Shadows in the Browser: The UNC6384 Syndicate Unmasks a New PlugX Variant “Arp”
In January 2026, researchers at the Japanese firm IIJ identified a new iteration of the PlugX malware, a tool frequently used in targeted intrusions. Analysis linked the campaign to UNC6384, a group widely associated with Chinese cyberespionage. UNC6384 is believed to operate closely with Mustang Panda and is known for intrusions against government bodies across Southeast Asia, with a particular focus on diplomatic missions.
The variant is delivered as an executable posing as a browser update, named Browser_Updater.exe. On launch it displays a fake installation prompt, but the infection proceeds with no user interaction at all. An MSI file is silently downloaded from a remote server; it drops the malware's components into the %LOCALAPPDATA%\pZhozR directory and runs the legitimate Avk.exe executable from the G DATA antivirus suite. The attackers then rely on DLL sideloading: the signed Avk.exe loads a malicious Avk.dll placed beside it, which in turn starts the main payload.
The malware uses API hashing to resolve the system functions it needs at runtime, including NtCreateFile and NtReadFile, so the imports do not appear in the binary. Encrypted shellcode is stored in the AVKTray.dat file and decrypted only in memory, where it unpacks the main PlugX payload. This layering hampers static analysis and lowers the chance of detection by signature-based tools.
The malware's configuration is stored in the .data section, encrypted with RC4. Unlike samples seen before December 2025, this iteration adds an extra layer of parameter encoding before encryption. The RC4 key is derived from the string "VOphJokPpbbQ", of which only the first six characters are used.
After decrypting and decoding the configuration, the researchers recovered the command-and-control address: fruitbrat[.]com. Further analysis showed that responses from this domain match those of the IP address 108.165.255.97, indicating shared infrastructure. Both accept connections on port 443.
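The report above describes the configuration as RC4-encrypted with a key taken from the first six characters of "VOphJokPpbbQ". The following is an added example, not IIJ's tooling, showing how an analyst would apply that key to a dumped .data blob. The page does not document the extra parameter-encoding layer, so the example stops at the RC4 step and returns raw bytes; the ciphertext it works on is constructed here by encrypting a made-up config with the same routine.

```python
"""Decrypt a PlugX configuration blob with the RC4 key derivation from the
IIJ report. Added example; the encoding layer applied before RC4 is not
described on the page and is not undone here."""

KEY_STRING = "VOphJokPpbbQ"   # key string reported in the sample's configuration
KEY_LENGTH = 6                # only the first six characters form the RC4 key


def derive_key(key_string: str = KEY_STRING, length: int = KEY_LENGTH) -> bytes:
    """Return the RC4 key: the leading `length` characters of the key string."""
    return key_string[:length].encode("ascii")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(blob: bytes) -> bytes:
    """Decrypt a dumped .data configuration blob with the derived six-byte key."""
    return rc4(derive_key(), blob)


# Constructed demo input (not from a real sample): a fake config encrypted with
# the same key so the decryptor has something to work on offline.
DEMO_PLAINTEXT = b"arp\x00fruitbrat[.]com\x00443\x00"
DEMO_CIPHERTEXT = rc4(derive_key(), DEMO_PLAINTEXT)


if __name__ == "__main__":
    print("key:", derive_key())
    print("recovered:", decrypt_config(DEMO_CIPHERTEXT))
```

On a real sample, feed `decrypt_config` the bytes dumped from the .data section and apply the additional decoding step afterwards.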
For persistence, the malware copies its files into the %public%\GData directory and creates an autostart registry value at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\G Data. The string "arp" was also found in the configuration and appears to be the internal name of this campaign.
IIJ notes that PlugX activity has continued since the previous year, with its operators steadily refining their evasion techniques. Given the close technical overlap with previously documented tooling, as published by the Google Threat Intelligence Group, this campaign fits the established pattern of UNC6384 operations.