UNC6384 Uses Captive Portal Hijacks and Legitimate Certificates to Deploy PlugX Targeting Diplomats


UNC6384: The Evolving Threat of Chinese Cyber Espionage

A New Player in Cyber Threats

Recent developments in cybersecurity have identified a China-linked group known as UNC6384, which has been orchestrating a series of sophisticated attacks targeting diplomats in Southeast Asia and various international entities. These actions appear to be aimed at furthering China’s geopolitical interests.

Advanced Techniques in Play

According to Patrick Whitsell from Google’s Threat Intelligence Group, this multi-layered attack chain employs advanced social engineering tactics and intricate methodologies. The group utilizes valid code signing certificates and executes an adversary-in-the-middle (AitM) strategy, along with indirect methods to avoid detection. Such sophistication highlights a growing trend in cyber threats where attackers increasingly leverage legitimate tools to launch their assaults.

Connections to Known Threat Actors

UNC6384 has shown tactical similarities and overlaps in tools with the established Chinese hacking group Mustang Panda, which is recognized under various aliases including Bronze President and TEMP.Hex. The capabilities of both groups reflect a coordinated effort in cyber espionage, utilizing a common set of tools and techniques that underline their deep-rooted connections.

Unfolding the Attack Chain

The campaign detected in March 2025 involved a captive portal redirect used to hijack web traffic, delivering a malicious downloader named STATICPLUGIN. This downloader is instrumental as it facilitates the subsequent deployment of a PlugX variant known as SOGU.SEC directly into the memory of the target system.

Understanding PlugX Malware

PlugX serves as a versatile backdoor, providing attackers with extensive functionality, including:

  • File exfiltration
  • Keystroke logging
  • Remote command execution
  • File uploads and downloads

PlugX has been in use since 2008 and has become a common tool across many Chinese hacking entities. ShadowPad is believed to be its successor, a further sign of the ongoing evolution of these cyber threats.

Step-by-Step Attack Execution

The attack method employed by UNC6384 is notably straightforward but cleverly executed:

  1. The target’s web browser issues its normal captive-portal connectivity check.
  2. An AitM attack intercepts that check and redirects the user to a site controlled by the attackers.
  3. STATICPLUGIN is downloaded from a site masquerading as a legitimate domain.
  4. This downloader retrieves an MSI package from the same site.
  5. The CANONSTAGER component is DLL side-loaded, paving the way for the in-memory installation of the SOGU.SEC backdoor.

The Role of Captive Portals

The use of captive portals to deliver malware is particularly alarming. For Chrome users, the process begins with a request to a hard-coded URL; when a network has a captive portal, that request is redirected to the Wi-Fi login page. Attackers abuse the same mechanism to redirect users to a malicious landing page instead.

Google has indicated that the AitM attack is likely facilitated through compromised devices within the target networks, although the specific vector remains unidentified.
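The hijack described above works because clients trust whatever answer their captive-portal probe receives. The following script is an added example (not code from the article or from Google's report) showing how a defender can classify a probe response offline: the probe URL, the expected status and the allow-list of legitimate portal hosts are assumptions, and the sample responses are constructed.

```python
"""Classify a captive-portal connectivity probe response.

Assumed behaviour: the client fetches a fixed probe URL over plain HTTP
and expects an empty HTTP 204. A genuine captive portal answers with a
redirect to the network's login page; an adversary-in-the-middle can
answer with a redirect to any page it likes. This check distinguishes
the two by comparing the redirect target against known portal hosts.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed / placeholder values: replace with your client's real probe URL
# and the portal hosts you have verified on your own networks.
PROBE_URL = "http://connectivity-check.example/generate_204"
EXPECTED_STATUS = 204
TRUSTED_PORTAL_HOSTS = {"wifi-login.corp.example"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class ProbeResponse:
    """Minimal view of an HTTP response to the probe request."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str):
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def classify_probe(resp: ProbeResponse) -> str:
    """Return one of: ok, captive-portal, suspicious-redirect, tampered."""
    if resp.status == EXPECTED_STATUS and not resp.body:
        return "ok"                      # the expected empty 204
    if resp.status in REDIRECT_STATUSES:
        location = resp.header("Location") or ""
        host = (urlparse(location).hostname or "").lower()
        if host in TRUSTED_PORTAL_HOSTS:
            return "captive-portal"      # legitimate Wi-Fi login page
        return "suspicious-redirect"     # redirect to an unknown host
    # Any other answer (e.g. injected HTML) means the probe was tampered with.
    return "tampered"


def triage(responses: dict) -> dict:
    """Classify a mapping of label -> ProbeResponse and return label -> verdict."""
    return {label: classify_probe(resp) for label, resp in responses.items()}


# Constructed sample responses (not real captures).
SAMPLES = {
    "normal": ProbeResponse(204),
    "portal": ProbeResponse(302, {"Location": "https://wifi-login.corp.example/login"}),
    # A redirect to a lookalike "software update" page on an unknown host.
    "hijack": ProbeResponse(302, {"location": "https://updates.attacker-controlled.invalid/AdobePlugins.exe"}),
    "injected": ProbeResponse(200, {"Content-Type": "text/html"}, b"<html>Update required</html>"),
}

if __name__ == "__main__":
    for label, verdict in triage(SAMPLES).items():
        print(f"{label:9} -> {verdict}")
```

The decisive check is the allow-list on the redirect host: a real captive portal on a managed network sends users to a known login page, so any other target deserves an alert even when, as in this campaign, the destination presents a valid Let's Encrypt certificate.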

Deceptive Tactics for Malware Delivery

Upon successful redirection, the attackers employ deception to convince the target of an urgent software update. The fraudulent landing page closely resembles legitimate software update sites and employs a secure HTTPS connection, complete with a valid TLS certificate issued by Let’s Encrypt.

Ultimately, the unsuspecting user downloads an executable labeled AdobePlugins.exe (the malicious STATICPLUGIN). Once executed, it invokes the SOGU.SEC payload in the background through CANONSTAGER, which is side-loaded by legitimate software such as the Canon IJ Printer Assistant Tool.
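The chain in the numbered steps above ends with a legitimately signed program loading an attacker-supplied DLL from a user-writable directory. The following script is an added example (not code from the article or from Google's report) of detection logic a defender can run over image-load telemetry to surface such side-loading candidates; the event shape is a constructed, loosely Sysmon-like record, the paths and signer names are constructed placeholders, and the only identifier taken from the article is the signer name reported on STATICPLUGIN.

```python
"""Flag DLL side-loading candidates and blocklisted code signers.

Assumed event fields (constructed): image (loading process path),
image_signed (bool), signer (subject name on the image's certificate),
module (loaded DLL path), module_signed (bool), module_signer.
A side-loading candidate is a signed executable running from a
user-writable directory that loads an unsigned DLL from that same
directory, which is exactly how CANONSTAGER is described as running.
"""
from pathlib import PureWindowsPath

# Directories a standard user can write to (constructed, extend as needed).
USER_WRITABLE_PREFIXES = ("C:\\Users\\", "C:\\ProgramData\\", "C:\\Windows\\Temp\\")

# Signer name reported in the article on the STATICPLUGIN downloader.
BLOCKLISTED_SIGNERS = {"Chengdu Nuoxin Times Technology Co., Ltd"}


def in_user_writable_dir(path: str) -> bool:
    """True when the path sits under a directory ordinary users can write to."""
    lowered = path.lower()
    return any(lowered.startswith(prefix.lower()) for prefix in USER_WRITABLE_PREFIXES)


def evaluate(event: dict) -> list:
    """Return the list of findings for one image-load event (empty if benign)."""
    findings = []
    image = PureWindowsPath(event["image"])
    module = PureWindowsPath(event["module"])

    # Signed EXE + unsigned DLL + same user-writable folder = classic side-load.
    if (event.get("image_signed")
            and not event.get("module_signed")
            and module.suffix.lower() == ".dll"
            and image.parent == module.parent          # case-insensitive on Windows paths
            and in_user_writable_dir(str(image))):
        findings.append("dll-sideload-candidate")

    # Any binary carrying a blocklisted signer is worth an alert on its own.
    for signer in (event.get("signer"), event.get("module_signer")):
        if signer in BLOCKLISTED_SIGNERS:
            findings.append("blocklisted-signer")
            break
    return findings


def scan(events: list) -> dict:
    """Map each event's image path to its findings, keeping only hits."""
    results = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            results[event["image"]] = hits
    return results


# Constructed sample telemetry (paths and vendor names are placeholders).
EVENTS = [
    {   # Legitimate printer tool copied to Temp, loading an unsigned DLL beside it.
        "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\PrinterAssistant.exe",
        "image_signed": True, "signer": "Printer Vendor Co. (constructed)",
        "module": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll",
        "module_signed": False, "module_signer": None,
    },
    {   # Same pattern under Program Files: not user-writable, so not flagged.
        "image": "C:\\Program Files\\Vendor\\app.exe",
        "image_signed": True, "signer": "Vendor Inc. (constructed)",
        "module": "C:\\Program Files\\Vendor\\lib.dll",
        "module_signed": False, "module_signer": None,
    },
    {   # Downloader signed with the blocklisted certificate subject.
        "image": "C:\\Users\\alice\\Downloads\\AdobePlugins.exe",
        "image_signed": True, "signer": "Chengdu Nuoxin Times Technology Co., Ltd",
        "module": "C:\\Windows\\System32\\kernel32.dll",
        "module_signed": True, "module_signer": "Microsoft Windows (constructed)",
    },
]

if __name__ == "__main__":
    for image, hits in scan(EVENTS).items():
        print(image, "->", ", ".join(hits))
```

A valid signature on the loading executable is what makes this pattern hard to catch with allow-listing alone; the location and the signing status of the DLL, not the signature on the host program, carry the signal.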

Valid Certificates from Chengdu

Interestingly, the STATICPLUGIN downloader is signed by Chengdu Nuoxin Times Technology Co., Ltd, complete with a valid GlobalSign certificate. Over two dozen malware samples linked to this entity have been used in various Chinese cyber activities since January 2023, raising concerns about the acquisition and legitimacy of these certificates.

Conclusion: A Growing Cyber Threat Landscape

Whitsell emphasizes that this campaign illustrates the evolutionary nature of UNC6384’s operational capabilities, showcasing the complexity and sophistication of state-sponsored cyber threats. The combination of AitM techniques with valid code signing and layered social engineering tactics marks a notable advancement in the operational strategies of Chinese threat actors, underscoring the need for heightened vigilance and adaptive cybersecurity measures.
