UNC6384 captive-portal PlugX delivery campaign targeting diplomats
Campaign
Summary
Hide ▲
Show ▼
The UNC6384 campaign used a captive portal redirect and valid code signing to deliver STATICPLUGIN, extending a March 2025 operation against diplomats in Southeast Asia and other entities globally. The attackers used adversary-in-the-middle (AitM) redirection and social engineering to push a fake Adobe Plugin update. The loader then staged the SOGU.SEC PlugX backdoor through DLL sideloading. The operation matters because it combines trusted certificates, hijacked web traffic, and layered execution to enable covert access and evade detection.
Related Happenings
LotusLite backdoor delivered via DLL sideloading
Malware Activity
H score22
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...
LotusLite backdoor delivered via DLL sideloading
Malware ActivityAbout this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...
Latest development: 29.06.2026 18:03
Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.
RomCom SocGholish delivery chain for Mythic Agent
Malware Activity
H score24
First: 26.11.2025 10:28
Last: 26.11.2025 10:28
Sources 1
About this happening:
The **RomCom** malware family was newly observed being delivered through **SocGholish/FakeUpdates**, adding a fresh infection path that can push multiple payloads and increase pos...
RomCom SocGholish delivery chain for Mythic Agent
Malware ActivityAbout this happening: The **RomCom** malware family was newly observed being delivered through **SocGholish/FakeUpdates**, adding a fresh infection path that can push multiple payloads and increase pos...
RomCom campaign expands across multiple victims
Campaign
H score34
First: 26.11.2025 10:28
Last: 26.11.2025 10:28
Sources 1
About this happening:
The **RomCom** operation used **SocGholish/FakeUpdates** fake browser-update lures on **compromised websites** to deliver malware, extending a reusable initial-access chain that c...
RomCom campaign expands across multiple victims
CampaignAbout this happening: The **RomCom** operation used **SocGholish/FakeUpdates** fake browser-update lures on **compromised websites** to deliver malware, extending a reusable initial-access chain that c...
BADAUDIO first-stage downloader activity
Malware Activity
H score43
First: 21.11.2025 12:42
Last: 21.11.2025 12:42
Sources 1
About this happening:
The **BADAUDIO** malware is now documented as a **first-stage downloader** that can **decrypt and execute AES-encrypted payloads** from a hard-coded **C2 server**, increasing the...
BADAUDIO first-stage downloader activity
Malware ActivityAbout this happening: The **BADAUDIO** malware is now documented as a **first-stage downloader** that can **decrypt and execute AES-encrypted payloads** from a hard-coded **C2 server**, increasing the...
UNC6384 European diplomatic espionage campaign
Campaign
H score32
First: 31.10.2025 14:10
Last: 31.10.2025 14:10
Sources 1
About this happening:
A **UNC6384** cyber espionage campaign targeted **European diplomatic entities** in **Hungary**, **Belgium**, and other European nations, widening the group's intelligence-collect...
UNC6384 European diplomatic espionage campaign
CampaignAbout this happening: A **UNC6384** cyber espionage campaign targeted **European diplomatic entities** in **Hungary**, **Belgium**, and other European nations, widening the group's intelligence-collect...
Timeline
-
25.08.2025 21:11 1 articles · 10mo ago
Initial report: UNC6384 captive-portal PlugX delivery campaign targeting diplomats
Initial DisclosureThe initial phase began when browser traffic was redirected through a **captive portal hijack** to a fake update page. That redirect delivered **STATICPLUGIN**, which started the loader chain that ultimately deployed **SOGU.SEC**.
Show sources
- UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats — thehackernews.com — 25.08.2025 21:11