China-linked cyberespionage group UNC6384 targeted diplomats by hijacking web traffic and redirecting it to a website that delivered malware, according to Google's Threat Intelligence Group (GTIG). The campaign shows the continued evolution of UNC6384's operational capabilities and the sophistication of PRC-nexus threat actors.
In March 2025, GTIG identified a sophisticated cyber espionage campaign by UNC6384 targeting diplomats in Southeast Asia and elsewhere. The attack hijacked web traffic through captive portal redirects and delivered a signed downloader (STATICPLUGIN) that installed the PlugX backdoor (SOGU.SEC). The attackers used an adversary-in-the-middle (AitM) technique to deliver the malware disguised as an Adobe plugin update.
The attackers lured targets into downloading malware disguised as a “plugin update” from a fake software update site served over HTTPS with a valid TLS certificate. The page looked legitimate: a blank landing page with an “Install Missing Plugins…” button. Clicking the button triggered JavaScript that downloaded “AdobePlugins.exe” while displaying a background image with instructions for running it. The decoy installer ran, but by that point the SOGU.SEC backdoor was already active, having bypassed Windows security controls.
“A captive portal is a network setup that directs users to a specific webpage, usually a login or splash page, before granting internet access,” states GTIG’s report. “While ‘gstatic.com’ is a legitimate domain, our investigation uncovered redirect chains from this domain leading to the threat actor’s landing webpage and subsequent malware delivery, indicating an AitM attack.”
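The redirect-chain indicator GTIG describes (a connectivity check against gstatic.com that is answered with a redirect to a third-party page which then serves an executable) can be hunted for in web proxy logs. The script below is an added example, not code from GTIG's report: the log format, the client addresses, the hostnames (`captive.example.net`, `update-portal.invalid`), the connectivity-check paths and the five-minute window are all constructed assumptions, and the campaign's real domains do not appear on this page. The point it makes is that a redirect from gstatic.com alone is what every legitimate captive portal produces; the chain is only suspicious once the redirect target goes on to deliver an executable to the same client.

```python
"""Hunt for captive-portal-style redirect chains that end in an executable download.

Added example (not part of GTIG's report). Log format, hosts, paths and
thresholds are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample proxy log. Field layout (an assumption, not a real product format):
# "<timestamp> <client_ip> <status> <url> <Location header or -> <Content-Type or ->"
# Client 10.1.2.3 hits an ordinary captive portal; client 10.1.2.9 is redirected to a
# page that then serves "AdobePlugins.exe".
SAMPLE_LOG = """\
2025-03-04T09:00:01Z 10.1.2.3 302 http://www.gstatic.com/generate_204 http://captive.example.net/login -
2025-03-04T09:00:01Z 10.1.2.3 200 http://captive.example.net/login - text/html
2025-03-04T09:00:02Z 10.1.2.3 204 http://www.gstatic.com/generate_204 - -
2025-03-04T09:01:10Z 10.1.2.9 302 http://www.gstatic.com/generate_204 https://update-portal.invalid/plugins -
2025-03-04T09:01:10Z 10.1.2.9 200 https://update-portal.invalid/plugins - text/html
2025-03-04T09:01:25Z 10.1.2.9 200 https://update-portal.invalid/AdobePlugins.exe - application/x-msdownload
"""

# Hosts that clients probe to detect a captive portal (assumption: tune to your environment).
CONNECTIVITY_CHECK_HOSTS = {"www.gstatic.com", "connectivitycheck.gstatic.com"}
# Content types and file suffixes treated as executable payloads.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msi", "application/octet-stream"}
EXECUTABLE_SUFFIXES = (".exe", ".msi")
# How long after the redirect a download from the redirect target still counts as part of the chain.
WINDOW = timedelta(minutes=5)


@dataclass
class Event:
    ts: datetime
    client: str
    status: int
    url: str
    location: Optional[str]
    ctype: Optional[str]


def parse_line(line: str) -> Event:
    ts, client, status, url, location, ctype = line.split()
    return Event(
        ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        client=client,
        status=int(status),
        url=url,
        location=None if location == "-" else location,
        ctype=None if ctype == "-" else ctype,
    )


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_executable(ev: Event) -> bool:
    """True if the response looks like an executable by content type or URL suffix."""
    if ev.ctype in EXECUTABLE_TYPES:
        return True
    return urlparse(ev.url).path.lower().endswith(EXECUTABLE_SUFFIXES)


def find_suspicious_chains(events: List[Event]) -> List[dict]:
    """Return one finding per (client, redirect) where a connectivity check was
    redirected off Google infrastructure and the redirect target later served
    an executable to the same client within WINDOW."""
    events = sorted(events, key=lambda e: e.ts)  # stable sort keeps log order for equal timestamps
    findings = []
    for i, ev in enumerate(events):
        if host_of(ev.url) not in CONNECTIVITY_CHECK_HOSTS:
            continue
        if not (300 <= ev.status < 400) or not ev.location:
            continue
        target = host_of(ev.location)
        if target.endswith("gstatic.com") or target.endswith("google.com"):
            continue  # redirects that stay on Google infrastructure are expected
        for later in events[i + 1:]:
            if later.ts - ev.ts > WINDOW:
                break
            if later.client == ev.client and host_of(later.url) == target and is_executable(later):
                findings.append({
                    "client": ev.client,
                    "redirected_at": ev.ts.isoformat(),
                    "target_host": target,
                    "download_url": later.url,
                })
                break  # one finding per redirect is enough
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_chains(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the constructed log, the script reports only client 10.1.2.9: the redirect for 10.1.2.3 goes to a portal login page and never progresses to an executable, so it is not flagged. In a real deployment the interesting follow-up is the redirect target itself (its certificate, registration age and whether other clients on the same network were sent there), since the report notes the attacker's page used HTTPS with a valid certificate and so will not stand out on TLS errors alone.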
Upon delivery to a Windows system, the malware launched a multi-stage chain designed to evade defenses and remain stealthy. The first stage, STATICPLUGIN, was a digitally signed downloader disguised as a legitimate installer. It retrieved an MSI package, which installed CANONSTAGER, a launcher that side-loaded and executed the encrypted SOGU.SEC backdoor entirely in memory.
CANONSTAGER employed advanced evasion techniques, including API hashing, Thread Local Storage (TLS) for storing resolved function addresses, and indirect code execution via Windows message queues and hidden window procedures. This allowed SOGU.SEC to be decrypted and run in memory without the decrypted payload ever being written to disk, evading security tools while maintaining communication with the attacker’s command-and-control server.
“This campaign is a clear example of the continued evolution of UNC6384’s operational capabilities and highlights the sophistication of PRC-nexus threat actors,” concludes the report. “The use of advanced techniques such as AitM combined with valid code signing and layered social engineering demonstrates this threat actor’s capabilities.”
This activity follows a broader trend GTIG has observed of PRC-nexus threat actors increasingly employing stealthy tactics to avoid detection.
Google published indicators of compromise (IoCs) and YARA rules for detecting malware employed in the attacks. These resources can help organizations identify and mitigate the risks associated with UNC6384’s activities.