UNC6384 Uses Captive Portal Hijacks and Valid Certificates for PlugX Deployment Targeting Diplomats

August 25, 2025
Malware / Cyber Espionage

A threat actor associated with China, known as UNC6384, has been linked to a series of attacks aimed at diplomats in Southeast Asia and various global entities to further Beijing’s strategic goals. “This complex attack chain employs sophisticated social engineering tactics, including the use of legitimate code signing certificates, adversary-in-the-middle (AitM) techniques, and indirect execution methods to bypass detection,” noted Patrick Whitsell from Google’s Threat Intelligence Group (GTIG). UNC6384 is believed to share resources and tactics with the well-known Chinese hacking group Mustang Panda, also identified by multiple aliases such as BASIN, Bronze President, and more. The campaign, identified by GTIG in March 2025, features a captive portal redirect to hijack web traffic and distribute a digitally signed downloader known as STATICPLUGIN. This downloader subsequently facilitates…

UNC6384 Employs PlugX via Captive Portal Hijacks and Valid Code-Signing Certificates Targeting Diplomats

On August 25, 2025, Google Threat Intelligence Group (GTIG) disclosed a cyber-espionage campaign attributed to a threat actor tracked as UNC6384. The group is assessed to be aligned with Chinese state interests and has been observed targeting diplomats in Southeast Asia as well as other entities worldwide, with the apparent aim of advancing China's geopolitical goals.

The multi-stage attack chain combines social engineering with technical evasion: a downloader signed with a legitimate code-signing certificate is delivered through an adversary-in-the-middle (AitM) captive portal redirect, and the payload is launched through indirect execution methods. According to GTIG researcher Patrick Whitsell, each of these elements is chosen to make the activity harder to detect.

Notably, UNC6384 exhibits considerable overlap in tactics and tools with the notorious Chinese hacking faction Mustang Panda. This group is also known by various aliases, including BASIN, Bronze President, and RedDelta, reflecting a suite of activities and behaviors that have been the subject of intelligence scrutiny over the years. The linkage between UNC6384 and Mustang Panda raises concerns about the potential for resource sharing and operational collaboration between these entities.

The campaign, first identified by GTIG in March 2025, stands out for its use of a captive portal redirect. A captive portal is the login or acceptance page a network presents when a device's connectivity check is intercepted; by hijacking that check, the attackers redirected victims' web traffic to a digitally signed downloader identified as STATICPLUGIN. That downloader then stages the follow-on PlugX payload, posing significant risk to the targeted environments.

In terms of adversary tactics, the reported chain maps onto several areas of the MITRE ATT&CK matrix. Initial access relied on the adversary-in-the-middle captive portal redirect, which exploits the trust users place in what looks like a routine network login page. Defense evasion, rather than persistence, is where the legitimate code-signing certificates fit: a validly signed downloader passes signature checks that would otherwise flag unsigned binaries, and the indirect execution methods further obscure what actually runs. Persistence and privilege escalation techniques are not detailed in the report, though a PlugX deployment typically requires both to maintain access and move further into the targeted systems.

The ramifications of such attacks extend beyond the immediate compromise, potentially impacting diplomatic relations and sensitive information security. As cyber threats evolve, the sophistication of these tactics underscores the necessity for robust cybersecurity measures among businesses, especially those engaged in sensitive diplomatic or international activities.

This revelation serves as a reminder for business owners and cybersecurity professionals alike to remain vigilant against the ever-changing landscape of cyber threats. Continuous education, enhanced security protocols, and monitoring for unusual activities can serve as vital components in safeguarding against potential incursions stemming from entities like UNC6384.
