
UNC6384 Targets Diplomats with PlugX via Captive Portal Hijacks

2 unique sources, 4 articles

Summary


UNC6384, a China-nexus threat actor, has been targeting diplomats in Southeast Asia and other entities globally in support of Beijing's strategic interests. The group uses a multi-stage attack chain that combines social engineering, valid code signing certificates, adversary-in-the-middle (AitM) positioning and indirect execution techniques to evade detection. The campaign, detected in March 2025, hijacks captive portal connectivity checks to deliver a PlugX variant tracked as SOGU.SEC: web traffic is redirected through the captive portal to an actor-controlled website, the victim downloads a digitally signed downloader (STATICPLUGIN), and the SOGU.SEC backdoor is deployed in memory. The backdoor supports commands to exfiltrate files, log keystrokes and launch remote command shells. The campaign illustrates the sophistication and evolving operational capabilities of PRC-nexus actors. In a later development, a campaign against U.S. government and policy entities has been attributed with moderate confidence to Mustang Panda. It uses Venezuela-themed spear phishing to deliver the LOTUSLITE backdoor, a bespoke C++ implant that communicates with a hard-coded command-and-control (C2) server over the Windows WinHTTP API. LOTUSLITE supports a remote CMD shell, file enumeration, file creation, data exfiltration and beacon status checks, and persists through Windows Registry modifications.

Timeline

  1. 16.01.2026 12:27 · 1 article

    Mustang Panda Targets U.S. Entities with LOTUSLITE Backdoor

    A new campaign targets U.S. government and policy entities using Venezuela-themed spear phishing to deliver the LOTUSLITE backdoor. The LOTUSLITE backdoor is a bespoke C++ implant that communicates with a hard-coded command-and-control (C2) server using Windows WinHTTP APIs. The backdoor supports commands for remote CMD shell, file enumeration, file creation, data exfiltration, and beacon status checks, and establishes persistence by making Windows Registry modifications.

  2. 27.09.2025 15:06 · 2 articles

    PlugX Variant Linked to Mustang Panda and Bookworm Malware

    The new PlugX variant overlaps with RainyDay and Turian backdoors in its use of legitimate applications for DLL side-loading, encryption/decryption algorithms, and RC4 keys. The PlugX variant uses a configuration structure similar to RainyDay, associated with Lotus Panda (Naikon APT). The campaign targets telecommunications and manufacturing sectors in Central and South Asia. The attack chains involve abusing a legitimate executable associated with Mobile Popup Application to sideload a malicious DLL for payload execution. The PlugX variant includes an embedded keylogger plugin. The campaign is linked to Mustang Panda, which also uses Bookworm malware. Bookworm malware has been used since 2015 and includes capabilities to execute commands, upload/download files, exfiltrate data, and establish persistent access. Bookworm utilizes legitimate-looking domains or compromised infrastructure for C2 purposes. Bookworm variants share overlaps with TONESHELL, another backdoor associated with Mustang Panda. Bookworm employs a modular architecture that makes static analysis challenging.

  3. 25.08.2025 21:11 · 4 articles

    UNC6384 Deploys PlugX via Captive Portal Hijacks Targeting Diplomats

    The campaign targeted around two dozen victims, primarily Southeast Asian diplomats, between March and July 2025. The attack chain began with compromised edge devices intercepting the operating system's captive portal connectivity checks and redirecting the browser to an attacker-controlled website, which puts the actor in an adversary-in-the-middle position on the victim's network path without any phishing lure. The site used a valid TLS certificate issued by Let's Encrypt, so the browser showed no warning, and served the first-stage malware, STATICPLUGIN, a downloader signed with a valid code signing certificate. STATICPLUGIN dropped a launcher called CANONSTAGER, which used unconventional indirect execution techniques to hide its activity; the final payload, loaded in memory, was a PlugX variant tracked by Google as SOGU.SEC. Google links UNC6384 to the group more widely tracked as Mustang Panda.

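The captive portal hijack described in the timeline works because every operating system sends a plain-HTTP connectivity probe to a fixed URL and treats any redirect as "there is a portal, open it in the browser". A device sitting on the network path can therefore steer that probe anywhere. The following script is an added example, not code from the page or from Google, that issues the same probes the OS clients use, with redirect following disabled so the redirect itself is captured, and reports whether each probe came back untouched. The probe URLs and expected bodies are the public vendor endpoints; the function and type names (`check_probe`, `Fetcher`, `Finding`) are this example's own. Any legitimate captive portal (hotel Wi-Fi, guest network) will also trip it; the value for the UNC6384 case is in logging where the redirect goes, since a connectivity probe should never land on a page offering a software or plugin update.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Public connectivity-check endpoints and the canonical reply each OS client expects.
# exact=True means the body must match byte for byte; Apple's page is matched on a substring.
PROBES: Dict[str, Tuple[str, int, bytes, bool]] = {
    "windows": ("http://www.msftconnecttest.com/connecttest.txt", 200, b"Microsoft Connect Test", True),
    "android": ("http://connectivitycheck.gstatic.com/generate_204", 204, b"", True),
    "apple":   ("http://captive.apple.com/hotspot-detect.html", 200, b"Success", False),
}

# A fetcher returns (status, headers, body) for one URL and must NOT follow redirects:
# the redirect is the evidence we are after. Injectable so the check can run offline.
Fetcher = Callable[[str], Tuple[int, Dict[str, str], bytes]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx instead of following it


def live_fetch(url: str, timeout: float = 5.0) -> Tuple[int, Dict[str, str], bytes]:
    """Send the probe over the real network from the host being checked."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


@dataclass
class Finding:
    os_name: str
    verdict: str   # "ok" | "redirected" | "tampered"
    detail: str


def check_probe(os_name: str, fetch: Fetcher = live_fetch) -> Finding:
    url, want_status, want_body, exact = PROBES[os_name]
    status, headers, body = fetch(url)
    headers = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        # Something on the path (benign portal or hijacking edge device) is steering the probe.
        return Finding(os_name, "redirected",
                       f"{status} -> {headers.get('location', '<no Location header>')}")
    if status != want_status:
        return Finding(os_name, "tampered", f"status {status}, expected {want_status}")
    body_ok = body == want_body if exact else want_body in body
    if not body_ok:
        # A 200 with a login page or update page instead of the canonical body is the
        # other common interception pattern.
        return Finding(os_name, "tampered", f"unexpected body {body[:60]!r}")
    return Finding(os_name, "ok", url)


def check_all(fetch: Fetcher = live_fetch) -> Dict[str, Finding]:
    """Run every probe; a clean network returns 'ok' for all three."""
    return {name: check_probe(name, fetch) for name in PROBES}


if __name__ == "__main__":
    for finding in check_all().values():
        print(f"{finding.os_name:8} {finding.verdict:10} {finding.detail}")
```

Run it from a client on the suspect network segment, not from a server in a data centre: the interception in this campaign depended on the victim's traffic passing through the compromised edge device. Keep the probes on plain HTTP as the vendors do; switching them to HTTPS would hide exactly the tampering you want to observe.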


Similar Happenings

China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes

China-nexus threat actor UAT-7290 has been targeting telecommunications providers in South Asia and Southeastern Europe since at least 2022. The group conducts extensive reconnaissance before deploying malware families like RushDrop, DriveSwitch, SilentRaid, and Bulbature. UAT-7290 also establishes Operational Relay Box (ORB) nodes, which other China-nexus actors may use, indicating a dual role in espionage and initial access provision. The group uses a mix of open-source malware, custom tooling, and 1-day vulnerabilities in edge networking products. Recent activity shows overlaps with RedLeaves, ShadowPad, and RedFoxtrot, suggesting a broader China-linked operation.

Bloody Wolf APT Expands Operations in Central Asia Using NetSupport RAT

The Bloody Wolf APT group has expanded its cyber campaign across Central Asia, targeting government entities in Kyrgyzstan and Uzbekistan. The group has shifted from traditional malware to using legitimate remote-access software, specifically NetSupport RAT, deployed via Java-based delivery methods. The campaign involves sophisticated social engineering tactics, including impersonating government ministries and using geofenced infrastructure to deliver malicious payloads. The group's activities have been ongoing since at least June 2025, with a notable increase in operations by October 2025. The infection chain involves downloading a JAR file that fetches additional components, installs NetSupport RAT, and adds persistence mechanisms. The group uses custom JAR generators to produce varied samples, reducing the likelihood of detection. The campaign has also targeted finance and IT sectors. The shift to legitimate remote-administration tools indicates an evolution in the group's tactics to evade detection and blend into normal IT activity.

APT24 Utilizes BadAudio Malware in Multi-Year Espionage Campaign

APT24, a China-linked threat group, has been using previously undocumented BadAudio malware in a nearly three-year espionage campaign targeting Windows systems. The campaign, active since November 2022, employed various attack methods including spearphishing, supply-chain compromise, and watering hole attacks. The malware is heavily obfuscated and uses sophisticated techniques to evade detection and hinder analysis. From November 2022 to at least September 2025, APT24 compromised over 20 legitimate websites to inject malicious JavaScript code, targeting specific visitors. Starting July 2024, the group compromised a Taiwanese digital marketing company, injecting malicious JavaScript into widely used libraries, affecting over 1,000 domains. Additionally, APT24 launched spearphishing operations using emails impersonating animal rescue organizations and leveraging cloud services for malware distribution. The BadAudio malware collects system details, communicates with a hard-coded C2 server, and executes payloads in memory using DLL sideloading. Despite its prolonged use, the malware remained largely undetected, with only a few samples flagged by antivirus engines. APT24 has been active since at least 2008, targeting various sectors including government, healthcare, construction, and telecommunications. The group is closely related to the Earth Aughisky group, which has also deployed Taidoor and Specas malware.

PlushDaemon Hijacks Software Updates in Supply-Chain Attacks

The China-linked threat actor PlushDaemon, active in cyberespionage operations since 2018, has been hijacking software update traffic with a newly documented implant called EdgeStepper. The group targets individuals and organizations in the U.S., China, Taiwan, Hong Kong, South Korea, New Zealand, and Cambodia, deploying custom malware such as the SlowStepper backdoor. The attackers compromise routers via known vulnerabilities or weak passwords, install EdgeStepper to redirect update traffic, and deliver the LittleDaemon malware downloader, which leads to the deployment of the SlowStepper backdoor and gives the operators extensive system control and data theft capability. EdgeStepper is a Go-based network backdoor that redirects all DNS queries to a malicious hijacking node, enabling adversary-in-the-middle (AitM) attacks; the implant is an ELF file named bioset, internally called dns_cheat_v2, that forwards DNS traffic to the malicious DNS node. In May 2024, PlushDaemon targeted a South Korean VPN provider named IPany. The group deploys two downloaders, LittleDaemon and DaemonLogistics, which deliver a backdoor toolkit for cyber espionage operations.

Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats

A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target diplomatic entities in Hungary, Belgium, Italy and the Netherlands, as well as Serbian government agencies. The campaign uses spearphishing emails carrying malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems; its scope later broadened to include diplomatic entities in Italy and the Netherlands. The vulnerability is a user-interface weakness in how Windows displays a shortcut's Target field: command-line arguments pushed beyond the displayed portion are invisible to the user but run when the shortcut is opened, which the group uses to execute code on targeted systems, monitor diplomatic communications and steal sensitive data. The flaw has been heavily exploited by multiple state-sponsored groups and cybercrime gangs since March 2025, and Microsoft has not released a dedicated patch for it. Microsoft did silently mitigate it in the November updates by making the Target field display all characters rather than only the first 260, and ACROS Security released an unofficial patch that limits shortcut target strings to 260 characters and warns users about potential dangers.
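The mechanism behind CVE-2025-9491 is a display limit, not a memory bug: the Properties dialog shows at most 260 characters of the Target field, so whitespace padding at the start of the shortcut's arguments pushes the real command out of view. The following checker is an added example, not code from the page, ACROS Security or Microsoft. It walks the MS-SHLLINK layout (header, optional IDList and LinkInfo, then the StringData fields) far enough to read the arguments, reproduces what the dialog would show, and flags shortcuts whose first non-whitespace argument character falls past the 260-character window. Assumptions: it takes the displayed path from the RelativePath string only (a full parser would also resolve the LinkTargetIDList, omitted here), and the `.LNK` it analyses is constructed in memory by `build_lnk` rather than taken from a real sample; all function names are this example's own.

```python
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as it is laid out on disk (little-endian).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields appear in this fixed order when their flag is set.
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))
TARGET_FIELD_LIMIT = 260        # characters the shortcut Properties "Target" box displays
PAD_CHARS = " \t\r\n\x0b\x0c"   # whitespace used to push the real command out of view


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Assemble a minimal Unicode shell link: header + RelativePath + Arguments.
    Constructed test data, not a real-world sample; it carries no IDList or LinkInfo."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0x00, LNK_HEADER_SIZE)
    header[0x04:0x14] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)

    def string_data(s: str) -> bytes:  # CountCharacters (2 bytes) + UTF-16LE, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return bytes(header) + string_data(relative_path) + string_data(arguments)


def parse_lnk(data: bytes) -> dict:
    """Walk the shell link far enough to extract the StringData fields."""
    if len(data) < LNK_HEADER_SIZE or data[0x04:0x14] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts itself, so skip it wholesale
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def analyse_target_field(fields: dict) -> dict:
    """Reproduce what the Properties dialog shows and report what it would hide."""
    path = fields.get("relative_path", "")
    args = fields.get("arguments", "")
    payload = args.lstrip(PAD_CHARS)
    pad = len(args) - len(payload)
    display = path + (" " + args if args else "")
    first_payload_index = len(path) + 1 + pad   # where the first real argument char lands
    hidden = bool(payload) and first_payload_index >= TARGET_FIELD_LIMIT
    return {
        "visible": display[:TARGET_FIELD_LIMIT].rstrip(PAD_CHARS),
        "padding_chars": pad,
        "hidden_command": payload if hidden else "",
        "suspicious": hidden,
    }


def scan(data: bytes) -> dict:
    return analyse_target_field(parse_lnk(data))


if __name__ == "__main__":
    sample = build_lnk("cmd.exe", " " * 300 + "/c echo constructed-payload")
    print(scan(sample))
```

A shortcut with a long but unpadded command line is not flagged, because the user can still see the beginning of the arguments; the condition the check encodes is the one Microsoft's November change removes, namely that the first meaningful argument character sits beyond what the dialog renders. For triage at scale, feed `scan` the bytes of every `.lnk` in an email attachment or archive before it reaches a user.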