A campaign aimed at organizations in India stretching out over five months is evidence that the PlugX APT group is active and evolving, according to a SophosLabs blog post.

Citing a recent technical paper penned by the company's principal researcher, Gabor Szappanos, the post noted that “PlugX now uses a new backdoor technique – hiding the payload in the Windows registry instead of writing it as a file on disk.”

The backdoor approach “is not unique to PlugX” but it is “uncommon” and found only in “a few relatively sophisticated malware families.” 

The tech paper said “different variants of the PlugX backdoor were observed as the final payload” in the campaign targeting India between September 2014 and February 2015. The new variants were distributed through “two distinguishable classes of exploited carrier documents,” though both used the CVE-2012-0158 vulnerability.