PlugX/SOGU.SEC in-memory deployment via STATICPLUGIN
Malware Activity
Summary
UNC6384 used September-October 2025 spear-phishing to target European diplomatic and government entities in Hungary, Belgium, Italy, the Netherlands, and Serbia with malicious LNK files abusing ZDI-CAN-25373 / CVE-2025-9491. The chain launched PowerShell to unpack a TAR archive, showed a decoy PDF, and used DLL side-loading with CanonStager and a legitimate Canon printer assistant utility to load PlugX from cnmplog.dat. Arctic Wolf also reported an early-September HTA variant that fetched payloads from cloudfront[.]net. The activity extends a PlugX/SOGU.SEC malware delivery pattern tied to UNC6384 and overlaps with tooling associated with Mustang Panda.
Related Happenings
Microsoft silently patches in Windows LNK files remote code execution flaw (CVE-2025-9491)
Vulnerability
First: 12.02.2026 23:01
Last: 12.02.2026 23:01
Sources 1
How related:
It's officially tracked as CVE-2025-9491 (CVSS score: 7.0)
About this happening:
**Windows LNK shortcut files** remain the focus of this vulnerability thread: **CVE-2025-9491** / **ZDI-CAN-25373** is being used in **September-October 2025** spear-phishing atta...
Mustang Panda PlugX DOPLUGS deployment chain for persistent access
Malware Activity
First: 04.02.2026 16:09
Last: 04.02.2026 16:09
Sources 1
About this happening:
**Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...
DCRat delivered through PowerShell and MSBuild in PHALT#BLYX
Malware Activity
First: 06.01.2026 14:13
Last: 06.01.2026 14:13
Sources 1
About this happening:
**SHADOW#REACTOR** is a **multi-stage Windows malware campaign** that uses **obfuscated VBS**, **PowerShell**, **wscript.exe**, **MSBuild.exe**, and in-memory loaders to stealthil...
UAC-0184 targets Ukrainian military and government entities via Viber-delivered malware
Campaign
First: 05.01.2026 19:56
Last: 05.01.2026 19:56
Sources 1
About this happening:
**UAC-0184** has shifted to **Viber-delivered malware** to target **Ukrainian military and government entities**, extending an active **2025** espionage operation. The initial lur...
React2Shell exploitation campaign delivering EtherRAT
Campaign
First: 09.12.2025 19:15
Last: 09.12.2025 19:15
Sources 1
About this happening:
The **React2Shell** exploitation campaign now goes beyond initial access, with attackers dropping **EtherRAT** and other post-exploit tooling to keep long-term access. The activit...
Timeline
- 31.10.2025 15:57 · 1 article · 6 months ago
UNC6384 targets European diplomatic and government entities with CVE-2025-9491 LNK files
Campaign Scope Update: Arctic Wolf said UNC6384 targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, along with government agencies in Serbia, with spear-phishing emails that delivered malicious LNK files abusing ZDI-CAN-25373/CVE-2025-9491. The chain launched PowerShell to decode and extract a TAR archive, displayed a decoy PDF, sideloaded CanonStager through a legitimate Canon printer assistant utility, and loaded the encrypted PlugX payload cnmplog.dat; an early-September HTA variant also retrieved payloads from cloudfront[.]net.
Sources:
- China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats — thehackernews.com — 31.10.2025 15:57
- 25.08.2025 21:11 · 1 article · 9 months ago
UNC6384 PlugX delivery chain disclosed
Initial Disclosure: Google Threat Intelligence Group disclosed that the China-nexus actor UNC6384 targeted diplomats in Southeast Asia and other entities globally in a March 2025 campaign that used a captive portal hijack, adversary-in-the-middle redirection, and social engineering to deliver the signed downloader STATICPLUGIN from mediareleaseupdates[.]com, retrieve an MSI package, and use CANONSTAGER with cnmpaui.dll and the Canon IJ Printer Assistant Tool to load the PlugX variant SOGU.SEC in memory behind a fake Adobe Plugin update.
Sources:
- UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats — thehackernews.com — 25.08.2025 21:11
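The summary and both timeline entries describe the same execution chain: PowerShell decoding and extracting a TAR archive, a legitimate Canon printer assistant binary side-loading cnmpaui.dll (CanonStager), and the encrypted PlugX payload cnmplog.dat being loaded from the same location. As an added defender-side example (not code from this page, Arctic Wolf, or Google Threat Intelligence Group), the Python below correlates those three stages over Sysmon-style events per host. The DLL and payload file names come from the page; the Canon executable name cnmpaui.exe, the trusted Program Files\Canon install directory, and every event record are assumptions constructed for illustration.

```python
"""Heuristic correlation of the LNK -> PowerShell -> Canon side-load -> PlugX chain.

Added example, not code from the page or any vendor report. Event dicts mimic
Sysmon fields (EventID 1 ProcessCreate, 7 ImageLoad, 11 FileCreate); all
sample events are constructed.
"""
import re
from collections import defaultdict

# Assumption: executable name of the Canon IJ Printer Assistant Tool (placeholder).
CANON_HOST_BINARIES = {"cnmpaui.exe"}
# From the page: side-loaded stager DLL and encrypted PlugX payload file.
STAGER_DLL = "cnmpaui.dll"
PAYLOAD_FILE = "cnmplog.dat"
# Assumption: where a genuine Canon install lives; anything else is user-writable.
TRUSTED_DIR_RE = re.compile(r"^c:\\program files( \(x86\))?\\canon\\", re.I)
# PowerShell decoding and/or extracting a TAR archive, as the page describes.
PS_TAR_RE = re.compile(
    r"\btar\b.*\s-x|FromBase64String.*\btar\b|\btar\b.*FromBase64String", re.I)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_powershell_tar(ev):
    """Stage 1: PowerShell unpacking a TAR archive from the LNK lure."""
    if ev["EventID"] != 1 or _base(ev["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    return "powershell_tar_unpack" if PS_TAR_RE.search(ev.get("CommandLine", "")) else None


def rule_canon_sideload(ev):
    """Stage 2: Canon host binary loading cnmpaui.dll outside its install directory."""
    if ev["EventID"] != 7 or _base(ev["Image"]) not in CANON_HOST_BINARIES:
        return None
    loaded = ev["ImageLoaded"]
    if _base(loaded) == STAGER_DLL and not TRUSTED_DIR_RE.match(loaded):
        return "canon_dll_sideload"
    return None


def rule_payload_drop(ev):
    """Stage 3: cnmplog.dat written to a non-Canon (user-writable) location."""
    if ev["EventID"] != 11 or _base(ev["TargetFilename"]) != PAYLOAD_FILE:
        return None
    return "plugx_payload_file" if not TRUSTED_DIR_RE.match(ev["TargetFilename"]) else None


RULES = (rule_powershell_tar, rule_canon_sideload, rule_payload_drop)


def evaluate(events):
    """Return {host: [(rule_name, event), ...]} for every rule that fired."""
    hits = defaultdict(list)
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits[ev["Computer"]].append((name, ev))
    return dict(hits)


def chain_alerts(events, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages of the chain were seen."""
    alerts = {}
    for host, host_hits in evaluate(events).items():
        stages = sorted({name for name, _ in host_hits})
        if len(stages) >= min_stages:
            alerts[host] = stages
    return alerts


TMP = r"C:\Users\alice\AppData\Local\Temp"
# Constructed sample events: WS01 shows the full chain, WS02 and WS03 are benign.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -c [IO.File]::WriteAllBytes('" + TMP + r"\p.tar',"
                    r"[Convert]::FromBase64String($b)); tar -xf " + TMP + r"\p.tar -C " + TMP},
    {"Computer": "WS01", "EventID": 7, "Image": TMP + r"\cnmpaui.exe", "ImageLoaded": TMP + r"\cnmpaui.dll"},
    {"Computer": "WS01", "EventID": 11, "Image": TMP + r"\cnmpaui.exe", "TargetFilename": TMP + r"\cnmplog.dat"},
    {"Computer": "WS02", "EventID": 7,
     "Image": r"C:\Program Files (x86)\Canon\IJ Printer Assistant Tool\cnmpaui.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Canon\IJ Printer Assistant Tool\cnmpaui.dll"},
    {"Computer": "WS03", "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-ChildItem C:\\Logs"},
]

if __name__ == "__main__":
    for host, stages in chain_alerts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

The side-load rule keys on the pairing the page gives (the Canon assistant binary plus cnmpaui.dll) rather than on the DLL name alone, so a genuine install under Program Files stays silent while the same pair loaded from a temp directory fires; requiring two or more distinct stages per host keeps a lone PowerShell `tar` invocation from paging anyone on its own.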