UNC6384 captive-portal PlugX delivery campaign targeting diplomats
Campaign
Summary
The UNC6384 campaign used a captive portal redirect and valid code signing to deliver STATICPLUGIN, extending a March 2025 operation against diplomats in Southeast Asia and other entities globally. The attackers used adversary-in-the-middle (AitM) redirection and social engineering to push a fake Adobe Plugin update. The loader then staged the SOGU.SEC PlugX backdoor through DLL sideloading. The operation matters because it combines trusted certificates, hijacked web traffic, and layered execution to enable covert access and evade detection.
Related Happenings
RomCom SocGholish delivery chain for Mythic Agent
Malware Activity
First: 26.11.2025 10:28
Last: 26.11.2025 10:28
Sources: 1
About this happening:
The **RomCom** malware family was newly observed being delivered through **SocGholish/FakeUpdates**, adding a fresh infection path that can push multiple payloads and increase pos...
RomCom campaign expands across multiple victims
Campaign
First: 26.11.2025 10:28
Last: 26.11.2025 10:28
Sources: 1
About this happening:
The **RomCom** operation used **SocGholish/FakeUpdates** fake browser-update lures on **compromised websites** to deliver malware, extending a reusable initial-access chain that c...
BADAUDIO first-stage downloader activity
Malware Activity
First: 21.11.2025 12:42
Last: 21.11.2025 12:42
Sources: 1
About this happening:
The **BADAUDIO** malware is now documented as a **first-stage downloader** that can **decrypt and execute AES-encrypted payloads** from a hard-coded **C2 server**, increasing the...
UNC6384 European diplomatic espionage campaign
Campaign
First: 31.10.2025 14:10
Last: 31.10.2025 14:10
Sources: 1
About this happening:
A **UNC6384** cyber espionage campaign targeted **European diplomatic entities** in **Hungary**, **Belgium**, and other European nations, widening the group's intelligence-collect...
PlugX DLL sideloading campaign targeting Central and South Asian telecom and manufacturing sectors
Campaign
First: 27.09.2025 15:06
Last: 27.09.2025 15:06
Sources: 1
About this happening:
**PlugX** is being distributed in an **ongoing campaign** that is targeting **telecommunications and manufacturing sectors** across **Central and South Asian countries**, raising...
Timeline
25.08.2025 21:11 · 1 article
Initial report: UNC6384 captive-portal PlugX delivery campaign targeting diplomats
Initial Disclosure
The initial phase began when browser traffic was redirected through a **captive portal hijack** to a fake update page. That redirect delivered **STATICPLUGIN**, which started the loader chain that ultimately deployed **SOGU.SEC**.
Sources
- UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats — thehackernews.com — 25.08.2025 21:11