PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats

Aug. 26, 2025, 8:13 a.m.

Description

A sophisticated cyber espionage campaign attributed to the PRC-nexus threat actor UNC6384 targeted diplomats in Southeast Asia and other global entities. The attack chain involved hijacking web traffic through a captive portal redirect to deliver malware disguised as software updates. The multi-stage attack utilized advanced social engineering, adversary-in-the-middle techniques, and evasion tactics. The malware payload, SOGU.SEC backdoor, was deployed through a digitally signed downloader (STATICPLUGIN) and a side-loaded DLL (CANONSTAGER). The campaign demonstrated the evolving capabilities of PRC-nexus threat actors, employing stealthy tactics to avoid detection and leveraging legitimate Windows features for malicious purposes.

External References

https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats
https://otx.alienvault.com/pulse/68acfa70f85ead1f5b1f64d3
Tags
espionage
social engineering
in-memory execution
2025-08-26
prc-nexus
canonstager
sogu.sec
digital signatures
staticplugin
captive portal

Date

  • Created: Aug. 26, 2025, 12:06 a.m.
  • Published: Aug. 26, 2025, 12:06 a.m.
  • Modified: Aug. 26, 2025, 8:13 a.m.

Indicators

  • e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011
  • d1626c35ff69e7e5bde5eea9f9a242713421e59197f4b6d77b914ed46976b933
  • cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79
  • 65c42a7ea18162a92ee982eded91653a5358a7129c7672715ce8ddb6027ec124
  • 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3
  • 3299866538aff40ca85276f87dd0cefe4eafe167bd64732d67b06af4f3349916
  • 166.88.2.90
  • 103.79.120.72
  • mediareleaseupdates.com
Download all indicators here!

Attack Patterns

  • SOGU.SEC
  • CANONSTAGER
  • STATICPLUGIN
  • UNC6384

Additional Informations

  • Government