Palo Alto Networks’ Unit 42 found that multiple cyber-espionage campaigns that remained unattributed over the years have now been linked to a single threat actor that researchers named PKPLUG. The adversary has been active for at least six years and relies on an assortment of custom-made and publicly available malware. The name comes from the actor using PlugX inside ZIP archives, which are identifiable by the ASCII magic bytes “PK” in the header. Some of the tools used were observed in campaigns from other attack groups.
Source: https://www.bleepingcomputer.com/news/security/cyber-spy-group-active-since-2013-now-tied-to-chinese-state-actor/

