Chinese Hackers Hijack Web Traffic to Spy on Foreign Diplomats (cloud.google.com)
from Pro@programming.dev to cybersecurity@sh.itjust.works on 26 Aug 12:22
https://programming.dev/post/36349993

cross-posted from: programming.dev/post/36349920

In March 2025, Google Threat Intelligence Group (GTIG) identified a complex, multifaceted campaign attributed to the PRC-nexus threat actor UNC6384. The campaign targeted diplomats in Southeast Asia and other entities globally. GTIG assesses this was likely in support of cyber espionage operations aligned with the strategic interests of the People’s Republic of China (PRC).

The campaign hijacks target web traffic, using a captive portal redirect, to deliver a digitally signed downloader that GTIG tracks as STATICPLUGIN. This ultimately led to the in-memory deployment of the backdoor SOGU.SEC (also known as PlugX). This multi-stage attack chain leverages advanced social engineering including valid code signing certificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques to evade detection.

This blog post presents our findings and analysis of this espionage campaign, as well as the evolution of the threat actor’s operational capabilities. We examine how the malware is delivered, how the threat actor utilized social engineering and evasion techniques, and technical aspects of the multi-stage malware payloads.

In this campaign, the malware payloads were disguised as either software or plugin updates and delivered through UNC6384 infrastructure using AitM and social engineering tactics. A high-level overview of the attack chain:

  1. The target’s web browser tests if the internet connection is behind a captive portal;
  2. An AitM redirects the browser to a threat actor controlled website;
  3. The first stage malware, STATICPLUGIN, is downloaded;
  4. STATICPLUGIN then retrieves an MSI package from the same website;
  5. Finally, CANONSTAGER is DLL side-loaded and deploys the SOGU.SEC backdoor.

Figure 1: Attack chain diagram
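Steps 1 and 2 of the chain above hinge on the browser's connectivity probe being answered with a redirect. The following is an added detection example, not code from the post or from GTIG: it scans constructed proxy log lines for well-known captive-portal probe URLs that received anything other than their expected clean response, and suppresses redirects to an allowlist of known legitimate portal hosts, since hotel or guest Wi-Fi gateways redirect the same probes. The probe list is the standard OS/browser set (the post does not say which probe the campaign abused), and the log format and hostnames are constructed for the example.

```python
"""Flag captive-portal probe requests answered with a redirect, as seen in the
AitM hijack described above. Log format, hosts and times are constructed."""
import re
from urllib.parse import urlsplit

# Standard connectivity probes and the status a clean network returns.
# Which probe UNC6384 abused is not stated in the post; this list is an
# assumption for the example, not a claim about the campaign.
PROBES = {
    "http://www.msftconnecttest.com/connecttest.txt": 200,   # Windows NCSI
    "http://www.gstatic.com/generate_204": 204,              # Chrome
    "http://detectportal.firefox.com/success.txt": 200,      # Firefox
}

# Constructed log format: <time> <client> <method> <url> <status> <location or ->
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def analyze_line(line, known_portals=frozenset()):
    """Return None for normal traffic, else a dict describing the anomaly."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, location = m.groups()
    status = int(status)
    expected = PROBES.get(url)
    if expected is None or status == expected:
        return None                     # not a probe, or answered cleanly
    target = urlsplit(location).hostname if location != "-" else None
    if target in known_portals:
        return None                     # legitimate captive portal on an allowlist
    return {"time": ts, "client": client, "probe": url,
            "status": status, "redirect_host": target}


def scan(lines, known_portals=frozenset()):
    """Apply analyze_line to every log line and keep only the anomalies."""
    return [a for a in (analyze_line(l, known_portals) for l in lines) if a]


# Constructed sample: one clean probe, one redirected to an unknown host
# (placeholder domain), one redirected to an allowlisted hotel portal.
SAMPLE = """\
2025-03-04T08:01:10Z 10.0.0.12 GET http://www.gstatic.com/generate_204 204 -
2025-03-04T08:02:41Z 10.0.0.15 GET http://www.gstatic.com/generate_204 302 http://update.example-placeholder.invalid/plugin
2025-03-04T08:03:02Z 10.0.0.17 GET http://www.msftconnecttest.com/connecttest.txt 302 http://portal.hotelwifi.example/login
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE, known_portals={"portal.hotelwifi.example"}):
        print("possible probe hijack:", hit)
```

A redirect of these probes on a network where no captive portal is expected (a corporate LAN, a VPN) is the stronger signal; on guest networks, pair the hit with what the redirect target went on to serve.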

#cybersecurity
