Ethical Hacking News
A China-nexus threat actor known as UNC6384 has been attributed to a set of attacks targeting diplomats in Southeast Asia and other entities across the globe to advance Beijing's strategic interests. The campaign leverages advanced social engineering including valid code signing certificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques to evade detection.
UNC6384 is a China-nexus threat actor known for its cunning tactics, and it has been instrumental in deploying the PlugX malware via captive portal hijacks and valid certificates. The campaign compromises diplomats in Southeast Asia and other entities across the globe to advance Beijing's strategic interests, and it shares tactical and tooling overlaps with known Chinese hacking groups.
The UNC6384 attack chain begins with advanced social engineering, including valid code signing certificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques. The threat actor uses these tactics to evade detection and to deceive targets into believing that a software update is needed. The lure prompts the download of an executable named "AdobePlugins.exe" (aka STATICPLUGIN), signed by Chengdu Nuoxin Times Technology Co., Ltd with a valid certificate issued by GlobalSign; this executable triggers the SOGU.SEC payload in the background using a DLL referred to as CANONSTAGER ("cnmpaui.dll").
STATICPLUGIN is delivered through a captive portal redirect that hijacks the target's web traffic. The downloader then paves the way for the in-memory deployment of a PlugX (aka Korplug or SOGU) variant called SOGU.SEC. This backdoor supports commands to exfiltrate files, log keystrokes, launch a remote command shell, and upload or download files, and it can extend its functionality with additional plugins.
PlugX has existed since at least 2008 and is widely used by Chinese hacking groups; ShadowPad is believed to be its successor. The UNC6384 attack chain is fairly straightforward in that adversary-in-the-middle (AitM) and social engineering tactics are used to deliver the PlugX malware.
The threat actor exploits compromised edge devices on the target networks, although the attack vector used to pull this off remains unknown at this stage. "This campaign is a clear example of the continued evolution of UNC6384's operational capabilities and highlights the sophistication of PRC-nexus threat actors," said Patrick Whitsell, a Google Threat Intelligence Group researcher.
The use of advanced techniques such as AitM, combined with valid code signing and layered social engineering, demonstrates this threat actor's capabilities.
The threat actor obtains valid certificates through unknown means; over two dozen malware samples signed by Chengdu Nuoxin Times Technology Co., Ltd have been used by China-nexus activity clusters since at least January 2023.
The attack chain proceeds in five steps. First, the target's web browser checks whether the internet connection is behind a captive portal. Second, an AitM redirects the browser to a threat actor-controlled website. Third, STATICPLUGIN is downloaded from "mediareleaseupdates[.]com". Fourth, STATICPLUGIN retrieves an MSI package from the same website. Fifth, CANONSTAGER is DLL side-loaded and deploys the SOGU.SEC backdoor in memory. The captive portal hijack thus delivers malware masquerading as an Adobe Plugin update to targeted entities.
While "gstatic[.]com" is a legitimate Google domain used to store JavaScript code, images, and style sheets to improve performance, Google said the threat actors are likely carrying out an AitM attack to imitate redirection chains from the captive portal page to the threat actor's landing web page. The end result is the download of "AdobePlugins.exe" (STATICPLUGIN), which triggers the SOGU.SEC payload in the background via CANONSTAGER ("cnmpaui.dll").
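As an added defensive example that is not part of the original article or of Google's reporting: a small Python detector that scans proxy log lines for the pattern described above, a browser connectivity probe answered with a redirect to an unexpected host, followed by an executable or MSI download from that same host. The log format, the sample log lines and the list of probe hosts (including connectivitycheck.gstatic.com/generate_204) are assumptions constructed for the example.

```python
# Scans constructed proxy log lines for a hijacked connectivity probe (30x redirect
# to an unexpected host) followed by a payload download from that host. Assumed log
# format: <timestamp> <client_ip> <method> <url> <status> <redirect_location_or_->
import re
from urllib.parse import urlparse

# Probe hosts that browsers/OSes use to test for captive portals (assumed list).
PROBE_HOSTS = {"connectivitycheck.gstatic.com", "www.gstatic.com", "www.msftconnecttest.com"}
PAYLOAD_EXT = (".exe", ".msi", ".dll")
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\S+)$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, _method, url, status, loc = m.groups()
    return {"client": client, "url": url, "status": int(status),
            "location": None if loc == "-" else loc}

def detect_hijack(lines):
    """Return (client, probe_url, redirect_host, payload_url) tuples."""
    suspects = {}   # client -> {redirect_host: probe_url that was hijacked}
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlparse(rec["url"]).hostname or ""
        # A probe answered with a redirect off the probe host is a hijacked probe;
        # a genuine hotel or airport captive portal looks the same at this step.
        if host in PROBE_HOSTS and 300 <= rec["status"] < 400 and rec["location"]:
            rhost = urlparse(rec["location"]).hostname or ""
            if rhost and rhost not in PROBE_HOSTS:
                suspects.setdefault(rec["client"], {})[rhost] = rec["url"]
            continue
        # What separates a hijack from a login page: an executable or MSI fetched
        # from the very host the probe was redirected to.
        hijacked = suspects.get(rec["client"], {})
        if host in hijacked and urlparse(rec["url"]).path.lower().endswith(PAYLOAD_EXT):
            findings.append((rec["client"], hijacked[host], host, rec["url"]))
    return findings

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2025-08-25T09:00:01Z 10.0.0.5 GET http://connectivitycheck.gstatic.com/generate_204 302 http://mediareleaseupdates.com/landing",
    "2025-08-25T09:00:02Z 10.0.0.5 GET http://mediareleaseupdates.com/landing 200 -",
    "2025-08-25T09:00:09Z 10.0.0.5 GET http://mediareleaseupdates.com/AdobePlugins.exe 200 -",
    "2025-08-25T09:00:15Z 10.0.0.7 GET http://connectivitycheck.gstatic.com/generate_204 204 -",
    "2025-08-25T09:00:20Z 10.0.0.7 GET http://example.com/update.exe 200 -",
]
```

Only the first client is reported: its probe was redirected and it then fetched an executable from the redirect host, whereas the second client received the expected 204 and its later download came from an unrelated host.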
The campaign is assessed to share tactical and tooling overlaps with a known Chinese hacking group called Mustang Panda, which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon.
Related Information:
https://www.ethicalhackingnews.com/articles/Uncovers-the-Sinister-Plot-UNC6384s-Captive-Portal-Hijacks-Target-Diplomats-with-PlugX-Malware-ehn.shtml
https://thehackernews.com/2025/08/unc6384-deploys-plugx-via-captive.html
Published: Mon Aug 25 15:19:25 2025 by llama3.2 3B Q4_K_M