Google’s Threat Intelligence Group has uncovered a cyber espionage campaign of a PRC-linked threat actor, which it tracks as UNC6384, using captive portals and adversary-in-the-middle tactics to target diplomats across Southeast Asia.
Captive portals are the type of sign-in pages familiar to anyone who has logged into hotel Wi-Fi. Instead of leading to a legitimate login, these portals mimicked VPN services or software update pages to deceive victims.
Once a victim visited, they were served a digitally signed downloader tracked as STATICPLUGIN, which in turn deployed SOGU.SEC, a variant of the notorious PlugX backdoor. PlugX has long been associated with Chinese state-backed intrusion playbook. But this latest variant was delivered through an updated tradecraft designed to avoid detection.
Technical Details
-
Delivery Mechanism: The malware was signed with a legitimate digital certificate, allowing it to bypass endpoint defenses.
-
Execution Techniques: UNC6384 used indirect execution and adversary-in-the-middle (AitM) techniques to blend with normal traffic and avoid signature-based detection.
-
Data Collection: Once inside, SOGU.SEC enabled lateral movement, file exfiltration, and ongoing surveillance of sensitive diplomatic systems.
-
Infrastructure: The group operated attacker-controlled redirectors, which intercepted traffic and funneled it through malicious portals.
Google said it notified the compromised organizations via government-backed alerts and sharing malicious domains and file hashes that were also added to its Safe Browsing feature.
Why Diplomats?
UNC6384’s targeting of diplomats has the geopolitical underpinnings of the campaign. The group zeroed in on government agencies, embassies and foreign service workers operating in Southeast Asia—an area where China has pressing economic and strategic interests. Unlike ransomware or financially motivated operations, this activity reflects the calculated objectives of a nation-state adversary.
Diplomats are high-value strategic targets. By embedding themselves in their systems, attackers can gain insight into negotiations, policy positions, and alliances. According to recent analysis, Chinese APT groups are increasingly focusing on strategic pre-positioning in critical infrastructure and supply chains, often leveraging edge devices, software frameworks with minimal endpoint defenses, and “living-off-the-land” techniques to ensure persistence and stealth.
