TL;DR

Google Threat Intelligence Group linked a multi-stage espionage campaign to PRC-nexus actor UNC6384 that targeted diplomats in Southeast Asia and other global entities. The attackers used a captive-portal redirect and social engineering to deliver a digitally signed downloader (STATICPLUGIN) that ultimately deployed the SOGU.SEC/PlugX backdoor.

What happened

In March 2025, Google Threat Intelligence Group (GTIG) identified a layered attack campaign attributed to UNC6384 that targeted diplomats and other organizations. The adversary exploited the browser captive-portal mechanism used to detect network splash pages, redirecting victims to a malicious landing site. That site posed as a plugin-update page over HTTPS (with a valid Let’s Encrypt certificate) and triggered an automatic download of a signed executable named AdobePlugins.exe. The downloader, tracked as STATICPLUGIN and signed with a certificate issued to Chengdu Nuoxin Times Technology Co., Ltd., fetched an MSI package disguised as a BMP file. The MSI installed multiple components, including a side-loaded DLL tracked as CANONSTAGER and an RC4-encrypted SOGU.SEC payload (also known as PlugX). GTIG assessed the redirect was enabled by an adversary-in-the-middle (AitM) capability facilitated through compromised edge devices, although the initial compromise of those devices was not observed. Google issued notifications to affected Gmail and Workspace users and added the identified indicators to Safe Browsing.

Why it matters

  • Targets included diplomats, indicating the campaign supported intelligence collection aligned with PRC strategic interests (as assessed by GTIG).
  • Use of captive-portal redirects and AitM tactics allows attackers to deliver malware without traditional phishing emails, expanding the threat surface.
  • Valid TLS certificates and legitimate code signing make malicious files harder for users and automated defenses to distinguish from benign software.
  • DLL side-loading and in-memory deployment increase stealth and complicate host-based detection and forensic analysis.

Key facts

  • GTIG detected the campaign in March 2025 and attributes it to UNC6384, a PRC-nexus threat actor.
  • Targets included diplomats in Southeast Asia and additional global entities.
  • Attack chain: captive-portal check -> AitM redirect -> STATICPLUGIN downloader -> MSI retrieved (disguised as BMP) -> CANONSTAGER DLL side-load -> SOGU.SEC (PlugX) in-memory backdoor.
  • Chrome’s captive-portal check to http://www.gstatic.com/generate_204 was abused in redirect chains leading to the attacker-controlled site.
  • Malicious landing site used HTTPS with a Let’s Encrypt certificate for mediareleaseupdates[.]com.
  • The STATICPLUGIN downloader (AdobePlugins.exe) was digitally signed by Chengdu Nuoxin Times Technology Co., Ltd.; the certificate was issued by GlobalSign and the binary was signed on May 9, 2025.
  • The MSI delivered three files: cnmpaui.exe (4ed76fa68ef9e1a7…), cnmpaui.dll (e787f64af048b9cb…), and cnmplog.dat (cc4db3d8049043fa…), the last of which contains the RC4-encrypted SOGU.SEC payload.
  • GTIG did not observe how the edge devices used for the AitM were initially compromised.
  • Google sent government-backed attacker alerts to affected Gmail and Workspace users and added identified domains, URLs, and file hashes to Safe Browsing; SecOps was also updated with relevant intelligence.
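The first link in the chain above, the hijacked captive-portal probe, leaves a distinctive trace in web-proxy logs: Chrome's request to http://www.gstatic.com/generate_204 should be answered with an empty HTTP 204, so a 30x answer whose Location points somewhere other than Google or your own portal is anomalous, and the same client then fetching an executable from that host is the STATICPLUGIN delivery step. The script below is an added example written for this summary, not code from GTIG or the report; the key=value log layout, the TRUSTED_PORTAL_HOSTS set, the client addresses and the URL paths are constructed, while the domain mediareleaseupdates[.]com and the file name AdobePlugins.exe are the ones the report names.

```python
"""Flag hijacked captive-portal probes in web-proxy logs.

Added example (not code from the GTIG report). The log format is a
constructed key=value layout; adapt parse_line() to your proxy's format.
Chrome's connectivity probe to http://www.gstatic.com/generate_204 should
receive HTTP 204 with an empty body. A 30x answer redirecting to a host that
is neither Google nor the organisation's own captive portal is flagged; if the
same client then requests a binary from that host, severity becomes high.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

PROBE_URL = "http://www.gstatic.com/generate_204"
# Hosts a probe answer may legitimately come from. Assumption: an organisation
# populates this with its own captive-portal hostnames.
TRUSTED_PORTAL_HOSTS = {"www.gstatic.com", "portal.corp.example"}
# Extensions treated as binary downloads. The report's MSI was served with a
# .bmp name, so extension checks alone are weak; following the redirect at all
# is already scored as medium below.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dll")


@dataclass
class Event:
    ts: str
    client: str
    url: str
    status: int
    location: str  # value of the Location header on redirects, else ""


def parse_line(line: str) -> Event:
    """Parse one constructed 'k=v k=v ...' proxy line; '-' means absent."""
    fields = dict(token.split("=", 1) for token in line.split())
    location = fields.get("location", "-")
    return Event(
        ts=fields["ts"],
        client=fields["src"],
        url=fields["url"],
        status=int(fields["status"]),
        location="" if location == "-" else location,
    )


def classify_followup(events, start, client, host):
    """Score later requests by the same client to the redirect host."""
    severity = "low"  # redirect seen but never followed
    for ev in events[start:]:
        if ev.client != client or urlparse(ev.url).hostname != host:
            continue
        if urlparse(ev.url).path.lower().endswith(EXECUTABLE_SUFFIXES):
            return "high"  # client pulled a binary from the redirect host
        severity = "medium"  # client followed the redirect
    return severity


def find_hijacked_probes(lines):
    events = [parse_line(line) for line in lines if line.strip()]
    findings = []
    for i, ev in enumerate(events):
        if ev.url != PROBE_URL or ev.status == 204:
            continue  # not the probe, or the expected 204 answer
        host = urlparse(ev.location).hostname if ev.location else None
        if host in TRUSTED_PORTAL_HOSTS:
            continue  # the organisation's own portal answered
        findings.append({
            "ts": ev.ts,
            "client": ev.client,
            "status": ev.status,
            "redirect_host": host,
            # A non-204 answer with no Location (e.g. injected body) is medium.
            "severity": classify_followup(events, i + 1, ev.client, host)
            if host else "medium",
        })
    return findings


# Constructed sample log: one clean probe, one answered by the corporate
# portal, one hijacked probe followed by a binary download, one unanswered redirect.
SAMPLE_LOG = """\
ts=2025-03-04T09:12:01Z src=10.0.0.21 url=http://www.gstatic.com/generate_204 status=204 location=-
ts=2025-03-04T09:12:05Z src=10.0.0.33 url=http://www.gstatic.com/generate_204 status=302 location=https://portal.corp.example/login
ts=2025-03-04T09:13:10Z src=10.0.0.57 url=http://www.gstatic.com/generate_204 status=302 location=https://mediareleaseupdates.com/update
ts=2025-03-04T09:13:12Z src=10.0.0.57 url=https://mediareleaseupdates.com/update status=200 location=-
ts=2025-03-04T09:13:14Z src=10.0.0.57 url=https://mediareleaseupdates.com/AdobePlugins.exe status=200 location=-
ts=2025-03-04T09:15:00Z src=10.0.0.80 url=http://www.gstatic.com/generate_204 status=302 location=https://unknown-portal.test/
""".splitlines()

if __name__ == "__main__":
    for finding in find_hijacked_probes(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the probe from 10.0.0.57 is reported as high (redirected to the report's domain and followed by an .exe fetch), the one from 10.0.0.80 as low, and the corporate-portal answer is ignored. Because the real AitM happens upstream on the network path, the probe anomaly is often the earliest host-independent signal available; correlating it with the same client's next downloads is what separates a genuine hotel portal from a redirect chain.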

What to watch next

  • Whether UNC6384 or related actors re-use or re-obtain valid code signing certificates — not confirmed in the source.
  • Further evidence revealing how the edge devices used in the AitM were initially compromised — not confirmed in the source.
  • Any expansion of targeting beyond the identified diplomat and global entity set — not confirmed in the source.

Quick glossary

  • Captive portal: A network feature that redirects users to a specific webpage (often for login or terms acceptance) before granting full internet access.
  • Adversary-in-the-middle (AitM): An attack technique where an adversary intercepts or alters traffic between a user and a legitimate service, enabling redirects or payload delivery.
  • Code signing certificate: A digital certificate used to cryptographically sign software, indicating origin and integrity to users and some security tools.
  • DLL side-loading: A technique where a malicious DLL is placed in a location searched by an application so the legitimate executable loads the attacker-controlled code.
  • Backdoor (SOGU.SEC / PlugX): A persistent remote-access tool that allows an attacker to execute commands and exfiltrate data; SOGU.SEC is tracked as PlugX in this report.
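The side-loading entry above describes the CANONSTAGER stage (cnmpaui.exe loading cnmpaui.dll). A practical host-side check is to triage image-load telemetry for that shape: a signed executable loading a DLL from its own directory where the DLL is unsigned or carries a different signer than the executable. The script below is an added example for this summary, not GTIG's or Sysmon's code; the record fields are modelled on what a Sysmon Event ID 7 image-load event exposes but their names are assumptions, and the install path, signer names and the benign records are constructed (the report gives the file names cnmpaui.exe and cnmpaui.dll but not their location or signer).

```python
"""Triage image-load records for the DLL side-loading pattern.

Added example, not from the GTIG report. Input records are constructed and
modelled loosely on Sysmon Event ID 7 (process image, loaded image, signature
status, signer); the field names are assumptions. Flagged: a signed executable
loading a DLL from its own (non-system) directory where the DLL is unsigned or
signed by a different party than the executable.
"""
from pathlib import PureWindowsPath
from typing import Optional

# Directories where OS-signed DLLs are expected to live.
SYSTEM_DIRS = {
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
}


def is_system_dir(path: PureWindowsPath) -> bool:
    # PureWindowsPath equality is case-insensitive, matching NTFS behaviour.
    return any(path.parent == d for d in SYSTEM_DIRS)


def triage_image_load(record: dict) -> Optional[dict]:
    """Return a finding for one record, or None if it does not match."""
    exe = PureWindowsPath(record["process_image"])
    dll = PureWindowsPath(record["image_loaded"])
    if dll.suffix.lower() != ".dll":
        return None
    if is_system_dir(dll):
        return None  # OS-directory load; not the side-load shape
    if dll.parent != exe.parent:
        return None  # not loaded from the application's own directory
    if not record["exe_signed"]:
        return None  # heuristic targets abuse of a signed host executable

    reasons = []
    if not record["dll_signed"]:
        reasons.append("unsigned DLL beside signed executable")
    elif record["dll_signer"] != record["exe_signer"]:
        reasons.append("DLL signer differs from executable signer")
    if not reasons:
        return None  # same signer on both: ordinary vendor helper DLL

    if dll.stem.lower() == exe.stem.lower():
        reasons.append("DLL name mirrors executable name")
    return {"process": exe.name, "dll": str(dll), "reasons": reasons}


def triage_events(records):
    return [f for f in map(triage_image_load, records) if f is not None]


# Constructed sample records (paths and signer strings are placeholders).
SAMPLE_EVENTS = [
    {   # benign: signed vendor app loading an OS DLL from System32
        "process_image": r"C:\Program Files\Vendor\app.exe",
        "image_loaded": r"C:\Windows\System32\kernel32.dll",
        "exe_signed": True, "exe_signer": "Vendor Inc (constructed)",
        "dll_signed": True, "dll_signer": "Microsoft Windows (constructed)",
    },
    {   # benign: vendor app loading its own helper DLL, same signer
        "process_image": r"C:\Program Files\Vendor\app.exe",
        "image_loaded": r"C:\Program Files\Vendor\helper.dll",
        "exe_signed": True, "exe_signer": "Vendor Inc (constructed)",
        "dll_signed": True, "dll_signer": "Vendor Inc (constructed)",
    },
    {   # the report's shape: cnmpaui.exe loading cnmpaui.dll from the same
        # user-writable directory (path and signer are constructed placeholders)
        "process_image": r"C:\Users\user\AppData\Roaming\cnmpaui.exe",
        "image_loaded": r"C:\Users\user\AppData\Roaming\cnmpaui.dll",
        "exe_signed": True, "exe_signer": "Legitimate Vendor (constructed)",
        "dll_signed": False, "dll_signer": None,
    },
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

Only the third record is reported, with both the signature mismatch and the mirrored name as reasons. The signature check is the load-bearing part: the name match on its own is common in legitimate software and is recorded only as supporting context. Because the report notes the SOGU.SEC payload is decrypted and run in memory, this load event (and the subsequent read of cnmplog.dat by the same process) may be the last on-disk artefact a responder gets before the backdoor is resident.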

Reader FAQ

Who does Google attribute this campaign to?
GTIG attributes the campaign to UNC6384, described as a PRC-nexus threat actor, and assesses that it likely supported PRC strategic interests.

How did the attackers deliver the malware?
They used a captive-portal redirect to an HTTPS landing page that pushed a signed downloader (STATICPLUGIN), which retrieved an MSI that side-loaded a DLL and deployed SOGU.SEC/PlugX.

Were affected users notified and protected?
Google sent government-backed attacker alerts to impacted Gmail and Workspace users, added indicators to Safe Browsing, and updated SecOps with related intelligence.

Do we know how the edge devices were compromised?
GTIG assessed the AitM was facilitated through compromised edge devices but did not observe the method used to compromise those devices.

Written by: Patrick Whitsell

In March 2025, Google Threat Intelligence Group (GTIG) identified a complex, multifaceted campaign attributed to the PRC-nexus threat actor UNC6384. The campaign targeted diplomats in Southeast…
