
Google Links Captive-Portal Hijacks Targeting Diplomats to China-Aligned UNC6384

Google issued state-backed attacker alerts after reconstructing a March campaign that used signed downloads to deliver a PlugX variant.

Photo: 16 December 2021, Baden-Wuerttemberg, Rottweil: hacker software open on a laptop. Silas Stein/dpa (picture alliance via Getty Images)

Overview

  • Researchers say an adversary-in-the-middle captive-portal redirect sent targets to a fake Adobe plugin site that delivered a signed downloader named AdobePlugins.exe.
  • The downloader, tracked as STATICPLUGIN and signed with a GlobalSign certificate issued to Chengdu Nuoxin, side-loaded CANONSTAGER to run the SOGU.SEC PlugX backdoor in memory.
  • About two dozen victims downloaded the malware, with most believed to be diplomats in Southeast Asia, though the full scope of data loss remains unclear.
  • GTIG (Google Threat Intelligence Group) attributes the operation to UNC6384, with overlaps to clusters commonly tracked as Mustang Panda, TEMP.Hex, and Silk Typhoon.
  • Google blocked associated domains and hashes via Safe Browsing, notified affected Gmail and Workspace users, shared IoCs and YARA rules, and advised treating Chengdu Nuoxin–signed binaries as untrusted; the initial edge-device compromise vector is still under investigation.
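The chain summarised above (a vendor-impersonating executable delivered by redirect, signed by a publisher the report says to distrust, then side-loading an unsigned DLL from the same user-writable folder to stage PlugX) lends itself to simple endpoint triage rules. The script below is an added example, not code from Google, GTIG or the report: it runs three checks over constructed JSON-lines telemetry. The only values taken from the summary are the file name AdobePlugins.exe and the signer string "Chengdu Nuoxin"; the host name, PIDs, paths and DLL name are placeholders, and the certificate's full subject is not on the page, so signer matching is done on that substring.

```python
"""Triage constructed endpoint telemetry for the signed-loader / DLL
side-loading chain described in the summary (defensive example)."""
import json
import ntpath
from collections import Counter

# Constructed sample events (JSON lines). Host, PIDs, paths and the DLL name
# are placeholders, not indicators from the report; only AdobePlugins.exe and
# the signer substring "Chengdu Nuoxin" come from the summary.
SAMPLE_TELEMETRY = r"""
{"type": "file_download", "host": "redirect-target.invalid", "path": "C:\\Users\\alice\\Downloads\\AdobePlugins.exe", "signer": "Chengdu Nuoxin"}
{"type": "process_create", "pid": 4242, "image": "C:\\Users\\alice\\Downloads\\AdobePlugins.exe", "signer": "Chengdu Nuoxin"}
{"type": "image_load", "pid": 4242, "image": "C:\\Users\\alice\\Downloads\\AdobePlugins.exe", "loaded": "C:\\Users\\alice\\Downloads\\helper-placeholder.dll", "signer": ""}
{"type": "image_load", "pid": 4242, "image": "C:\\Users\\alice\\Downloads\\AdobePlugins.exe", "loaded": "C:\\Windows\\System32\\kernel32.dll", "signer": "Microsoft Windows"}
{"type": "process_create", "pid": 5001, "image": "C:\\Program Files\\Adobe\\adobe-placeholder.exe", "signer": "Adobe Inc."}
{"type": "image_load", "pid": 5001, "image": "C:\\Program Files\\Adobe\\adobe-placeholder.exe", "loaded": "C:\\Windows\\System32\\kernel32.dll", "signer": "Microsoft Windows"}
"""

# Signer substrings the summary says to treat as untrusted (case-insensitive).
UNTRUSTED_SIGNER_SUBSTRINGS = ("chengdu nuoxin",)
# Vendor keyword found in a file name -> substring expected in its signer.
BRAND_SIGNERS = {"adobe": "adobe"}
# Directory markers that indicate a user-writable location on Windows.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def _signer(ev):
    return (ev.get("signer") or "").lower()


def rule_untrusted_signer(ev):
    """Flag any downloaded, started or loaded image signed by a distrusted publisher."""
    if any(m in _signer(ev) for m in UNTRUSTED_SIGNER_SUBSTRINGS):
        return {"rule": "untrusted_signer",
                "subject": ev.get("image") or ev.get("path"), "signer": ev.get("signer")}
    return None


def rule_brand_signer_mismatch(ev):
    """Flag an executable whose name borrows a vendor brand its signer does not match."""
    target = ev.get("image") or ev.get("path")
    if ev.get("type") not in ("file_download", "process_create") or not target:
        return None
    name = ntpath.basename(target).lower()
    for brand, expected in BRAND_SIGNERS.items():
        if brand in name and expected not in _signer(ev):
            return {"rule": "brand_signer_mismatch", "subject": target,
                    "signer": ev.get("signer", "")}
    return None


def rule_dll_sideload(ev):
    """Flag an unsigned DLL loaded from the host process's own user-writable directory."""
    if ev.get("type") != "image_load":
        return None
    host, dll = ev["image"], ev["loaded"]
    dll_dir = ntpath.dirname(dll).lower()
    same_dir = ntpath.dirname(host).lower() == dll_dir
    writable = any(m in dll_dir for m in USER_WRITABLE_MARKERS)
    if same_dir and writable and not _signer(ev):
        return {"rule": "dll_sideload", "subject": dll, "pid": ev.get("pid"), "host": host}
    return None


RULES = (rule_untrusted_signer, rule_brand_signer_mismatch, rule_dll_sideload)


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Run every rule over every event and collect the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


def triage_sample():
    return triage(parse_events(SAMPLE_TELEMETRY))


if __name__ == "__main__":
    for alert in triage_sample():
        print(alert)
    print(Counter(a["rule"] for a in triage_sample()))
```

On the constructed sample the signed-loader events trip the untrusted-signer and brand-mismatch rules, the unsigned DLL next to AdobePlugins.exe trips the side-load rule, and the legitimately signed placeholder under Program Files loading kernel32.dll from System32 produces nothing. In production the signer would come from the EDR's Authenticode field rather than a JSON string, and the side-load rule is a heuristic that should be tuned against installers that legitimately ship unsigned helper DLLs.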