Ethical Hacking News

China-linked UNC6384 Targets Diplomats by Hijacking Web Traffic


China-linked UNC6384 has successfully targeted diplomats around the world by hijacking web traffic and delivering malware via a legitimate-looking Adobe plugin update. This sophisticated attack highlights the continued evolution of UNC6384's operational capabilities and the sophistication of PRC-nexus threat actors.

  • The UNC6384 group, linked to China, used an advanced adversary-in-the-middle (AitM) technique to target diplomats worldwide.
  • The attackers successfully delivered malware to at least one victim via a legitimate-looking Adobe plugin update.
  • The malware installed a backdoor called PlugX on the victim's system, allowing remote access and theft of sensitive information.
  • The attackers used valid TLS certificates and API hashing evasion techniques to avoid detection by security software.
  • Google published indicators of compromise (IoCs) and YARA rules to help prevent similar attacks.



In a recent cyber espionage operation, a China-linked Advanced Persistent Threat (APT) group known as UNC6384 successfully targeted diplomats around the world by hijacking web traffic and redirecting it to a malicious website. The attack, identified by Google's Threat Intelligence Group (GTIG), uses an adversary-in-the-middle (AitM) technique to deliver malware to unsuspecting victims.

The attackers, linked to the Chinese threat actor TEMP.Hex (also known as Mustang Panda), have used this technique for several months to compromise networks and steal sensitive information. The latest attack, in March 2025, targeted diplomats in Southeast Asia and globally, and the attackers successfully delivered malware to at least one victim.

The malware, delivered via a legitimate-looking Adobe plugin update, installs a backdoor called PlugX on the victim's system. The backdoor gives the attacker remote access to the victim's computer and lets them steal sensitive information, including login credentials and encryption keys.

The attackers also used the AitM technique to compromise the web traffic of the victim's network, redirecting it to a malicious website that delivered the malware. The technique is particularly effective because it lets the attackers intercept and manipulate the victim's internet traffic without being detected.

GTIG analysts noted that the attackers used a valid TLS certificate to deliver the malware, making the attack difficult for security software to detect. The attackers also used an evasion technique called API hashing to avoid detection by traditional security tools.

The attack is one example of the continued evolution of UNC6384's operational capabilities and highlights the sophistication of PRC-nexus threat actors. The combination of AitM with valid code signing and layered social engineering demonstrates this threat actor's capabilities.

In recent months, GTIG has observed a broader trend of PRC-nexus threat actors increasingly employing stealthy tactics to avoid detection; this attack is one instance of their ongoing efforts to compromise networks and steal sensitive information.

Google published indicators of compromise (IoCs) and YARA rules for detecting the malware employed in the attacks, giving security professionals tools to help prevent similar attacks in the future.



Related Information:
  • https://www.ethicalhackingnews.com/articles/China-linked-UNC6384-Targets-Diplomats-by-Hijacking-Web-Traffic-ehn.shtml
  • https://securityaffairs.com/181584/security/china-linked-unc6384-targeted-diplomats-by-hijacking-web-traffic.html


  • Published: Thu Aug 28 14:56:56 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.