CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

UNC6384 Targets Diplomats with PlugX via Captive Portal Hijacks

First reported
Last updated
πŸ“° 2 unique sources, 2 articles

Summary

Hide β–²

UNC6384, a China-nexus threat actor, has been deploying PlugX malware to diplomats in Southeast Asia and other global entities. The campaign, detected in March 2025, uses captive portal hijacks, adversary-in-the-middle (AitM) attacks, and valid code signing certificates to evade detection. The PlugX variant, SOGU.SEC, is delivered via a digitally signed downloader called STATICPLUGIN. The malware supports commands for file exfiltration, keystroke logging, remote command shells, and file upload/downloads. The attack chain involves redirecting web traffic through a captive portal to a threat actor-controlled website, where the malware is downloaded. The malware is disguised as an Adobe Plugin update, using a legitimate-looking HTTPS connection with a valid TLS certificate. The campaign highlights the sophistication of PRC-nexus threat actors and their evolving operational capabilities. The campaign targeted approximately two dozen victims, primarily Southeast Asian diplomats, between March and July 2025. The malware used a blank landing page with a valid TLS/SSL certificate issued by Let's Encrypt to evade browser security warnings. The STATICPLUGIN downloader employed a valid code-signing certificate from Chengdu Nuoxin Times Technology Co. Ltd. The downloader dropped a launcher called CANONSTAGER, which used legitimate Windows features and API hashing to evade detection. The CANONSTAGER launcher introduced the SOGU.SEC variant of the PlugX backdoor.

Timeline

  1. 25.08.2025 21:11 πŸ“° 2 articles Β· ⏱ 22d ago

    UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates

    UNC6384, a China-nexus threat actor, has been targeting diplomats in Southeast Asia and other global entities with PlugX malware. The campaign, detected in March 2025, uses captive portal hijacks, adversary-in-the-middle (AitM) attacks, and valid code signing certificates to evade detection. The PlugX variant, SOGU.SEC, is delivered via a digitally signed downloader called STATICPLUGIN. The malware supports commands for file exfiltration, keystroke logging, remote command shells, and file upload/downloads. The attack chain involves intercepting captive portal checks via compromised edge devices in the target's network. The malware is disguised as an Adobe Plugin update, using a legitimate-looking HTTPS connection with a valid TLS certificate. The campaign targeted approximately two dozen victims, primarily Southeast Asian diplomats, between March and July 2025.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids

A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).

Open in new tab

FileFix Attack Using Steganography to Deploy StealC Infostealer

A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.

Open in new tab

Supply Chain Attack Targeting npm Registry Compromises 40 Packages

A supply chain attack targeting the npm registry has compromised over 187 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.

Open in new tab

Active exploitation of CVE-2025-5086 in DELMIA Apriso

CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.

Open in new tab

Resurfaced ChillyHell macOS Backdoor Discovered

A new version of the ChillyHell modular backdoor malware targeting macOS has been discovered. The malware, first seen in 2022, was used in attacks against Ukrainian officials and has now resurfaced with updated capabilities. ChillyHell provides remote access, payload delivery, and password brute-forcing. The malware was notarized by Apple in 2021 and has been publicly hosted on Dropbox since then. The malware disguises itself as an executable applet and deploys as a persistent backdoor, capable of retrieving sensitive data and evading detection. It employs multiple persistence mechanisms and can communicate over different protocols. It also features timestamping to cover its tracks. Apple has revoked the notarization of the developer certificates associated with the malware after being notified. ChillyHell is written in C++ and targets Intel architectures. It is attributed to an uncategorized threat cluster dubbed UNC4487, which has been active since at least October 2022. UNC4487 is suspected to be an espionage actor targeting Ukrainian government entities.

Open in new tab