KEYPLUG is a modular backdoor written in C++, with Windows and Linux variants, that has been used by APT41 since at least June 2021.[1]

| Item | Value |
| --- | --- |
| ID | S1051 |
| Associated Names | KEYPLUG.LINUX |
| Version | 1.0 |
| Created | 12 December 2022 |
| Last Modified | 12 December 2022 |
| Navigation Layer | View In ATT&CK® Navigator |

Associated Software Descriptions

Name Description

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | KEYPLUG has the ability to communicate over HTTP and WebSocket Protocol (WSS) for C2.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | KEYPLUG can decode its configuration file to determine C2 protocols.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | KEYPLUG can use TLS-encrypted WebSocket Protocol (WSS) for C2.[1] |
| enterprise | T1095 | Non-Application Layer Protocol | KEYPLUG can use TCP and KCP (KERN Communications Protocol) over UDP for C2 communication.[1] |
| enterprise | T1027 | Obfuscated Files or Information | KEYPLUG can use a hardcoded one-byte XOR encoded configuration file.[1] |
| enterprise | T1090 | Proxy | KEYPLUG has used Cloudflare CDN associated infrastructure to redirect C2 communications to malicious domains.[1] |
| enterprise | T1124 | System Time Discovery | KEYPLUG can obtain the current tick count of an infected computer.[1] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.001 | Dead Drop Resolver | The KEYPLUG Windows variant has retrieved C2 addresses from encoded data in posts on tech community forums.[1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0096 | APT41 | [1] |