VirusTotal called it PlugX. It broke down into an RC4 layer I could crack offline, a ScatterBrain-flavoured shellcode stub, and then a wall: the real implant is sealed with machine-scoped DPAPI, so it only decrypts on the one victim it was built for. Here's everything up to that wall, why the wall is the whole point, and why I think this is closer to ShadowPad than PlugX.
grep -rl "PlugX" ./posts
#PlugX
2 matches
A single XOR'd Canon.dat turned into a campaign map: reversing the CanonStager loader, writing a memory-based config extractor, pulling the related samples, and walking nine builds out to their CloudFlare-fronted C2 origins.