UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats

A China-linked threat actor, UNC6384, has executed sophisticated multi-stage attacks targeting diplomats and global entities by using social engineering, valid code signing, and AitM attacks. The campaign involves hijacking web traffic via captive portals to deliver malware like STATICPLUGIN and SOGU.SEC, demonstrating advanced tactics and tools associated with Chinese hacking groups. #UNC6384 #PlugX #MustangPanda #AitM #CyberEspionage

Key points

  • UNC6384 is a China-nexus threat actor targeting international diplomats and entities.
  • The attack uses social engineering, valid code signing, and adversary-in-the-middle techniques to evade detection.
  • The campaign employs captive portal hijacking to trick targets into downloading malware disguised as legitimate updates.
  • Malware such as STATICPLUGIN and SOGU.SEC is delivered in layered stages to provide remote access and data exfiltration.
  • The campaign demonstrates the evolving sophistication of Chinese hacking groups and their operational capabilities.

Read More: https://thehackernews.com/2025/08/unc6384-deploys-plugx-via-captive.html