Tibet Trojan attacks connected to Chinese programmer

15.09.2012
Security firm AlienVault thinks it has identified a key Chinese programmer with connections to the Chinese Government who could be behind a long-running malware campaign against pro-Tibet activists, most recently using the PlugX RAT Trojan.

It is extremely rare for security companies to put a name and a face to a specific piece of malware, so the connection the firm stumbled upon while researching PlugX could attract some attention.

The company started noticing similarities in some of the debug paths embedded in the PlugX binaries.

Searching for other binaries whose debug paths contained the same user folder, the firm found the same 'whg' subfolder in a program called SockMon, distributed from a domain connected to a company, Chinansl.com Technology Ltd, that had published security vulnerabilities in the past.
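The pivot described above rests on the PDB path that Visual Studio writes into a PE file's CodeView (RSDS) debug record: the path usually includes the build user's home folder, so two unrelated-looking binaries built on the same machine share it. The script below is an added illustration of that technique, not code from AlienVault or from the article; it scans raw bytes for RSDS records, pulls out the user-folder component, and groups samples by it. The sample blobs, paths and names (rat_sample, sockmon_sample, unrelated_sample) are constructed for the example and are not the real PlugX or SockMon paths.

```python
import re
from collections import defaultdict

# CodeView record layout: 'RSDS' | 16-byte GUID | 4-byte age | NUL-terminated PDB path
RSDS = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4


def extract_pdb_paths(data: bytes) -> list:
    """Return every PDB path found in an RSDS record inside data.

    A plain signature scan is used instead of walking the PE debug
    directory so the same function also works on memory dumps or carved
    fragments where the headers are gone.
    """
    paths = []
    pos = 0
    while True:
        pos = data.find(RSDS, pos)
        if pos == -1:
            break
        start = pos + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end == -1:
            break
        try:
            path = data[start:end].decode("ascii")
        except UnicodeDecodeError:
            path = ""          # not a real record, just a stray 'RSDS'
        if path:
            paths.append(path)
        pos = end
    return paths


# Profile directories on XP-era and Vista+ Windows: the first component
# after them is the build user's account name.
USER_DIR_RE = re.compile(
    r"^[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\]+)\\", re.IGNORECASE
)


def user_folder(pdb_path: str):
    """Return the lower-cased user folder from a PDB path, or None."""
    m = USER_DIR_RE.match(pdb_path)
    return m.group(1).lower() if m else None


def group_by_user(samples: dict) -> dict:
    """Map user folder -> [(sample name, pdb path), ...] across samples."""
    groups = defaultdict(list)
    for name, blob in samples.items():
        for path in extract_pdb_paths(blob):
            user = user_folder(path)
            if user:
                groups[user].append((name, path))
    return dict(groups)


def rsds_record(path: str, guid: bytes = b"\x11" * 16, age: int = 1) -> bytes:
    """Build a synthetic RSDS record (used only to construct test input)."""
    return RSDS + guid + age.to_bytes(4, "little") + path.encode("ascii") + b"\x00"


def build_samples() -> dict:
    """Constructed sample blobs standing in for three PE files."""
    return {
        "rat_sample": b"MZ" + b"\x90" * 64
        + rsds_record(r"C:\Documents and Settings\whg\Desktop\rat\Release\rat.pdb"),
        "sockmon_sample": b"MZ" + b"\xcc" * 32
        + rsds_record(r"C:\Documents and Settings\whg\sockmon\Release\sockmon.pdb"),
        "unrelated_sample": b"MZ" + b"\x00" * 16
        + rsds_record(r"D:\build\unrelated\Release\unrelated.pdb"),
    }


if __name__ == "__main__":
    for user, hits in group_by_user(build_samples()).items():
        print(user)
        for name, path in hits:
            print(f"  {name}: {path}")
```

Only paths under a user profile are grouped; a build tree such as D:\build\... carries no account name and is left out, which is why a match on the folder alone is a lead to follow up rather than proof of authorship.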

The domain's contact information turned out to be for a Chengdu-based security company. 'Whg' turned out to work for that company, where references described him as "Virus expert. Proficient in assembly."

"At this point you can be thinking we cannot accuse whg of being related to the Xplug RAT and the targeted campaigns just for a couple of debug paths inside the binary, can we?" AlienVault said.