
China-linked UNC6384 targeted diplomats by hijacking web traffic


The China-linked APT group UNC6384 targeted diplomats by hijacking web traffic to redirect it to a website that delivered malware.

China-linked cyberespionage group UNC6384 targeted diplomats by hijacking web traffic to redirect to a website used to deliver malware, Google’s Threat Intelligence Group (GTIG) warns.

Cyberspies hijacked a network’s captive portal using an advanced adversary-in-the-middle (AitM) technique to deliver malware. GTIG links the group, UNC6384, to the Chinese threat actor TEMP.Hex, also known as Mustang Panda.

In March 2025, Google identified a sophisticated cyber espionage campaign by UNC6384, targeting diplomats in Southeast Asia and globally. The attack hijacked web traffic via captive portal redirects, delivering a signed downloader (STATICPLUGIN) that installed the PlugX backdoor (SOGU.SEC).

GTIG found that attackers hijacked captive portals to deliver malware disguised as an Adobe Plugin update.

The attackers trick targets into downloading malware disguised as a “plugin update” via a fake software update site using HTTPS and a valid TLS certificate. The page appears legitimate, displaying a blank landing page with an “Install Missing Plugins…” button. When clicked, JavaScript triggers the download of “AdobePlugins.exe” while showing a background image with execution instructions. The fake installer runs, but the SOGU.SEC backdoor is already active, bypassing Windows security.

Legitimate browser redirects (via gstatic.com) were abused in an adversary-in-the-middle (AitM) attack, likely through compromised edge devices, though the initial compromise method remains unknown.

“A captive portal is a network setup that directs users to a specific webpage, usually a login or splash page, before granting internet access. This functionality is intentionally built into all web browsers. The Chrome browser performs an HTTP request to a hardcoded URL (“http://www.gstatic.com/generate_204”) to enable this redirect mechanism.” states the GTIG’s report.

“While “gstatic.com” is a legitimate domain, our investigation uncovered redirect chains from this domain leading to the threat actor’s landing webpage and subsequent malware delivery, indicating an AitM attack.”
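The mechanism GTIG describes leaves a recognisable trace in egress or proxy logs: Chrome's probe to the hardcoded generate_204 URL should come back as an empty HTTP 204, so any 3xx answer means something on the path is intercepting it, and an executable fetched from the redirect target by the same client shortly afterwards is the pattern the report describes. The following is an added example written for this article, not code from the GTIG report or from Google; the log format, the sample lines, the `analyze_probe_log` function and the `.exe`/`.msi`/`.dll` suffix list are all assumptions of this example.

```python
"""Spot hijacked captive-portal probes in proxy logs and correlate them
with executable downloads from the redirect target.

Chrome requests http://www.gstatic.com/generate_204 and expects an empty
HTTP 204. A legitimate captive portal answers with a redirect to its login
page, which is noisy but benign; a redirect followed by the same client
pulling an executable from the redirect host is the chain described in
the GTIG report. Log format and sample lines are constructed for this
example and are not a real proxy's output.
"""
import re
from urllib.parse import urlsplit

PROBE_URL = "http://www.gstatic.com/generate_204"

# Assumption: payload extensions worth escalating on. Extend to taste.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dll")

# Constructed log lines: "<timestamp> <client> <method> <url> <status> <Location-or->"
SAMPLE_LOG = """\
2025-03-12T09:01:02Z 10.0.0.15 GET http://www.gstatic.com/generate_204 204 -
2025-03-12T09:01:05Z 10.0.0.21 GET http://www.gstatic.com/generate_204 302 http://hotel-wifi.example/login
2025-03-12T09:02:10Z 10.0.0.33 GET http://www.gstatic.com/generate_204 302 https://plugin-update.invalid/index.html
2025-03-12T09:02:11Z 10.0.0.33 GET https://plugin-update.invalid/AdobePlugins.exe 200 -
2025-03-12T09:03:00Z 10.0.0.40 GET http://www.gstatic.com/generate_204 200 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<location>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["location"] = None if rec["location"] == "-" else rec["location"]
    return rec


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def analyze_probe_log(log_text):
    """Walk the log once and return three findings lists.

    portal_redirects:     (client, redirect_host)  informational: a portal
                          or interceptor answered the probe with a 3xx
    suspicious_downloads: (client, url)            high priority: executable
                          fetched from a host the client's probe was
                          redirected to
    unexpected_status:    (client, status)         probe answered with
                          something other than 204 or a redirect
    """
    redirected_to = {}  # client -> set of hosts its probe was redirected to
    findings = {"portal_redirects": [], "suspicious_downloads": [],
                "unexpected_status": []}

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["client"]

        if rec["url"] == PROBE_URL:
            if rec["status"] == 204:
                continue  # healthy probe: direct internet access
            if 300 <= rec["status"] < 400 and rec["location"]:
                loc_host = _host(rec["location"])
                redirected_to.setdefault(client, set()).add(loc_host)
                findings["portal_redirects"].append((client, loc_host))
            else:
                # A 200 with content, or any other code, means the probe
                # was intercepted rather than passed through.
                findings["unexpected_status"].append((client, rec["status"]))
            continue

        # Any other request: escalate if it fetches an executable from a
        # host that earlier redirected this client's probe.
        path = urlsplit(rec["url"]).path.lower()
        if _host(rec["url"]) in redirected_to.get(client, ()) and \
                path.endswith(EXECUTABLE_SUFFIXES):
            findings["suspicious_downloads"].append((client, rec["url"]))

    return findings


if __name__ == "__main__":
    for kind, items in analyze_probe_log(SAMPLE_LOG).items():
        for item in items:
            print(f"{kind}: {item}")
```

The design keeps plain portal redirects as informational, because hotel and airport networks produce them constantly; what moves a client to the top of the queue is the second condition, an executable downloaded from the very host that answered the connectivity probe. In a real deployment the redirect-host set would be keyed by client plus a time window rather than kept for the whole log.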

Upon delivery to a Windows system, the malware launches a multi-stage chain designed to evade defenses and remain stealthy. The first stage, STATICPLUGIN, is a digitally signed downloader disguised as a legitimate installer. It retrieves an MSI package, which installs CANONSTAGER, a launcher that side-loads and executes the encrypted SOGU.SEC backdoor entirely in memory.

CANONSTAGER employs advanced evasion techniques, including API hashing, Thread Local Storage (TLS) for storing function addresses, and indirect code execution via Windows message queues and hidden window procedures. This allows SOGU.SEC to decrypt and run without leaving artifacts on the disk, bypassing security tools while maintaining communication with the attacker’s command-and-control server. The malware leverages legitimate Windows features and digitally signed binaries to appear credible and avoid detection.

“This campaign is a clear example of the continued evolution of UNC6384’s operational capabilities and highlights the sophistication of PRC-nexus threat actors. The use of advanced techniques such as AitM combined with valid code signing and layered social engineering demonstrates this threat actor’s capabilities.” concludes the report. “This activity follows a broader trend GTIG has observed of PRC-nexus threat actors increasingly employing stealthy tactics to avoid detection.”

Google published indicators of compromise (IoCs) and YARA rules for detecting malware employed in the attacks.


Pierluigi Paganini

(SecurityAffairs – hacking, UNC6384)