PlugX/SOGU.SEC in-memory deployment via STATICPLUGIN
Malware Activity
Summary
Hide ▲
Show ▼
UNC6384 used September-October 2025 spear-phishing to target European diplomatic and government entities in Hungary, Belgium, Italy, the Netherlands, and Serbia with malicious LNK files abusing ZDI-CAN-25373 / CVE-2025-9491. The chain launched PowerShell to unpack a TAR archive, showed a decoy PDF, and used DLL side-loading with CanonStager and a legitimate Canon printer assistant utility to load PlugX from cnmplog.dat. Arctic Wolf also reported an early-September HTA variant that fetched payloads from cloudfront[.]net. The activity extends a PlugX/SOGU.SEC malware delivery pattern tied to UNC6384 and overlaps with tooling associated with Mustang Panda.
Related Happenings
LotusLite backdoor delivered via DLL sideloading
Malware Activity
H score22
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...
LotusLite backdoor delivered via DLL sideloading
Malware ActivityAbout this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...
Latest development: 29.06.2026 18:03
Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.
Microsoft silently patches in Windows LNK files remote code execution flaw (CVE-2025-9491)
Vulnerability
H score32
First: 12.02.2026 23:01
Last: 12.02.2026 23:01
Sources 1
How related:
It's officially tracked as CVE-2025-9491 (CVSS score: 7.0)
About this happening:
**Windows LNK shortcut files** remain the focus of this vulnerability thread: **CVE-2025-9491** / **ZDI-CAN-25373** is being used in **September-October 2025** spear-phishing atta...
Microsoft silently patches in Windows LNK files remote code execution flaw (CVE-2025-9491)
VulnerabilityHow related: It's officially tracked as CVE-2025-9491 (CVSS score: 7.0)
About this happening: **Windows LNK shortcut files** remain the focus of this vulnerability thread: **CVE-2025-9491** / **ZDI-CAN-25373** is being used in **September-October 2025** spear-phishing atta...
Mustang Panda PlugX DOPLUGS deployment chain for persistent access
Malware Activity
H score26
First: 04.02.2026 16:09
Last: 04.02.2026 16:09
Sources 1
About this happening:
**Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...
Mustang Panda PlugX DOPLUGS deployment chain for persistent access
Malware ActivityAbout this happening: **Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...
WinRAR path-traversal exploitation wave (CVE-2025-8088)
Exploitation Wave
H score20
First: 27.01.2026 21:38
Last: 27.01.2026 21:38
Sources 1
About this happening:
**CVE-2025-8088** in **WinRAR** remains an **ongoing exploitation wave**. **Trend Micro** says **Russia-aligned groups** **Earth Dahu (Gamaredon)** and **SHADOW-EARTH-066 (UAC-022...
WinRAR path-traversal exploitation wave (CVE-2025-8088)
Exploitation WaveAbout this happening: **CVE-2025-8088** in **WinRAR** remains an **ongoing exploitation wave**. **Trend Micro** says **Russia-aligned groups** **Earth Dahu (Gamaredon)** and **SHADOW-EARTH-066 (UAC-022...
WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)
Vulnerability
H score21
First: 27.01.2026 21:38
Last: 27.01.2026 21:38
Sources 1
About this happening:
The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...
WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)
VulnerabilityAbout this happening: The **CVE-2025-8088** **WinRAR** path traversal flaw is being **actively exploited** through **Alternate Data Streams (ADS)** to write malicious files outside the extraction direc...
Timeline
-
31.10.2025 15:57 1 articles · 8mo ago
UNC6384 targets European diplomatic and government entities with CVE-2025-9491 LNK files
Campaign Scope UpdateArctic Wolf said UNC6384 targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, along with government agencies in Serbia, with spear-phishing emails that delivered malicious LNK files abusing ZDI-CAN-25373/CVE-2025-9491. The chain launched PowerShell to decode and extract a TAR archive, displayed a decoy PDF, sideloaded CanonStager through a legitimate Canon printer assistant utility, and loaded the encrypted PlugX payload cnmplog.dat; an early-September HTA variant also retrieved payloads from cloudfront[.]net.
Show sources
- China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats — thehackernews.com — 31.10.2025 15:57
-
25.08.2025 21:11 1 articles · 10mo ago
UNC6384 PlugX delivery chain disclosed
Initial DisclosureGoogle Threat Intelligence Group disclosed that the China-nexus actor UNC6384 targeted diplomats in Southeast Asia and other entities globally in a March 2025 campaign that used a captive portal hijack, adversary-in-the-middle redirection, and social engineering to deliver the signed downloader STATICPLUGIN from mediareleaseupdates[.]com, retrieve an MSI package, and use CANONSTAGER with cnmpaui.dll and the Canon IJ Printer Assistant Tool to load the PlugX variant SOGU.SEC in memory behind a fake Adobe Plugin update.
Show sources
- UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats — thehackernews.com — 25.08.2025 21:11