A Decade of Reuse: How a 2016 COM Type Library Fingerprints Ten Years of PlugX Operations
PlugX Type II loader masquerades as Tencent QQ VqqSpeedDl.dll — Delphi-compiled, 10-year MIDL reuse, 4 simultaneous sideloading vectors
A DLL uploaded to MalwareBazaar from Russia on March 31, 2026. Its export table lists a function called _RigsterHook@0 -- a misspelling of "Register" that has appeared in PlugX loaders for years. Its COM registration claims to be VqqSpeedDl.dll, a Tencent QQ download accelerator component. Its PE resources contain a MIDL type library generated on May 6, 2016. And its compilation timestamp reads March 16, 2026.
That's a 10-year gap. A type library from the Obama administration embedded in a loader built two weeks ago.
This is the story of a PlugX sideloading loader that connects to the same Mustang Panda campaign we published earlier today -- the Vietnamese corruption lure operation -- and reveals just how deeply this threat actor relies on tooling they built a decade ago.
The Sideloading Triad
PlugX Type II infections use a three-component architecture that has remained structurally identical since at least 2017:
- A legitimate, signed executable that loads a DLL by name via Windows DLL search order
- A malicious DLL (this sample) that matches the expected filename and hijacks execution
- An encrypted .dat file containing the actual PlugX implant, decrypted and injected at runtime
The legitimate executable trusts its own DLL. Windows trusts the legitimate executable. The user sees nothing. This is why DLL sideloading remains one of the most effective initial execution techniques in the APT playbook -- it turns digital trust into a weapon.
In this case, the sideloading host is Tencent QQ, China's ubiquitous messaging platform. The DLL masquerades as VqqSpeedDl.dll, a video download accelerator component. If you're running Tencent QQ and the malicious DLL lands in the right directory, the legitimate application loads it without question.
We did not recover the legitimate executable or the encrypted .dat payload. This analysis is based entirely on the loader DLL -- the middle piece of the triad, and the one that contains all the interesting tradecraft.
Compiled with Delphi. In 2026.
The PE metadata tells an unusual story. The compiler is Embarcadero RAD Studio 29.0 -- the modern incarnation of Delphi and C++ Builder. This is not the typical MSVC or MinGW toolchain that dominates malware development. Delphi-compiled PlugX loaders are a documented Mustang Panda signature, but they remain uncommon enough in the broader threat landscape that the compiler choice itself becomes an attribution signal.
The section layout confirms the Delphi lineage:
| Section | Size | Entropy | Purpose |
|---|---|---|---|
| .text | 1,008,640 | 6.56 | Compiled code (not packed) |
| .data | 35,328 | 5.55 | Global data |
| .tls | 1,024 | 0.00 | Thread-local storage (empty) |
| .rsrc | 27,136 | 4.45 | Resources (COM type library) |
| .reloc | 82,944 | 6.75 | Relocations |
The .text section entropy of 6.56 falls squarely in the range of normal compiled code -- no packing, no encryption of the code section itself. The loader doesn't need to hide. It's designed to be loaded by a trusted process, and by the time any security product examines it, it's already executing inside Tencent QQ's address space.
The export table is where things get interesting.
_RigsterHook: The Typo That Won't Die
Seven exports. Five are standard Delphi runtime functions (__dbk_fcall_wrapper, TMethodImplementationIntercept, and friends). Two are the payload:
| Export | Purpose |
|---|---|
| _RigsterHook@0 | Main loader -- triggers payload decryption and injection |
| _UnRigsterHook@0 | Cleanup/unhook routine |
That misspelling -- "Rigster" instead of "Register" -- is a known PlugX signature. It has appeared across multiple PlugX variants over the years, preserved through copy-paste inheritance as operators fork and modify the loader source. Nobody fixes the typo because nobody needs to. The legitimate Tencent QQ executable calls the export by name, and the name is defined in the malicious DLL's export table, so the misspelling is self-consistent. It works. And it keeps working. And so a developer's mistake from years ago becomes a forensic fingerprint that links samples across campaigns and build chains.
The 2016 Type Library
Buried in the .rsrc section is a COM type library that stops you cold when you read the generation timestamp:
MIDL Version: 6.00.0366
Generated: Fri May 06 18:17:59 2016
The type library defines an IVqqDownload COM interface with over 50 methods mimicking a legitimate Tencent QQ download manager: Init, CreateTask, StartTask, Read, StartHttp, StopP2P, SetHttpSpeed, AddTorrent. These are copied from the real Tencent QQ SDK -- the malicious DLL needs to expose the same COM interface as the legitimate component it replaces, or the host application won't load it.
But the type library wasn't regenerated for this build. It was generated once, in May 2016, and has been carried forward through every subsequent PlugX build that uses the Tencent QQ sideloading vector. The COM definitions haven't changed because the legitimate Tencent QQ component's interface hasn't changed -- and so the attackers have no reason to regenerate the type library.
This gives us two things:
A timeline anchor. Mustang Panda (or their tooling supplier) first built the Tencent QQ sideloading capability no later than May 2016. That's a decade of operational use from a single COM interface definition.
A unique fingerprint. The COM identifiers are hardcoded:
CLSID: {AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}
TypeLib: {25BD9BB7-33EC-4220-B725-56C470146288}
ProgID: VqqSpeedDl.VqqDownload.1
These values are not random -- they're deterministic outputs of the MIDL compiler based on the interface definition and generation parameters. Any PlugX loader using this same Tencent QQ sideloading template will carry the same CLSID and TypeLib GUID. They function as a build-chain fingerprint that links samples even when everything else -- hashes, C2 infrastructure, imphash -- differs between campaigns.
Search your registry for {AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}. If it's there and you didn't install Tencent QQ, you have a problem.
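The export typo and the two COM GUIDs make a cheap triage check. The following Python scanner is an added example, not code from the report or from Breakglass; it looks for the fingerprint in raw file bytes (export names, the GUIDs in the binary layout a type library stores and in braced text form, and the ProgID), and the sample bytes it builds for itself are constructed, not the real loader.

```python
import sys
import uuid

# Fingerprint values taken from the report above (the loader's exports and COM identifiers).
EXPORT_TYPOS = (b"_RigsterHook@0", b"_UnRigsterHook@0")
CLSID = "AF6C6F71-5822-463A-8CA1-EA496D0CA2C7"
TYPELIB = "25BD9BB7-33EC-4220-B725-56C470146288"
PROGID = "VqqSpeedDl.VqqDownload.1"


def guid_encodings(guid_text: str) -> dict:
    """Every byte form a GUID can take inside a PE: the 16-byte little-endian
    layout a type library stores, and the braced text form in ASCII and
    UTF-16LE as used by registration strings."""
    braced = "{" + guid_text.upper() + "}"
    return {
        "binary": uuid.UUID(guid_text).bytes_le,
        "ascii": braced.encode("ascii"),
        "ascii_lower": braced.lower().encode("ascii"),
        "utf16": braced.encode("utf-16-le"),
    }


def fingerprint(data: bytes) -> dict:
    """Triage scan of raw file bytes; no PE parsing, so it also works on
    memory dumps and carved fragments."""
    hits = {
        # export names sit NUL-terminated in the export name table
        "exports": [e.decode() for e in EXPORT_TYPOS if e + b"\x00" in data],
        "clsid": [k for k, v in guid_encodings(CLSID).items() if v in data],
        "typelib": [k for k, v in guid_encodings(TYPELIB).items() if v in data],
        "progid": any(p in data for p in (PROGID.encode("ascii"),
                                          PROGID.encode("utf-16-le"))),
    }
    # the export typo alone is a strong marker; both COM GUIDs together are too
    hits["match"] = bool(hits["exports"]) or (bool(hits["clsid"]) and bool(hits["typelib"]))
    return hits


def constructed_sample() -> bytes:
    """Constructed stand-in for a loader image (not the real sample): export
    name table fragment, binary CLSID, UTF-16 TypeLib GUID, ASCII ProgID."""
    return (b"\x00" * 16
            + b"".join(e + b"\x00" for e in EXPORT_TYPOS)
            + guid_encodings(CLSID)["binary"]
            + guid_encodings(TYPELIB)["utf16"]
            + PROGID.encode("ascii"))


if __name__ == "__main__":
    # with no arguments, scan the constructed sample; otherwise each path given
    for path in sys.argv[1:] or [None]:
        data = open(path, "rb").read() if path else constructed_sample()
        print(path or "<constructed sample>", fingerprint(data))
```

The same string and GUID-byte patterns translate directly into a YARA rule if that is where your detection content lives.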
Inside _RigsterHook: The Execution Chain
When the legitimate Tencent QQ executable loads VqqSpeedDl.dll and calls _RigsterHook@0, the following sequence executes:
Step 1: Am I Running Inside the Right Process?
The loader's first action is paranoia. It calls CreateToolhelp32Snapshot with TH32CS_SNAPPROCESS and walks the entire process list with Process32First / Process32Next, comparing each process name against the expected Tencent QQ executable.
If the parent process isn't what the loader expects, execution stops. This is a sandbox evasion technique -- automated analysis environments that load the DLL directly (via rundll32.exe or a generic harness) will fail this check. The loader only proceeds when it's running inside its intended host. This is why CAPE Sandbox's analysis of this sample shows limited behavioral results -- the DLL recognized it wasn't running inside Tencent QQ and refused to execute its payload.
Step 2: Dynamic API Resolution
Rather than declaring its intentions in the PE import table, the loader resolves critical APIs at runtime:
GetModuleHandleA("kernel32.dll") -> hModule
GetProcAddress(hModule, "CreateProcessA")
GetProcAddress(hModule, "GetModuleFileNameA")
Static analysis tools that rely on import table inspection will see a loader that imports almost nothing dangerous. The actual capabilities -- process creation, code injection -- are invisible until execution. This is a standard PlugX technique, but the implementation here through Delphi's runtime is notably clean.
Step 3: Locate the Payload
GetModuleFileNameA(NULL, buffer, MAX_PATH)
The loader discovers its own filesystem path, strips the extension, and appends .dat. If the DLL is loaded as C:\path\VqqSpeedDl.dll, it looks for C:\path\VqqSpeedDl.dat. The payload and the loader must live in the same directory -- another reason the three-component triad is always delivered as an archive.
Step 4: Registry Check
The loader queries HKEY_CURRENT_USER via RegOpenKeyExW and RegQueryValueExW, checking for configuration data or persistence markers. This step determines whether this is a first execution (requiring full setup) or a subsequent run (where the implant may already be installed).
Step 5: Inject and Execute
CreateProcessA(NULL, "cmd.exe", ..., CREATE_NO_WINDOW, ...)
The loader spawns cmd.exe with the CREATE_NO_WINDOW flag (0x08000000) -- a suspended, invisible command prompt. The decrypted PlugX shellcode is injected into this process. No visible window. No console flash. The implant begins executing inside a process that looks like a routine system binary.
Why cmd.exe instead of the more common explorer.exe or svchost.exe? Because cmd.exe is frequently spawned by legitimate software for scripting tasks. A parent process of Tencent QQ spawning cmd.exe is less anomalous than Tencent QQ spawning svchost.exe. The choice reflects operational awareness of how EDR heuristics evaluate process trees.
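Steps 3 and 5 together give a process-tree detection: a host process maps VqqSpeedDl.dll from a directory that also holds VqqSpeedDl.dat, then spawns cmd.exe. This Python detector is an added example (not from the report or any EDR product); the event schema, the 60-second window and the telemetry it runs on are all constructed assumptions standing in for image-load and process-create logs.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

SIDELOAD_DLL = "vqqspeeddl.dll"   # masqueraded component named in the report
CHILD_IMAGE = "cmd.exe"           # Step 5 child process
WINDOW_SECONDS = 60               # assumption: how long after the load a cmd.exe child still counts


@dataclass
class Event:
    ts: float    # seconds (constructed clock)
    kind: str    # "image_load" (DLL mapped into pid) or "process_create" (pid spawned image)
    pid: int     # host process for image_load, parent process for process_create
    image: str   # loaded DLL path, or child executable path


def companion_dat(dll_path: str) -> str:
    """Step 3 from the report: the loader looks for <same path>.dat beside itself."""
    return str(PureWindowsPath(dll_path).with_suffix(".dat")).lower()


def detect(events, files_on_disk):
    """Return one alert per host process that (a) mapped VqqSpeedDl.dll with a
    same-name .dat beside it and (b) then spawned cmd.exe within the window.
    files_on_disk is a set of lower-cased paths (a stand-in for a file inventory)."""
    load_time = {}   # pid -> timestamp of the suspicious DLL load
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        name = PureWindowsPath(ev.image).name.lower()
        if ev.kind == "image_load" and name == SIDELOAD_DLL:
            if companion_dat(ev.image) in files_on_disk:
                load_time[ev.pid] = ev.ts
        elif ev.kind == "process_create" and name == CHILD_IMAGE:
            t0 = load_time.get(ev.pid)
            if t0 is not None and 0 <= ev.ts - t0 <= WINDOW_SECONDS:
                alerts.append({"pid": ev.pid, "delay": ev.ts - t0, "child": ev.image})
    return alerts


# Constructed telemetry: pid 4120 is the sideload victim; pid 5000 is a clean
# install of the real component (no .dat); pid 6000 is unrelated cmd.exe use.
SAMPLE_EVENTS = [
    Event(100.0, "image_load", 4120, r"C:\Users\victim\Downloads\QQ\VqqSpeedDl.dll"),
    Event(101.5, "process_create", 4120, r"C:\Windows\System32\cmd.exe"),
    Event(102.0, "image_load", 5000, r"C:\Program Files\Tencent\QQ\Bin\VqqSpeedDl.dll"),
    Event(103.0, "process_create", 5000, r"C:\Windows\System32\cmd.exe"),
    Event(104.0, "process_create", 6000, r"C:\Windows\System32\cmd.exe"),
]
SAMPLE_FILES = {
    r"c:\users\victim\downloads\qq\vqqspeeddl.dll",
    r"c:\users\victim\downloads\qq\vqqspeeddl.dat",
    r"c:\program files\tencent\qq\bin\vqqspeeddl.dll",
}

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, SAMPLE_FILES):
        print("sideload chain:", alert)
```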
The C2: Three Domains, One Cloudflare Account
We cross-referenced this sample against ThreatFox's PlugX IOC database and identified three C2 domains associated with concurrent Mustang Panda operations:
| Domain | Registered | Last Updated | Status |
|---|---|---|---|
| airportcarrentalmiami[.]com | 2025-06-15 | 2026-03-02 | LIVE |
| coastallasercompany[.]com | 2025-06-24 | 2026-03-02 | LIVE |
| doorforum[.]com | 2025-02-03 | 2026-03-17 | LIVE |
All three share the same registrar (NameCheap) and the same Cloudflare nameserver pair: damien.ns.cloudflare.com / thea.ns.cloudflare.com. In Cloudflare's infrastructure, nameserver pairs are assigned per account. These three domains are managed by the same Cloudflare account.
The domain naming follows Mustang Panda's established pattern: plausible American business names. Airport car rental. Coastal laser company. Door forum. Each sounds like a legitimate small business. In a DNS log, they blend into the noise of normal commercial traffic. No threat analyst is going to flag a connection to "coastallasercompany.com" on first glance.
Certificate management tells the story of active maintenance. All three domains received fresh TLS certificates on March 2, 2026 -- coordinated renewal suggesting automated infrastructure management. More significantly, doorforum[.]com carries a wildcard certificate (*.doorforum[.]com), indicating active use of subdomains for C2 rotation. When defenders block doorforum[.]com, the operator spins up update.doorforum[.]com or cdn.doorforum[.]com and keeps operating.
Without the encrypted .dat payload, we cannot confirm which of these domains this specific sample beacons to. But the infrastructure linkage through ThreatFox, combined with the temporal overlap (certificates renewed two weeks before this DLL was compiled), makes the connection operationally significant.
March 2026: A High-Tempo Campaign
This sample does not exist in isolation. Across March 2026, MalwareBazaar received a steady stream of PlugX-related uploads that paint a picture of sustained, multi-vector operations:
| Date | Sample | Vector | Target |
|---|---|---|---|
| Mar 31 | This sample (VqqSpeedDl.dll) | Tencent QQ sideload | Unknown |
| Mar 31 | Cong_ty_Thuan_An.zip | WinRAR SFX + Donut | Vietnam |
| Mar 26 | crashhandler.dll | CrashReporter sideload | Unknown |
| Mar 24 | AAM UpdatesEqn.rar | Adobe Acrobat sideload | Government/Enterprise |
| Mar 19 | OECD energy markets.zip | Document lure | Diplomatic/Policy |
| Mar 17 | Tehran Province energy.zip | Document lure | Iran/Energy sector |
| Mar 9 | GIAY MOI.doc.lnk.msi | MSI dropper | Vietnam Government |
| Mar 7 | Smadav.zip | Antivirus sideload | Indonesia |
Four different sideloading host applications running simultaneously: Tencent QQ, CrashReporter, Adobe Acrobat Updater, and Smadav antivirus. Four different trusted executables, each loading a different malicious DLL, each targeting a different victim profile. This is not a single operator running a single campaign. This is an organized program with parallel workstreams, each using a different delivery mechanism optimized for its target audience.
The geographic spread is equally telling: Vietnam (government invitations, corruption lures), Indonesia (antivirus sideloading), the Middle East (energy policy documents), and diplomatic targets (OECD reports). This matches Mustang Panda's documented operational remit -- Southeast Asia, South Asia, and diplomatic/government entities globally.
The Mustang Panda Vietnam investigation we published today -- the six-layer Donut shellcode injector using a Vietnamese corruption scandal as bait -- shares the same C2 domain cluster. Two completely different loader architectures (Delphi DLL sideloading vs. WinRAR SFX + PowerShell + Donut), deployed the same day, connected by the same infrastructure. The tooling diversifies. The infrastructure stays constant.
Four Build Chains, One Mission
Imphash clustering across recent MalwareBazaar PlugX samples reveals four distinct build chains active simultaneously:
| Imphash | Samples | Period | Vector |
|---|---|---|---|
| 551af7f202e2768c63b16f27eadd2d27 | 1 | Mar 2026 | Tencent QQ (this sample) |
| 200837451ab93f60d17a2df6526cee42 | 4 | Aug 2025 - Jan 2026 | Various (steam_monitor, crashlog) |
| ad418910d838a6276d9c898b9c97ea86 | 1 | Mar 2026 | CrashHandler |
| 1fc5dab6d287ba68c9efde7acf57753d | 1 | Mar 2026 | RBGUIFramework |
This sample's imphash is unique -- it doesn't cluster with any other known PlugX loader. The Delphi compilation via Embarcadero RAD Studio produces a fundamentally different import table structure than the MSVC-compiled loaders that dominate the other clusters. This is either a different build system, a different operator within the Mustang Panda umbrella, or both.
The operational implication: blocking one PlugX variant by imphash catches one build chain. You need coverage across all four to address the full scope of current operations.
Attribution: Mustang Panda -- Medium-High Confidence
Mustang Panda (Earth Preta, Bronze President, TA416, RedDelta, Camaro Dragon, Stately Taurus) is a Chinese state-sponsored espionage group active since at least 2012, with PlugX as their signature tool since 2017. The attribution for this sample rests on seven converging indicators:
- PlugX is Mustang Panda's calling card. While the source code has leaked and other Chinese APT groups use it (APT10, APT41, Winnti), no other group uses Delphi-compiled PlugX loaders with Tencent QQ sideloading.
- Tencent QQ VqqSpeedDl.dll sideloading is a documented Mustang Panda TTP. The specific choice of sideloading host narrows the field.
- Delphi compilation via Embarcadero RAD Studio matches historical Mustang Panda build chains.
- The 2016 MIDL type library demonstrates tooling continuity consistent with a persistent, state-sponsored operation -- not an opportunistic actor picking up leaked source code.
- C2 domain naming pattern (American business names via NameCheap) matches prior Mustang Panda infrastructure registration practices.
- Temporal overlap with at least seven other confirmed or suspected Mustang Panda operations in March 2026.
- The _RigsterHook export typo is a persistent marker across Mustang Panda PlugX variants.
What reduces confidence: PlugX source code availability means other groups could theoretically replicate these patterns. We did not recover the encrypted payload, so direct C2 configuration extraction was not possible. The upload from Russia is atypical for Mustang Panda targeting (though it may reflect the uploader's location rather than the target's). No PDB path or developer artifacts were found in the binary.
Indicators of Compromise
File Hashes
SHA256: 216989f56970e3ea045773224e82b2afe78ed29e49df7d044d5a5992d622d881
MD5: eba8acc9e751d06d0e49093d2a8f5e93
SHA1: 014d05419630657865e5f08a5fb4ebb92351018d
Imphash: 551af7f202e2768c63b16f27eadd2d27
SSDeep: 24576:FDMUAngFozNckjKRbbf+8m3SoQPabMRmt4:bFoR3jKRTWSx6MRmm
TLSH: T170358C2BB245A53EC4AA0A35057BF331953BFB162913CE1B97F0894CDFB61502D3A25B
Network Indicators
airportcarrentalmiami[.]com
coastallasercompany[.]com
doorforum[.]com
Nameserver Pair (Cloudflare Account Linkage)
damien.ns.cloudflare.com
thea.ns.cloudflare.com
COM/Registry Indicators
CLSID: {AF6C6F71-5822-463A-8CA1-EA496D0CA2C7}
TypeLib: {25BD9BB7-33EC-4220-B725-56C470146288}
ProgID: VqqSpeedDl.VqqDownload.1
Behavioral Indicators
DLL filename: VqqSpeedDl.dll / 585276.dll
Export function: _RigsterHook@0
Export function: _UnRigsterHook@0
Spawned process: cmd.exe (CREATE_NO_WINDOW flag, 0x08000000)
Process enum: CreateToolhelp32Snapshot + Process32First/Process32Next
API resolution: GetModuleHandleA("kernel32.dll") + GetProcAddress
Payload file: VqqSpeedDl.dat (same directory as DLL)
MITRE ATT&CK
| Technique | ID | Application |
|---|---|---|
| Phishing Attachment | T1566.001 | RAR/ZIP/MSI/CHM lures with geopolitical themes |
| DLL Side-Loading | T1574.002 | VqqSpeedDl.dll loaded by Tencent QQ executable |
| User Execution | T1204.002 | Victim opens lure document or archive |
| Masquerading | T1036.005 | DLL named after legitimate Tencent QQ component |
| Dynamic API Resolution | T1027.007 | Runtime resolution via GetModuleHandleA + GetProcAddress |
| Process Injection | T1055.012 | CreateProcessA (suspended cmd.exe) + shellcode injection |
| Obfuscated Files | T1027 | Encrypted .dat payload companion file |
| Process Discovery | T1057 | CreateToolhelp32Snapshot for parent process verification |
| COM Hijacking | T1546.015 | CLSID registration as VqqSpeedDl InProcServer32 |
| Web Service | T1102 | Cloudflare-proxied C2 domains |
| Encrypted Channel | T1573 | HTTPS C2 with valid TLS certificates |
| Acquire Infrastructure | T1583.001 | NameCheap domain registration with US business naming |
External References
This sample was identified via MalwareBazaar (reporter: KodaDr, upload origin: Russia) and analyzed by Breakglass Intelligence's GHOST investigation system. The encrypted .dat payload was not recovered, limiting C2 configuration extraction. Infrastructure linkage was established through ThreatFox cross-referencing and WHOIS/DNS analysis. The companion Mustang Panda Vietnam investigation -- a six-layer Donut shellcode injector using a corruption scandal lure -- was published the same day, connecting two distinct loader architectures to the same campaign infrastructure.
Breakglass Intelligence | March 31, 2026