft has been reported.

📊 Prediction:

Cyberattacks targeting ICS systems in Japan and Asia will likely increase in sophistication, leveraging memory-resident malware and multi-channel C2 communications. Organizations should expect extended campaigns focusing on credential theft and network persistence, with potential expansion to espionage or ransomware attacks. Proactive patching, enhanced monitoring, and segmentation will be critical to prevent long-term intrusions. 🚢🛡️

If you want, I can also create a more SEO-optimized, clickbait version of this article that could attract higher engagement and Google visibility. Do you want me to do that next?

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon