
Global Mustang Panda-Linked Cyberespionage Campaign Examined

Campaign highlights the sophistication of PRC-nexus threat actors, Google researchers claim.

A state-backed multi-stage cyberespionage campaign targeted global organisations and diplomats in Southeast Asia.

Operated since March by the UNC6384 threat group, which is associated with the Chinese advanced persistent threat operation Mustang Panda, it utilised a hijacked captive portal to mount an adversary-in-the-middle attack, luring targets into downloading a bogus Adobe plugin update.

This update, dubbed "STATICPLUGIN", retrieved an MSI package that side-loaded CANONSTAGER to launch the SOGU.SEC malware, according to an analysis from the Google Threat Intelligence Group.
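The captive-portal hijack in the two paragraphs above works because every operating system and browser fetches a fixed connectivity-check URL whenever it joins a network and expects a fixed answer; whoever controls that answer can redirect the user to a page of their choosing. The Python below is an added illustration, not GTIG's tooling and not anything recovered from the campaign: it classifies a probe response as genuine, an ordinary login portal, or a hijack that pushes an installer. The probe URLs and expected bodies are the public defaults for Windows NCSI and Chrome; the three sample responses, including the "plugin update" page and the hosts wifi.example and update.example, are constructed for the example.

```python
"""Classify captive-portal connectivity-probe responses.

Added example, not GTIG code. Probe URLs/expected bodies are the public
defaults; the sample responses below are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Public default probes: URL -> (expected status, expected body).
EXPECTED = {
    "http://www.msftconnecttest.com/connecttest.txt": (200, b"Microsoft Connect Test"),
    "http://www.gstatic.com/generate_204": (204, b""),
}
REDIRECTS = {301, 302, 303, 307, 308}
# File types a legitimate login portal never hands to a connectivity probe.
PAYLOAD_EXT = re.compile(r"\.(msi|exe|dll|zip|js|hta|lnk)(\?|$)", re.I)
# Crude link extractor; good enough for a probe response, not a full HTML parser.
HREF = re.compile(rb"""(?:href|src|action)\s*=\s*["']?([^"'\s>]+)""", re.I)


@dataclass
class Verdict:
    result: str            # "ok" | "captive_portal" | "hijacked"
    reason: str
    links: list = field(default_factory=list)


def payload_links(body: bytes) -> list:
    """Links in an HTML body that point at an installer or script payload."""
    found = set()
    for raw in HREF.findall(body):
        link = raw.decode("ascii", "replace")
        if PAYLOAD_EXT.search(urlparse(link).path):
            found.add(link)
    return sorted(found)


def assess_probe(url: str, status: int, headers: dict, body: bytes) -> Verdict:
    """Compare one probe response with what the OS/browser expects."""
    exp_status, exp_body = EXPECTED[url]
    if status == exp_status and body.strip() == exp_body:
        return Verdict("ok", "probe answered as expected")
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECTS:
        loc = hdrs.get("location", "")
        if PAYLOAD_EXT.search(urlparse(loc).path):
            return Verdict("hijacked", f"probe redirected straight to a payload: {loc}", [loc])
        return Verdict("captive_portal", f"probe redirected to {urlparse(loc).netloc or loc!r}")
    links = payload_links(body)
    if links:
        return Verdict("hijacked", "probe answered with a page offering an installer", links)
    return Verdict("captive_portal", f"probe answered with unexpected content (status {status})")


# Constructed responses: a genuine answer, a hotel login portal, and a hijack
# that serves a fake "plugin update" page in place of the probe body.
SAMPLES = {
    "genuine": ("http://www.msftconnecttest.com/connecttest.txt", 200, {},
                b"Microsoft Connect Test"),
    "hotel_wifi": ("http://www.gstatic.com/generate_204", 302,
                   {"Location": "https://wifi.example/login?session=1"}, b""),
    "hijacked": ("http://www.msftconnecttest.com/connecttest.txt", 200,
                 {"Content-Type": "text/html"},
                 b"<html><body><h1>Plugin update required</h1>"
                 b'<a href="http://update.example/AdobePlugin.msi">Update now</a>'
                 b"</body></html>"),
}


def run_samples() -> dict:
    """Verdict name for each constructed sample."""
    return {name: assess_probe(*args).result for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, args in SAMPLES.items():
        v = assess_probe(*args)
        print(f"{name:10s} {v.result:15s} {v.reason} {v.links}")
```

The useful signal is the third case: a probe that is answered with a 200 and a page offering an installer is not a login portal, whatever the page says. A real network monitor would also follow JavaScript and meta-refresh redirects and record the serving host, which this short check does not attempt.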

"This campaign is a clear example of the continued evolution of UNC6384's operational capabilities and highlights the sophistication of PRC-nexus threat actors," GTIG researcher Patrick Whitsell told The Hacker News.
Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

