UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats
Briefly

"A China-nexus threat actor known as UNC6384 has been attributed to a set of attacks targeting diplomats in Southeast Asia and other entities across the globe to advance Beijing's strategic interests. "This multi-stage attack chain leverages advanced social engineering including valid code signing certificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques to evade detection," Google Threat Intelligence Group (GTIG) researcher Patrick Whitsell said."
"The campaign, detected by GTIG in March 2025, is characterized by use of a captive portal redirect to hijack web traffic and deliver a digitally signed downloader called STATICPLUGIN. The downloader then paves the way for the in-memory deployment of a PlugX (aka Korplug or SOGU) variant called SOGU.SEC. PlugX is a backdoor that supports commands to exfiltrate files, log keystrokes, launch a remote command shell, upload/download files, and is able to extend its functionality with additional plugins."
UNC6384 targets diplomats in Southeast Asia and other global entities to advance Beijing's strategic interests. The campaign, detected in March 2025, uses captive-portal redirects and an adversary-in-the-middle (AitM) attack to hijack browser traffic and deliver a digitally signed downloader named STATICPLUGIN from mediareleaseupdates[.]com. STATICPLUGIN then deploys, in memory, a PlugX variant called SOGU.SEC. PlugX is a long-running backdoor capable of exfiltrating files, logging keystrokes, launching a remote command shell, transferring files, and loading additional plugins. Delivery techniques seen with PlugX include DLL side-loading, USB propagation, targeted phishing with malicious attachments or links, and compromised software downloads. UNC6384 shows tactical and tooling overlaps with Mustang Panda.
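As an added, defender-side illustration (not code from the article or from GTIG): a small Python checker that runs over constructed proxy log lines and flags the two things the summary describes, a request to the named delivery domain and an executable fetched right after a plaintext HTTP request was answered with a redirect to a different host, which is assumed here to be the log-level signature of the captive-portal hijack. The log format, the executable content types and the sample lines are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines (not from the article):
# "<ts> <client> <method> <url> <status> <content-type> [location=<url>]"
SAMPLE_LOG = """\
2025-03-12T09:14:02Z 10.0.0.5 GET http://www.example.net/connect-check 302 text/html location=http://mediareleaseupdates.com/update
2025-03-12T09:14:03Z 10.0.0.5 GET http://mediareleaseupdates.com/update 200 application/x-msdownload
2025-03-12T09:15:10Z 10.0.0.9 GET https://intranet.example.org/news 200 text/html
2025-03-12T09:16:00Z 10.0.0.7 GET http://www.example.net/connect-check 200 text/plain
"""

# Watchlist from the indicator quoted in the summary (defanged there as mediareleaseupdates[.]com).
WATCHLIST = {"mediareleaseupdates.com"}
# Content types a proxy commonly reports for Windows executables (assumed; tune to your proxy).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)"
    r"(?: location=(?P<location>\S+))?$"
)


def analyse(log_text):
    """Return (client, reason, url) findings for the two patterns described in the lead-in."""
    findings = []
    pending = {}  # client -> host that a plaintext-HTTP request was redirected to
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        client, url, status, ctype = m["client"], m["url"], int(m["status"]), m["ctype"]
        host = urlparse(url).hostname or ""
        if host in WATCHLIST:
            findings.append((client, "request to known STATICPLUGIN delivery domain", url))
        # Pattern 1: plaintext HTTP answered with a redirect to another host (assumed hijack signature).
        if url.startswith("http://") and 300 <= status < 400 and m["location"]:
            target = urlparse(m["location"]).hostname or ""
            if target and target != host:
                pending[client] = target
            continue
        # Pattern 2: the same client then fetches an executable from the redirect target.
        if ctype in EXECUTABLE_TYPES and pending.get(client) == host:
            findings.append((client, "executable delivered via plaintext-HTTP redirect chain", url))
            pending.pop(client, None)
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```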
Read at The Hacker News