UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats
Summary
A China-nexus threat actor, UNC6384, has been targeting diplomats in Southeast Asia and other entities globally. The campaign, detected in March 2025, uses a multi-stage attack chain involving advanced social engineering, valid code signing certificates, adversary-in-the-middle (AitM) attacks, and indirect execution techniques to deploy the PlugX (SOGU) backdoor. The attacks leverage captive portal redirects and valid TLS certificates to evade detection and deceive targets into downloading malware disguised as software updates. The threat actor shares tactical and tooling overlaps with Mustang Panda, a known Chinese hacking group. The campaign highlights the sophistication of PRC-nexus threat actors and their evolving operational capabilities. The campaign targeted around two dozen victims, primarily Southeast Asian diplomats, between March and July 2025. The attack chain involves intercepting captive portal checks via compromised edge devices and uses a valid TLS certificate issued by Let's Encrypt to avoid browser security warnings. The STATICPLUGIN downloader is signed by Chengdu Nuoxin Times Technology Co. Ltd., which has signed at least 25 known malware samples since January 2023. The CANONSTAGER launcher uses unconventional techniques such as API hashing, TLS array usage, and executing code with window procedures and message queues to hide its activities.
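The summary above describes the delivery step in terms a network defender can check for: a host's captive-portal probe is answered by something other than the expected endpoint and ends on a page that pushes an executable "update". The following is an added example, not code from the original report or from the vendors cited: a small triage function that classifies recorded probe exchanges (the probe response plus any redirects) as clean, an ordinary login portal, or suspicious. The probe endpoints and expected bodies are the documented OS defaults and are assumed here rather than taken from the report; all sample exchanges are constructed and use the reserved `.test` TLD. It deliberately does not consult TLS certificate validity, since the report notes the landing page carried a valid Let's Encrypt certificate.

```python
"""Triage of OS connectivity-check (captive portal probe) exchanges.

Added example, not code from the original report.  Hosts test for a captive
portal by fetching a fixed probe URL; on an open network the answer is a known
body, behind a hotel portal it is a redirect to a login page, and in the hijack
described above it is a redirect to a page pushing an executable "update".
Sample exchanges below are constructed (hosts use the reserved .test TLD).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Well-known probe endpoints and the answer each OS expects on an open network.
# These are the documented OS defaults (an assumption here), not report values.
EXPECTED_PROBES: Dict[str, Tuple[int, str]] = {
    "www.msftconnecttest.com": (200, "Microsoft Connect Test"),
    "connectivitycheck.gstatic.com": (204, ""),
    "captive.apple.com": (200, "Success"),
}

# Signals that the page a probe was redirected to is pushing a binary.
BINARY_CONTENT_TYPES = ("application/octet-stream", "application/x-msdownload",
                        "application/x-msi", "application/zip")
EXECUTABLE_LINK = re.compile(
    r"""href\s*=\s*["']([^"']+\.(?:exe|msi|dll|zip|scr|bat|ps1))["']""", re.I)
UPDATE_LURE = re.compile(
    r"\b(plugin|update|install)\b.{0,80}\b(download|click)\b", re.I | re.S)


@dataclass
class HttpResponse:
    url: str                              # URL this response was served for
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        """Case-insensitive header lookup; empty string when absent."""
        return next((v for k, v in self.headers.items()
                     if k.lower() == name.lower()), "")


def classify_probe(chain: List[HttpResponse]) -> Tuple[str, str]:
    """Classify one probe exchange (probe response plus redirect responses).
    Returns (verdict, reason), verdict in {"clean", "captive_portal", "suspicious"}.
    TLS certificate validity is deliberately not a signal: the campaign's
    landing page had a valid Let's Encrypt certificate and would have passed."""
    first, final = chain[0], chain[-1]
    expected = EXPECTED_PROBES.get(urlsplit(first.url).hostname or "")

    # 1. Probe answered exactly as the OS expects: nothing on the path rewrote it.
    if (expected and len(chain) == 1 and first.status == expected[0]
            and expected[1] in first.body):
        return "clean", "probe answered with the expected status and body"

    # 2. Something answered in place of the probe endpoint.  Decide whether the
    #    page it leads to looks like a login portal or like a malware lure.
    ctype = final.header("Content-Type").lower()
    if (any(ctype.startswith(t) for t in BINARY_CONTENT_TYPES)
            or "attachment" in final.header("Content-Disposition").lower()):
        return "suspicious", f"probe led to a direct binary download at {final.url}"

    link = EXECUTABLE_LINK.search(final.body)
    if link:
        return "suspicious", f"landing page links to executable {link.group(1)}"

    if UPDATE_LURE.search(final.body):
        return "suspicious", "landing page uses a software-update lure"

    host = urlsplit(final.url).hostname
    return "captive_portal", f"probe not answered as expected; page at {host} shows no lure markers"


# Constructed sample exchanges.
CLEAN = [HttpResponse("http://www.msftconnecttest.com/connecttest.txt", 200,
                      {"Content-Type": "text/plain"}, "Microsoft Connect Test")]
HOTEL_PORTAL = [
    HttpResponse("http://www.msftconnecttest.com/connecttest.txt", 302,
                 {"Location": "https://wifi.hotel.test/login"}),
    HttpResponse("https://wifi.hotel.test/login", 200, {"Content-Type": "text/html"},
                 "<html><form action='/auth'>Room number: <input name='room'>"
                 "<button>Connect</button></form></html>"),
]
UPDATE_LURE_CHAIN = [
    HttpResponse("http://connectivitycheck.gstatic.com/generate_204", 302,
                 {"Location": "https://update.lure.test/plugin"}),
    HttpResponse("https://update.lure.test/plugin", 200, {"Content-Type": "text/html"},
                 "<html><h1>Plugin update required</h1><p>Your plugin is out of date."
                 " Click to download.</p><a href='/plugin-update.exe'>Download</a></html>"),
]
DIRECT_BINARY = [HttpResponse("http://captive.apple.com/hotspot-detect.html", 200,
                              {"Content-Type": "application/x-msdownload",
                               "Content-Disposition": "attachment; filename=update.exe"},
                              "MZ...")]
SAMPLES = {"clean": CLEAN, "hotel_portal": HOTEL_PORTAL,
           "update_lure": UPDATE_LURE_CHAIN, "direct_binary": DIRECT_BINARY}


def run_samples() -> Dict[str, str]:
    """Verdict for each constructed exchange."""
    return {name: classify_probe(chain)[0] for name, chain in SAMPLES.items()}


if __name__ == "__main__":
    for name, chain in SAMPLES.items():
        verdict, reason = classify_probe(chain)
        print(f"{name:14} {verdict:15} {reason}")
```

In practice the `chain` lists would be built from proxy or network-sensor logs of the probe requests hosts make when they join a network; the value of the check is that it keys on what the probe was answered with, not on whether the answering site's certificate is valid.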
Timeline
- 25.08.2025 21:11 (2 articles): UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates
Sources:
- UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats (thehackernews.com, 25.08.2025 21:11)
- China Hijacks Captive Portals to Spy on Asian Diplomats (www.darkreading.com, 27.08.2025 22:31)
Information Snippets
All snippets first reported 25.08.2025 21:11 (2 sources, 2 articles; see the Timeline sources above).
- UNC6384 targets diplomats and other entities in Southeast Asia and globally.
- The campaign uses a multi-stage attack chain involving social engineering, AitM attacks, and indirect execution techniques.
- The attack chain includes a captive portal redirect to hijack web traffic and deliver a digitally signed downloader called STATICPLUGIN.
- STATICPLUGIN deploys the SOGU.SEC variant of the PlugX backdoor in memory.
- PlugX supports commands to exfiltrate files, log keystrokes, launch remote shells, and upload/download files.
- The malware is often launched via DLL side-loading and spread through USB drives, phishing emails, or compromised software downloads.
- The campaign uses a captive portal hijack to deliver malware disguised as an Adobe Plugin update.
- The landing web page resembles a legitimate software update site and uses a valid TLS certificate issued by Let's Encrypt.
- The STATICPLUGIN downloader is signed by Chengdu Nuoxin Times Technology Co., Ltd with a valid certificate issued by GlobalSign.
- UNC6384 shares tactical and tooling overlaps with Mustang Panda, a known Chinese hacking group.
Similar Happenings
APT41 Targets U.S. Trade Officials in Cyber Espionage Campaign
The House Select Committee on China has issued a warning about ongoing cyber espionage campaigns by China-linked APT41 targeting U.S. trade officials and related organizations. The attacks involve phishing emails impersonating U.S. officials to steal sensitive information. The campaign coincides with contentious U.S.-China trade negotiations. The threat actors exploit software and cloud services to cover their tracks. The attacks aim to steal valuable data and gain unauthorized access to systems. The committee has noted similar tactics used in previous campaigns, including a January 2025 spear-phishing attempt targeting committee staffers. The FBI is investigating the ongoing cyber espionage campaign. APT41 has been known to conduct financially motivated activities in addition to state-sponsored espionage. The group has targeted various sectors, including logistics, utilities, healthcare, high-tech, and telecommunications. The committee recommends user awareness phishing training, mandatory multifactor authentication, FIDO keys, and appropriate email gateway and endpoint security tools to mitigate such attacks.
Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns
Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.
Kazakhstan's KazMunayGas Phishing Test Mistaken for Noisy Bear Campaign
Kazakhstan's state-owned oil and gas company KazMunayGas conducted a phishing test in May 2025, which was initially misinterpreted as a cyber espionage campaign by a new threat group named Noisy Bear. The test involved phishing emails targeting KazMunayGas employees with fake documents related to internal communications and policy updates. The phishing emails were sent from a compromised internal email address and included a ZIP attachment with a Windows shortcut (LNK) downloader, a decoy document, and a README.txt file with instructions. The campaign was designed to mimic official internal communications and included themes such as policy updates, internal certification procedures, and salary adjustments. The phishing test was conducted to train employees on identifying and responding to phishing attempts. However, it was mistakenly reported as a cyber espionage campaign by Seqrite Labs, which attributed the activity to a new threat group tracked as Noisy Bear. The threat actor was believed to be of Russian origin and had been active since at least April 2025. The misinterpretation led to speculation about the involvement of a new threat group and the use of sophisticated malware, including a PowerShell loader dubbed DOWNSHELL and a DLL-based implant. The threat actor used a compromised email address belonging to a KazMunayGas finance department employee to send phishing emails. The phishing emails impersonated mundane company business, including reviewing work schedules, incentive systems, and wages. The phishing emails contained a ZIP file with a decoy document and a shortcut (LNK) file named "Salary Schedule.lnk." The LNK file downloaded a batch script, which retrieved the attackers' PowerShell loader named DownShell. DownShell consists of two scripts: one for anti-analysis by undermining the Windows Antimalware Scan Interface (AMSI), and another for CreateRemoteThread Injection to establish a reverse shell. 
Noisy Bear used a sanctioned Russian bulletproof hosting provider, Aeza Group, to maintain its infrastructure. The threat activity carries geopolitical implications, targeting Kazakhstan's largest oil and gas company, which is state-owned and a significant economic entity. Seqrite Labs found infrastructure and tooling overlaps across other Central Asian attacks, indicating a broader campaign. The incident highlights the importance of clear communication and coordination between cybersecurity researchers and organizations to avoid misinterpretations and ensure accurate reporting of cyber threats.
WhatsApp Zero-Day Exploited in Targeted Spyware Campaign
A zero-day vulnerability in WhatsApp (CVE-2025-55177) was exploited in targeted attacks against fewer than 200 users. The flaw allowed unauthorized users to process content from arbitrary URLs on targeted devices. The attacks were sophisticated and involved chaining with a separate Apple vulnerability (CVE-2025-43300) affecting iOS, iPadOS, and macOS. The vulnerability was patched in WhatsApp's messaging apps for Apple iOS and macOS. The exploit could have allowed attackers to trigger the processing of content from arbitrary URLs on a target's device, potentially leading to spyware deployment. The attacks were part of a targeted spyware campaign, with WhatsApp sending in-app threat notifications to affected users. Apple has also sent multiple threat notifications since 2021, alerting users in over 150 countries about these sophisticated attacks. Apple has introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities. The spyware market has seen an increase in U.S. investors and new entities in various countries.
TamperedChef Malware Campaign Targets Users via Malvertising
A cybercrime campaign has been identified, using malvertising to deliver a new information stealer called TamperedChef. The malware is disguised as a free PDF editor, AppSuite PDF Editor, and is distributed through fraudulent websites promoted via Google ads. Once installed, TamperedChef steals sensitive data, including credentials and web cookies. The campaign began on June 26, 2025, with malicious capabilities activated on August 21, 2025. The malware operates as a backdoor, supporting various features for data exfiltration and system manipulation. The campaign leverages multiple bogus sites and Google advertising campaigns to distribute the trojanized PDF editor. The malware sets up persistence on the host system and communicates with a command-and-control (C2) server to execute various malicious actions. The campaign's timeline suggests a strategic approach to maximize downloads before activating malicious features. The campaign is part of a larger operation involving multiple apps that can download each other, some of them tricking users into enrolling their system into residential proxies. More than 50 domains have been identified to host deceiving apps signed with fraudulent certificates issued by at least four different companies. The threat actor used at least 5 different Google campaign IDs, suggesting a widespread campaign.