A China-nexus threat actor known as UNC6384 has been attributed to a set of attacks targeting diplomats in Southeast Asia and other entities across the globe to advance Beijing’s strategic interests.
“This multi-stage attack chain leverages advanced social engineering including valid code signing certificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques to evade detection,” Google Threat Intelligence Group (GTIG) researcher Patrick Whitsell said.
UNC6384 is assessed to share tactical and tooling overlaps with a known Chinese hacking group called Mustang Panda, which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon.
The campaign, detected by GTIG in March 2025, is characterized by use of a captive portal redirect to hijack web traffic and deliver a digitally signed downloader called STATICPLUGIN. The downloader then paves the way for the in-memory deployment of a PlugX (aka Korplug or SOGU) variant called SOGU.SEC.
PlugX is a backdoor that supports commands to exfiltrate files, log keystrokes, launch a remote command shell, upload/download files, and is able to extend its functionality with additional plugins. Often launched via DLL side-loading, the implant is spread through USB flash drives, targeted phishing emails containing malicious attachments or links, or compromised software downloads.
The malware has existed since at least 2008 and is widely used by Chinese hacking groups. It is believed that ShadowPad is the successor of PlugX.
The UNC6384 attack chain is fairly straightforward in that adversary-in-the-middle (AitM) and social engineering tactics are used to deliver the PlugX malware –
- The target’s web browser tests if the internet connection is behind a captive portal
- An AitM redirects the browser to a threat actor-controlled website
- STATICPLUGIN is downloaded from “mediareleaseupdates[.]com”
- STATICPLUGIN retrieves an MSI package from the same website
- CANONSTAGER is DLL side-loaded and deploys the SOGU.SEC backdoor in memory
The captive portal hijack is used to deliver malware masquerading as an Adobe Plugin update to targeted entities. On the Chrome browser, the captive portal functionality is accomplished by means of a request to a hard-coded URL (“www.gstatic[.]com/generate_204”) that redirects users to a Wi-Fi login page.
While “gstatic[.]com” is a legitimate Google domain used to store JavaScript code, images, and style sheets as a way to enhance performance, Google said the threat actors are likely carrying out an AitM attack to imitate redirection chains from the captive portal page to the threat actor’s landing web page.
It’s assessed that the AitM is facilitated by means of compromised edge devices on the target networks, although the attack vector used to pull this off remains unknown at this stage.
“After being redirected, the threat actor attempts to deceive the target into believing that a software update is needed, and to download the malware disguised as a ‘plugin update,'” GTIG said. “The landing web page resembles a legitimate software update site and uses an HTTPS connection with a valid TLS certificate issued by Let’s Encrypt.”
The end result is the download of an executable named “AdobePlugins.exe” (aka STATICPLUGIN) that, when launched, triggers the SOGU.SEC payload in the background using a DLL referred to as CANONSTAGER (“cnmpaui.dll”) that’s sideloading using the Canon IJ Printer Assistant Tool (“cnmpaui.exe”).
The STATICPLUGIN downloader is signed by Chengdu Nuoxin Times Technology Co., Ltd with a valid certificate issued by GlobalSign. Over two dozen malware samples signed by Chengdu have been put to use by China-nexus activity clusters, with the earliest artifacts dating back to at least January 2023. Exactly how these certificates are obtained by the subscriber is not clear.
“This campaign is a clear example of the continued evolution of UNC6384’s operational capabilities and highlights the sophistication of PRC-nexus threat actors,” Whitsell said. “The use of advanced techniques such as AitM combined with valid code signing and layered social engineering demonstrates this threat actor’s capabilities.”
