UNC6384 Deploys PlugX Malware Through Captive Portal Hijacking and Utilizes Valid Certificates to Target Diplomats

A China-nexus threat actor tracked as UNC6384 has been linked to a series of attacks aimed at diplomats in Southeast Asia and various global entities to further Beijing’s strategic interests. The multi-stage attack chain combines social engineering with valid code signing certificates, an Adversary-in-the-Middle (AitM) position on the network, and indirect execution methods to avoid detection. Google Threat Intelligence Group (GTIG) researcher Patrick Whitsell noted that UNC6384 shares tactical and tooling similarities with the Chinese hacking group Mustang Panda, which is also referred to by several other names, including BASIN, Bronze President, and RedDelta. The campaign, identified by GTIG in March 2025, is marked by the use of a captive portal redirect to hijack web traffic and deliver a digitally signed downloader called STATICPLUGIN.

The STATICPLUGIN downloader facilitates the in-memory deployment of a PlugX variant known as SOGU.SEC. PlugX is a backdoor that allows for file exfiltration, keystroke logging, remote command shell access, and file uploads/downloads, with the ability to extend its functionality through additional plugins. This malware has been in existence since at least 2008 and is commonly utilised by Chinese hacking groups, with ShadowPad believed to be its successor. The attack chain employed by UNC6384 is relatively straightforward, using AitM and social engineering tactics to deliver the PlugX malware. When the target’s web browser performs its automatic captive portal check, the AitM position lets the attacker answer that check with a redirect to a threat actor-controlled website, from which STATICPLUGIN is downloaded. The malware masquerades as an Adobe Plugin update, abusing the captive portal mechanism (where a redirect to a login page is normal) to deceive users into downloading malicious software.
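The hijack above works because operating systems fetch a fixed connectivity-probe URL and treat any redirect as a legitimate captive portal. The following script, an added example that is not code from the article or from GTIG, shows the check a defender can run from a managed endpoint or a network monitor: it compares the probe reply against the documented expected response and flags redirects that point at an unknown host or at a downloadable executable, which a genuine captive portal never serves. The probe URLs and expected bodies are the publicly documented ones as I know them (verify against your own fleet); the sample responses, the allowlisted portal host and the attacker host are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple
from urllib.parse import urlsplit

# Publicly documented OS connectivity probes and the reply a healthy, un-proxied
# network returns (status code, body). Confirm these against what your fleet sees.
EXPECTED_PROBES: Dict[str, Tuple[int, str]] = {
    "http://www.msftconnecttest.com/connecttest.txt": (200, "Microsoft Connect Test"),
    "http://connectivitycheck.gstatic.com/generate_204": (204, ""),
    "http://captive.apple.com/hotspot-detect.html": (
        200, "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
}

# A captive portal shows a login page; it never hands the browser an installer.
DOWNLOAD_EXTS = (".exe", ".msi", ".zip", ".rar", ".7z", ".iso", ".js", ".hta")


@dataclass
class ProbeResult:
    """One observed reply to a connectivity probe (constructed for this example)."""
    probe_url: str
    status: int
    body: str
    location: Optional[str] = None  # Location header, present on 3xx replies


def classify(r: ProbeResult, allowed_portal_hosts: FrozenSet[str] = frozenset()) -> str:
    """Return 'ok', 'captive-portal', or a 'suspicious: ...' verdict for one probe reply."""
    expected = EXPECTED_PROBES.get(r.probe_url)
    if expected is None:
        return "unknown-probe"
    if (r.status, r.body.strip()) == expected:
        return "ok"
    if 300 <= r.status < 400 and r.location:
        target = urlsplit(r.location)
        host = (target.hostname or "").lower()
        if target.path.lower().endswith(DOWNLOAD_EXTS):
            # The pattern described in the article: the "portal" is a file download.
            return "suspicious: redirect to executable"
        if host in allowed_portal_hosts:
            return "captive-portal"  # known hotel/office/airport portal, expected behaviour
        return "suspicious: redirect to unexpected host"
    # Non-redirect reply whose body or status does not match: content was rewritten in transit.
    return "suspicious: tampered response"


def scan(results: List[ProbeResult], allowed_portal_hosts: FrozenSet[str]) -> List[Tuple[str, str]]:
    """Return (probe_url, verdict) for every reply that warrants an alert."""
    alerts = []
    for r in results:
        verdict = classify(r, allowed_portal_hosts)
        if verdict.startswith("suspicious"):
            alerts.append((r.probe_url, verdict))
    return alerts


# Constructed sample observations; hosts use reserved example domains.
MS_PROBE = "http://www.msftconnecttest.com/connecttest.txt"
ALLOWED_PORTALS = frozenset({"portal.hotel.example.net"})
SAMPLE_RESULTS = [
    ProbeResult(MS_PROBE, 200, "Microsoft Connect Test"),                       # healthy network
    ProbeResult(MS_PROBE, 302, "", "http://portal.hotel.example.net/login"),     # real portal
    ProbeResult(MS_PROBE, 302, "", "http://update.attacker.example/AdobePlugins.exe"),  # hijack
    ProbeResult(MS_PROBE, 200, "<html><body>Update required</body></html>"),     # rewritten body
]

if __name__ == "__main__":
    for probe_url, verdict in scan(SAMPLE_RESULTS, ALLOWED_PORTALS):
        print(f"ALERT {probe_url}: {verdict}")
```

The allowlist of portal hosts is the part that needs maintenance: an organisation with travelling diplomats will not know every hotel portal in advance, so the executable-redirect rule is the one that fires without prior knowledge, and an unexpected-host verdict is best paired with the signed-installer telemetry (a browser download immediately after a probe redirect) rather than acted on alone.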

Categories: Cybersecurity Threats, Advanced Persistent Threats, Social Engineering Techniques 

Tags: China, UNC6384, Cybersecurity, Social Engineering, AitM Attack, PlugX, Malware, Captive Portal, Threat Actor, Exfiltration 
