PlugX Meeting Invitation via MSBuild and GDATA
ID: f466714f-87b4-5573-9e42-2b7eca08b4a6
STIX ID: report--f466714f-87b4-5573-9e42-2b7eca08b4a6
Feed Name: Lab52 Blog
LAB52 analyzes a PlugX (Korplug) campaign that used a spear-phishing "Meeting Invitation" lure and a weaponized .csproj executed via MSBuild (a living-off-the-land binary) to download a legitimate G DATA AVK.exe and a malicious Avk.dll; the DLL is sideloaded by AVK.exe, decrypts an AVKTray.dat payload and injects it. The report documents the XOR/RC4 keys, the API-hashing algorithms, the C2 domains (decoraat.net / onedow.gesecole.net) and persistence via a Run registry key, and provides file and decrypted-payload IOCs and hashes to support detection and response.
