Find notable cyber news and cases, enriched with sources, timelines, and signals.

UNC6384 captive-portal PlugX delivery campaign targeting diplomats

Campaign
First reported
Last updated
Happening score
H score 27
1 unique sources, 1 articles

Summary

Hide ▲

The UNC6384 campaign used a captive portal redirect and valid code signing to deliver STATICPLUGIN, extending a March 2025 operation against diplomats in Southeast Asia and other entities globally. The attackers used adversary-in-the-middle (AitM) redirection and social engineering to push a fake Adobe Plugin update. The loader then staged the SOGU.SEC PlugX backdoor through DLL sideloading. The operation matters because it combines trusted certificates, hijacked web traffic, and layered execution to enable covert access and evade detection.

Related Happenings

LotusLite backdoor delivered via DLL sideloading

Malware Activity
H score22 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

About this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...

Latest development: 29.06.2026 18:03

Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.

RomCom SocGholish delivery chain for Mythic Agent

Malware Activity
H score24 First: 26.11.2025 10:28 Last: 26.11.2025 10:28 Sources 1

About this happening: The **RomCom** malware family was newly observed being delivered through **SocGholish/FakeUpdates**, adding a fresh infection path that can push multiple payloads and increase pos...

RomCom campaign expands across multiple victims

Campaign
H score34 First: 26.11.2025 10:28 Last: 26.11.2025 10:28 Sources 1

About this happening: The **RomCom** operation used **SocGholish/FakeUpdates** fake browser-update lures on **compromised websites** to deliver malware, extending a reusable initial-access chain that c...

BADAUDIO first-stage downloader activity

Malware Activity
H score43 First: 21.11.2025 12:42 Last: 21.11.2025 12:42 Sources 1

About this happening: The **BADAUDIO** malware is now documented as a **first-stage downloader** that can **decrypt and execute AES-encrypted payloads** from a hard-coded **C2 server**, increasing the...

UNC6384 European diplomatic espionage campaign

Campaign
H score32 First: 31.10.2025 14:10 Last: 31.10.2025 14:10 Sources 1

About this happening: A **UNC6384** cyber espionage campaign targeted **European diplomatic entities** in **Hungary**, **Belgium**, and other European nations, widening the group's intelligence-collect...

Timeline

  1. 25.08.2025 21:11 1 articles · 10mo ago

    Initial report: UNC6384 captive-portal PlugX delivery campaign targeting diplomats

    Initial Disclosure

    The initial phase began when browser traffic was redirected through a **captive portal hijack** to a fake update page. That redirect delivered **STATICPLUGIN**, which started the loader chain that ultimately deployed **SOGU.SEC**.

    Show sources