Google Threat Intelligence Group (GTIG) uncovered a complex, multi-stage cyber-espionage campaign attributed to the PRC-linked threat actor UNC6384. The campaign targeted diplomats in Southeast Asia and other global entities, in what GTIG assesses was “likely in support of cyber espionage operations aligned with the strategic interests of the People’s Republic of China (PRC).”
The operation began with the hijacking of captive portals, a network mechanism that redirects users to a login page before granting internet access. GTIG discovered that UNC6384 exploited this feature to deliver malware disguised as an Adobe plugin update.
The report explains: “The campaign hijacks target web traffic, using a captive portal redirect, to deliver a digitally signed downloader that GTIG tracks as STATICPLUGIN. This ultimately led to the in-memory deployment of the backdoor SOGU.SEC (also known as PlugX).”
Victims were shown a fake update page over HTTPS with a valid TLS certificate, making the site appear legitimate. Once users clicked “Install Missing Plugins,” the site triggered the download of a malicious executable named AdobePlugins.exe, signed with a certificate issued to Chengdu Nuoxin Times Technology Co., Ltd.
The malware delivery involved several layers:
- STATICPLUGIN Downloader – masqueraded as a Microsoft Visual C++ Redistributables installer, signed with a valid GlobalSign certificate, enabling it to bypass endpoint security.
- MSI Package Delivery – retrieved from attacker infrastructure, containing a Canon utility executable, a malicious DLL (CANONSTAGER), and an encrypted payload.
- CANONSTAGER DLL – side-loaded by the Canon executable to decrypt and launch the SOGU.SEC backdoor entirely in memory.
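One way a defender can hunt for the first stage of this chain in web proxy logs, as an added example (not code from the GTIG report): a client whose captive-portal connectivity probe was redirected, and which then fetched an executable or installer before the probe succeeded, is flagged. The log format, the probe path `/generate_204`, and every host and address are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines (illustrative, not from the GTIG report).
# Format: client method status url [-> redirect_location]
SAMPLE_LOG = """\
10.0.0.5 GET 302 http://probe.example/generate_204 -> https://portal.example/login
10.0.0.5 GET 200 https://portal.example/login
10.0.0.5 GET 200 https://portal.example/AdobePlugins.exe
10.0.0.5 GET 200 https://cdn.example/canon_update.msi
10.0.0.7 GET 302 http://probe.example/generate_204 -> https://cafe-wifi.example/welcome
10.0.0.7 GET 200 https://cafe-wifi.example/welcome
10.0.0.7 GET 204 http://probe.example/generate_204
10.0.0.9 GET 204 http://probe.example/generate_204
"""

# Assumed probe path: the OS expects a bare 204 here when it has real internet access.
PROBE_PATHS = {"/generate_204"}
# File types a captive portal has no legitimate reason to serve.
PAYLOAD_EXT = re.compile(r"\.(exe|msi|dll)$", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)(?: -> (\S+))?$")


def find_captive_portal_payloads(log_text):
    """Return (client, url) pairs for executables/installers fetched by a client
    while a captive portal still had it redirected (probe not yet answered 204)."""
    in_portal = {}  # client -> portal host, while the portal has not released it
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, status, url, location = m.groups()
        path = urlparse(url).path
        if path in PROBE_PATHS:
            if status.startswith("3") and location:
                in_portal[client] = urlparse(location).netloc  # probe hijacked by a portal
            elif status == "204":
                in_portal.pop(client, None)  # probe answered normally: client released
            continue
        if client in in_portal and PAYLOAD_EXT.search(path):
            alerts.append((client, url))
    return alerts


if __name__ == "__main__":
    for client, url in find_captive_portal_payloads(SAMPLE_LOG):
        print(f"ALERT {client} fetched {url} while behind a captive portal")
```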
GTIG highlighted how UNC6384’s malware evaded detection: “CANONSTAGER implements a control flow obfuscation technique using custom API hashing and Thread Local Storage (TLS)… execution is triggered indirectly using the Windows message queue.”
At the final stage, the SOGU.SEC backdoor was deployed, enabling system reconnaissance, file upload/download, and a remote command shell. The malware communicated directly with its command-and-control (C2) infrastructure using HTTPS, blending in with normal web traffic.
GTIG noted, “UNC6384 has previously used both payload encryption and callback functions to deploy SOGU.SEC. These techniques are used to hide malicious code, evade detection, obfuscate control flow, and blend in with normal system activity.”
Google attributes this campaign to UNC6384, assessed to have ties with TEMP.Hex (Mustang Panda). Both groups have been observed delivering SOGU.SEC via DLL side-loading, using overlapping infrastructure, and primarily targeting government sectors in Southeast Asia.
As GTIG explains, “This campaign is a clear example of the continued evolution of UNC6384’s operational capabilities and highlights the sophistication of PRC-nexus threat actors.”