
The China-nexus threat actor known as UNC6384 has been attributed to a series of attacks targeting diplomats in Southeast Asia and other entities around the world, in a campaign assessed to advance Beijing's strategic interests.
"This multi-stage attack chain leverages sophisticated social engineering, including valid code signing certificates, adversary-in-the-middle (AitM) attacks, and indirect execution techniques to avoid detection," said Patrick Whitsell, researcher at Google Threat Intelligence Group (GTIG).
UNC6384 is assessed to share tactical and tooling overlaps with a known Chinese hacking group called Mustang Panda, which is also tracked as BASIN, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TEMP.Hex, and Twill Typhoon.
The campaign, detected by GTIG in March 2025, features captive portal redirection to hijack web traffic and deliver a digitally signed downloader called STATICPLUGIN. The downloader then paves the way for the in-memory deployment of a PlugX (aka Korplug or SOGU) variant called SOGU.SEC.

PlugX is a backdoor that supports exfiltrating files, logging keystrokes, launching remote command shells, and uploading/downloading files, and can extend its functionality with additional plugins. The implant, which is often launched via DLL sideloading, is spread through USB flash drives, targeted phishing emails containing malicious attachments or links, or downloads of compromised software.
The malware has been around since at least 2008 and is widely used by Chinese hacking groups. ShadowPad is considered to be the successor to PlugX.
The UNC6384 attack chain is fairly straightforward in that it uses adversary-in-the-middle (AitM) and social engineering tactics to deliver the PlugX malware.
First, the target's web browser runs its check for whether the internet connection is behind a captive portal, and the AitM redirects it to a threat actor landing page ([.]com). STATICPLUGIN then retrieves an MSI package from the same website. Finally, CANONSTAGER is DLL sideloaded and deploys the SOGU.SEC backdoor in memory.

Captive portal hijacking is used to deliver malware posing as an Adobe plugin update to the targeted entities. In Chrome browsers, the captive portal check works by requesting a hard-coded URL (www.gstatic[.]com/generate_204); when the connection is behind a portal, the response redirects the user to the Wi-Fi login page.
"gstatic[.]com" is a legitimate Google domain used to serve JavaScript code, images, and stylesheets as a way to improve performance. Google said it is likely that the threat actors are running AitM attacks to mimic this redirection chain, sending users from the captive portal check to threat actor landing pages instead.
Although the AitM is assessed to be enabled by the compromise of edge devices on the target network, the exact attack vector remains unknown at this stage.
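A legitimate captive portal also answers the generate_204 probe with a redirect, so the distinguishing signal in the chain described above is a redirect from the probe followed by an executable download from the landing host. The following detection logic is an added example and is not part of the original article or GTIG's tooling; the proxy log format and the log lines are constructed for illustration.

```python
"""Flag captive-portal probe redirects that end in an executable download.

Chrome requests www.gstatic.com/generate_204 and expects an empty HTTP 204.
A 3xx answer means a portal (or an AitM) intercepted the probe; a follow-up
.exe/.msi download from the redirect host is what makes it worth a look.
The field layout (timestamp client method url status location) is assumed.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

PROBE_HOST = "www.gstatic.com"
PROBE_PATH = "/generate_204"
PAYLOAD_SUFFIXES = (".exe", ".msi")
WINDOW = timedelta(minutes=10)

# Constructed sample proxy log; hosts and addresses are placeholders.
SAMPLE_LOG = """\
2025-03-04T09:00:01 10.0.0.5 GET http://www.gstatic.com/generate_204 204 -
2025-03-04T09:12:10 10.0.0.7 GET http://www.gstatic.com/generate_204 302 https://updates.example-cdn.test/plugin
2025-03-04T09:12:11 10.0.0.7 GET https://updates.example-cdn.test/plugin 200 -
2025-03-04T09:12:40 10.0.0.7 GET https://updates.example-cdn.test/adobeplugins.exe 200 -
2025-03-04T09:30:00 10.0.0.9 GET http://www.gstatic.com/generate_204 302 https://wifi.hotel.test/login
2025-03-04T09:31:00 10.0.0.9 GET https://wifi.hotel.test/login 200 -
"""

def parse(line: str) -> dict:
    ts, client, _method, url, status, location = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "url": url, "status": int(status), "location": location}

def suspicious_probe_redirects(log_text: str) -> list:
    """Return probe redirects followed, within WINDOW, by an .exe/.msi fetch from the redirect host."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for ev in events:
        u = urlparse(ev["url"])
        if not (u.hostname == PROBE_HOST and u.path == PROBE_PATH and 300 <= ev["status"] < 400):
            continue  # normal 204 answer, or unrelated request
        landing_host = urlparse(ev["location"]).hostname
        for later in events:
            if later["client"] != ev["client"] or not (ev["ts"] <= later["ts"] <= ev["ts"] + WINDOW):
                continue
            lu = urlparse(later["url"])
            if lu.hostname == landing_host and lu.path.lower().endswith(PAYLOAD_SUFFIXES):
                findings.append({"client": ev["client"], "landing_host": landing_host,
                                 "download": later["url"]})
    return findings

if __name__ == "__main__":
    for finding in suspicious_probe_redirects(SAMPLE_LOG):
        print(finding)
```

The hotel Wi-Fi client (10.0.0.9) is redirected but never downloads a binary, so only the 10.0.0.7 sequence is reported.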

"After being redirected, the threat actor attempts to deceive the target into believing that a software update is necessary and to download malware disguised as a 'plugin update'," GTIG said. "The landing web page closely resembles a legitimate software update site and uses a valid TLS certificate issued by Let's Encrypt and an HTTPS connection."
The end result is the download of an executable named "AdobePlugins.exe" (aka STATICPLUGIN), which launches the SOGU.SEC payload in the background by means of a DLL called CANONSTAGER ("cnmpaui.dll").
The STATICPLUGIN downloader is signed by Chengdu Nuoxin Times Technology Co., Ltd. with a valid certificate issued by GlobalSign. More than two dozen malware samples signed by Chengdu Nuoxin have been used by China-nexus activity clusters, with the earliest artifacts dating back to at least January 2023. It is not clear how the threat actors obtain these certificates.
"This campaign is a clear example of the continued evolution of UNC6384's operational capabilities, highlighting the refinement of PRC-nexus threat actors," Whitsell said. "The use of advanced techniques such as AitM, valid code signing, and layered social engineering demonstrates the capabilities of this threat actor."