China-linked hackers target Southeast Asian diplomats

A China-linked threat actor known as UNC6384 has launched a series of cyberattacks targeting diplomats in Southeast Asia and other global entities, according to researchers at Google's Threat Intelligence Group (GTIG).

The attack chain employs social engineering, adversary-in-the-middle (AitM) redirection, and indirect execution techniques to avoid detection. The operation also uses valid code signing certificates, allowing the malware to masquerade as legitimate software.

UNC6384 shares significant tactical overlaps with Mustang Panda, a known Chinese hacking group also tracked as RedDelta, Camaro Dragon, and TEMP.Hex. The attackers hijack web traffic by manipulating captive portal behavior, a mechanism commonly used to redirect users to Wi-Fi login pages. This redirection ultimately delivers a malware downloader known as Staticplugin, disguised as an Adobe plugin update.

The downloaded executable (AdobePlugins.exe) triggers an infection process. It retrieves a second-stage payload via an MSI package, which then side-loads a DLL (dubbed Canonstager) using a legitimate Canon printer tool. This results in the in-memory deployment of a variant of PlugX malware, named SOGU.SEC, which is capable of stealing files, logging keystrokes, and executing remote commands.

PlugX, a malware tool active since at least 2008 and widely attributed to Chinese espionage operations, continues to evolve. Experts suggest ShadowPad may be its successor, signaling an ongoing shift in the arsenal of China-aligned cyber actors.

Staticplugin is signed with a valid digital certificate from Chengdu Nuoxin Times Technology Co., Ltd. The signature has been observed in more than two dozen malware samples since early 2023. How the threat actor obtained the certificates remains unclear.

GTIG researchers believe the AitM redirection likely occurs via compromised edge devices within target networks. The spoofed update pages use HTTPS with certificates from Let’s Encrypt.
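As an added illustration (not code from the article or from GTIG), two of the indicators described above can be turned into simple detection logic: a process image signed by the watch-listed certificate holder named in the article, and a signed vendor executable in a user-writable directory loading an unsigned DLL from beside itself (the side-loading pattern). The event fields, the Canon tool file name and the DLL name are constructed placeholders.

```python
import ntpath
import re

# Signer the article names on Staticplugin samples (page-sourced value).
WATCHLIST_SIGNERS = {"chengdu nuoxin times technology co., ltd."}

# Directories a standard user can write to; a signed vendor binary running from
# here with an unsigned DLL beside it matches the side-loading pattern above.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)

# Constructed sample events, loosely modelled on Sysmon process-create and
# image-load records. File names other than AdobePlugins.exe are placeholders.
EVENTS = [
    {"kind": "process", "image": r"C:\Users\u\Downloads\AdobePlugins.exe",
     "signer": "Chengdu Nuoxin Times Technology Co., Ltd."},
    {"kind": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "signer": "Microsoft Windows"},
    {"kind": "image_load", "image": r"C:\Users\u\AppData\Local\Temp\canon_tool.exe",
     "image_signer": "Canon Inc.",
     "loaded": r"C:\Users\u\AppData\Local\Temp\helper.dll", "loaded_signer": None},
    {"kind": "image_load", "image": r"C:\Windows\System32\svchost.exe",
     "image_signer": "Microsoft Windows",
     "loaded": r"C:\Windows\System32\rpcss.dll", "loaded_signer": "Microsoft Windows"},
]

def watchlisted_signer(event):
    """Process started from a binary signed by a watch-listed certificate holder."""
    signer = (event.get("signer") or "").strip().lower()
    return event["kind"] == "process" and signer in WATCHLIST_SIGNERS

def suspicious_sideload(event):
    """Signed executable in a user-writable directory loading an unsigned DLL
    from its own directory."""
    if event["kind"] != "image_load" or event.get("loaded_signer"):
        return False
    exe_dir = ntpath.dirname(event["image"]).lower()   # ntpath: Windows paths on any host
    dll_dir = ntpath.dirname(event["loaded"]).lower()
    return (bool(event.get("image_signer")) and exe_dir == dll_dir
            and USER_WRITABLE.match(exe_dir) is not None)

def detect(events):
    """Return (rule, path) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        if watchlisted_signer(ev):
            hits.append(("watchlisted_signer", ev["image"]))
        if suspicious_sideload(ev):
            hits.append(("unsigned_dll_sideload", ev["loaded"]))
    return hits

if __name__ == "__main__":
    for rule, path in detect(EVENTS):
        print(f"{rule}: {path}")
```

Both rules are heuristics: the signer rule needs the signer string captured by the endpoint sensor, and the side-load rule will also fire on legitimate unsigned plugins, so treat hits as triage leads rather than verdicts.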