Find notable cyber news and cases, enriched with sources, timelines, and signals.

PlugX/SOGU.SEC in-memory deployment via STATICPLUGIN

Malware Activity
First reported
Last updated
Happening score
H score 28
1 unique sources, 2 articles

Summary

Hide ▲

UNC6384 used September-October 2025 spear-phishing to target European diplomatic and government entities in Hungary, Belgium, Italy, the Netherlands, and Serbia with malicious LNK files abusing ZDI-CAN-25373 / CVE-2025-9491. The chain launched PowerShell to unpack a TAR archive, showed a decoy PDF, and used DLL side-loading with CanonStager and a legitimate Canon printer assistant utility to load PlugX from cnmplog.dat. Arctic Wolf also reported an early-September HTA variant that fetched payloads from cloudfront[.]net. The activity extends a PlugX/SOGU.SEC malware delivery pattern tied to UNC6384 and overlaps with tooling associated with Mustang Panda.

Related Happenings

LotusLite backdoor delivered via DLL sideloading

Malware Activity
H score22 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

About this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...

Latest development: 29.06.2026 18:03

Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.

Microsoft silently patches in Windows LNK files remote code execution flaw (CVE-2025-9491)

Vulnerability
H score32 First: 12.02.2026 23:01 Last: 12.02.2026 23:01 Sources 1

How related: It's officially tracked as CVE-2025-9491 (CVSS score: 7.0)

About this happening: **Windows LNK shortcut files** remain the focus of this vulnerability thread: **CVE-2025-9491** / **ZDI-CAN-25373** is being used in **September-October 2025** spear-phishing atta...

Mustang Panda PlugX DOPLUGS deployment chain for persistent access

Malware Activity
H score26 First: 04.02.2026 16:09 Last: 04.02.2026 16:09 Sources 1

About this happening: **Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...

WinRAR path-traversal exploitation wave (CVE-2025-8088)

Exploitation Wave
H score20 First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: **CVE-2025-8088** in **WinRAR** remains an **ongoing exploitation wave**. **Trend Micro** says **Russia-aligned groups** **Earth Dahu (Gamaredon)** and **SHADOW-EARTH-066 (UAC-022...

WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)

Vulnerability
H score21 First: 27.01.2026 21:38 Last: 27.01.2026 21:38 Sources 1

About this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...

Timeline

  1. 31.10.2025 15:57 1 articles · 8mo ago

    UNC6384 targets European diplomatic and government entities with CVE-2025-9491 LNK files

    Campaign Scope Update

    Arctic Wolf said UNC6384 targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, along with government agencies in Serbia, with spear-phishing emails that delivered malicious LNK files abusing ZDI-CAN-25373/CVE-2025-9491. The chain launched PowerShell to decode and extract a TAR archive, displayed a decoy PDF, sideloaded CanonStager through a legitimate Canon printer assistant utility, and loaded the encrypted PlugX payload cnmplog.dat; an early-September HTA variant also retrieved payloads from cloudfront[.]net.

    Show sources
  2. 25.08.2025 21:11 1 articles · 10mo ago

    UNC6384 PlugX delivery chain disclosed

    Initial Disclosure

    Google Threat Intelligence Group disclosed that the China-nexus actor UNC6384 targeted diplomats in Southeast Asia and other entities globally in a March 2025 campaign that used a captive portal hijack, adversary-in-the-middle redirection, and social engineering to deliver the signed downloader STATICPLUGIN from mediareleaseupdates[.]com, retrieve an MSI package, and use CANONSTAGER with cnmpaui.dll and the Canon IJ Printer Assistant Tool to load the PlugX variant SOGU.SEC in memory behind a fake Adobe Plugin update.

    Show sources