Executive Summary
In March 2025, Google’s Threat Intelligence Group (GTIG) documented a complex espionage operation attributed to the PRC-nexus actor UNC6384, overlapping historically with tradecraft seen in TEMP.Hex / Mustang Panda. The campaign hijacks captive-portal flows to redirect victims to a fake “Adobe plugin update” site, delivering a signed downloader (STATICPLUGIN) that ultimately DLL-sideloads CANONSTAGER and deploys SOGU.SEC (PlugX) in memory over encrypted HTTPS C2. Targets included diplomats in Southeast Asia.
MITRE ATT&CK Mapping
- Initial Access: Adversary-in-the-Middle (AitM) via captive-portal hijack —
T1557; Drive-by Compromise —T1189. - Execution: User Execution (fake plugin update) —
T1204.002; Signed Binary Proxy Execution / DLL sideload —T1218.011. - Defense Evasion: Subvert Trust Controls (code signing) —
T1553.002; Obfuscated/Encrypted files —T1027; In-memory/reflective loading —T1620. - Command & Control: Web protocols (HTTPS) —
T1071.001; Encrypted channel —T1573.
Campaign Flow (March 2025)
The UNC6384 intrusion chain layers infrastructure hijacks, signed loaders, DLL sideloading, and memory-only payloads to minimize detection opportunities.
1) Initial Redirect – Captive Portal Hijack (T1557, T1189)
- Chrome’s captive-portal check to
http://www.gstatic.com/generate_204is intercepted; traffic is AitM-redirected to attacker-controlled web content. - Likely achieved through compromise of edge infrastructure.
2) Fake Plugin Delivery – User Execution (T1204.002)
- Victims see a legitimate-looking “Adobe plugin update” page served over valid Let’s Encrypt TLS to appear authentic.
- Clicking the prompt retrieves a signed first-stage executable tracked as STATICPLUGIN.
3) Stage-1 Loader – STATICPLUGIN (T1553.002, T1106)
- Code-signed by Chengdu Nuoxin Times Technology Co., Ltd. (GlobalSign), abused to gain trust and bypass controls.
- Uses Windows installer/COM flow to fetch an MSI disguised as
20250509.bmp, then triggers the next stage via indirect API execution.
4) Stage-2 Sideload – CANONSTAGER (T1218.011)
- MSI drops a Canon IJ Printer executable & DLL pair; DLL sideload (
cnmpaui.dll) injects attacker code under a legitimate host process.
5) Final Payload – PlugX / SOGU.SEC (T1027, T1620)
- The payload is decrypted and run entirely in memory (reflective load), avoiding file-based IOC exposure.
6) C2 & Persistence (T1071.001, T1573)
- HTTPS beacons to attacker infrastructure.
- Persistence via registry artifacts and mutexes with modular tasking typical of PlugX families.
IOC Highlights (selected)
Domains / URLs
mediareleaseupdates[.]com
https[:]//mediareleaseupdates[.]com/AdobePlugins.html
https[:]//mediareleaseupdates[.]com/style3.js
https[:]//mediareleaseupdates[.]com/AdobePlugins.exe
https[:]//mediareleaseupdates[.]com/20250509.bmp
Example hashes (SHA-256)
AdobePlugins.exe 65c42a7e...027ec124
20250509.bmp (MSI) 32998665...f3349916
cnmpaui.dll e787f64a...b1e4011
TLS Certificate
CN=mediareleaseupdates[.]com; issued by Let’s Encrypt
Comparison with Other Write-ups
| Source | What it adds |
|---|---|
| Google GTIG | Full intrusion chain, IOCs, YARA signatures, infection flow diagrams. |
| SecurityWeek (PlugX takedown) | Law-enforcement remediation context: C2 access and self-delete at scale. |
Operation Self-Delete: When Law Enforcement Flips the Script
In January 2025, U.S. and French authorities (with Sekoia.io) neutralized a Mustang Panda PlugX variant by obtaining court-approved access to a C2 server and pushing the malware’s built-in self-delete command to more than 4,200 infected U.S. systems. The routine removed files, killed processes, and cleaned persistence keys, demonstrating how defender access to adversary infrastructure can enable direct remediation at scale.
- C2 intel is power: If you own the C2, you can dictate the malware’s behaviour (including self-removal).
- Know the code: “Self-delete” features can be strategically leveraged in takedowns.
- Lawful authority: Multi-month warrants enabled a phased, measured cleanup with ISP notifications.
Defender Takeaways
- Watch captive-portal flows: Unusual redirects from
gstatic.comshould trigger alerts. - Don’t trust the seal: Validate signed binaries beyond “is signed?”
- Hunt for sideload paths: Canon IJ Printer & similar vendor executables are frequent sideload targets.
- Memory-first detection: Telemetry to surface reflective loads and API-hash obfuscation.
- Plan for disruption: Track C2; where lawful, coordinate response to compel implants to remove themselves.
Conclusion
UNC6384’s “deception in depth” shows the continued maturation of PRC-nexus espionage tradecraft: infrastructure hijacks, trust subversion via code signing, and memory-resident payloads. Yet the PlugX self-delete operation underlines that defenders aren’t just reacting—given the right intelligence and authorities, they can co-opt adversary capabilities for large-scale remediation. In the immortal words of Ron Burgundy: “Stay classy, UNC6384.”