The Spy on the Network: How a Chinese APT Group Is Hijacking Wi-Fi to Target Diplomats
The Chinese group UNC6384 has launched a series of attacks against diplomats in Southeast Asia and several other countries, acting in the interests of Beijing. The campaign, observed by Google Threat Intelligence Group in the spring of 2025, was marked by a multi-layered scheme involving social engineering, man-in-the-middle attacks, spoofed authentication portals, and even digital certificates issued by trusted authorities. This combination enabled the deployment of one of China’s most infamous espionage tools—PlugX.
The attack chain began with the browser’s automatic connectivity check, a test request to gstatic.com that verifies internet access. At this stage, the attackers served their own site in place of the Wi-Fi captive-portal login page, prompting victims to install a supposed Adobe Plugin update. The site used HTTPS with a Let’s Encrypt certificate, creating the illusion of authenticity.
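A defender-side check for the hijack described above, added here as an example and not taken from the Google report: it classifies the reply to a connectivity probe, treating a plain redirect as an ordinary captive portal and escalating only when the substituted page pushes an executable download. The probe URL (Chrome and Android use http://www.gstatic.com/generate_204, expecting an empty 204) and all sample responses are assumptions constructed for the example.

```python
"""Classify connectivity-check replies to spot a hijacked captive portal.

Added example. A genuine generate_204 answer is an empty HTTP 204; anything
else means a device on the path answered instead. Legitimate hotel or
office portals do that too, so only a page that offers a binary download
(the "Adobe Plugin update" trick in the article) is flagged as suspicious.
"""
import re

EXPECTED_STATUS = 204
# A Wi-Fi sign-in page has no business linking to an installer.
INSTALLER_RE = re.compile(rb'href=["\']?[^"\'>\s]+\.(exe|msi|dll|zip)\b', re.I)


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def classify_connectivity_response(raw: bytes) -> str:
    """Return 'ok', 'captive_portal' or 'suspicious_download' for one reply."""
    status, headers, body = parse_http_response(raw)
    if status == EXPECTED_STATUS and not body:
        return "ok"                       # genuine generate_204 answer
    if status in (301, 302, 303, 307) and "location" in headers:
        if re.search(r"\.(exe|msi)(\?|$)", headers["location"], re.I):
            return "suspicious_download"  # redirect straight to an installer
        return "captive_portal"           # normal sign-in redirect
    if INSTALLER_RE.search(body):
        return "suspicious_download"      # sign-in page offering a binary
    return "captive_portal"


# Constructed sample replies (not captured traffic).
SAMPLES = {
    "clean": b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n",
    "hotel_portal": b"HTTP/1.1 302 Found\r\nLocation: https://portal.example/login\r\n\r\n",
    "fake_update": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b'<html><body>Update required: <a href="/AdobePlugins.exe">'
                    b"Install Adobe Plugin</a></body></html>"),
}


def scan_samples() -> dict:
    """Classify every constructed sample; handy for wiring into a probe loop."""
    return {name: classify_connectivity_response(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:13s} -> {verdict}")
```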
The victim would download AdobePlugins.exe, a loader for STATICPLUGIN. This module was signed with a legitimate certificate from Chengdu Nuoxin Times Technology Co., Ltd, issued by GlobalSign. Through it, an MSI package was retrieved from the same domain, triggering execution of the CANONSTAGER DLL, which injected the primary payload into memory—a customized PlugX variant named SOGU.SEC. For stealthy execution, the attackers abused the legitimate Canon IJ Printer Assistant Tool by sideloading the malicious library cnmpaui.dll.
PlugX, also known as Korplug or SOGU, has been in use since 2008 and remains a cornerstone of Chinese cyber-espionage operations. It can log keystrokes, exfiltrate and upload files, control a remote command shell, and load additional modules. The malware is distributed through phishing emails, USB drives, compromised websites, and counterfeit installers. Though succeeded by the more sophisticated ShadowPad backdoor, PlugX continues to see active deployment.
Google highlights that UNC6384 shares both tactical overlaps and toolsets with Mustang Panda, also known as Bronze President, Camaro Dragon, Earth Preta, RedDelta, and other aliases. Since 2023, researchers have identified more than twenty malicious samples signed with Chengdu-issued certificates, raising pressing questions about how these signing certificates ended up in the attackers’ possession.
Experts believe that traffic redirection through the fake portal was achieved via compromised edge devices in target networks, though the precise intrusion vector remains uncertain. Nevertheless, the blend of connection hijacking, valid digital signatures, and social engineering illustrates the growing sophistication of UNC6384 and the broader evolution of Chinese cyber-espionage capabilities.