In March 2025, UNC6384 ran a targeted espionage campaign against diplomatic and related organizations, employing a multi-stage, highly evasive delivery chain that culminated in the in‑memory deployment of the SOGU.SEC/PlugX backdoor. Attackers first used an adversary‑in‑the‑middle (AitM) captive‑portal hijack to redirect victims’ browsers to a convincing "plugin update" landing page served over HTTPS with a valid TLS certificate, removing obvious browser warnings and increasing the likelihood of user interaction. From there, a digitally signed downloader (STATICPLUGIN) was fetched and executed, which retrieved an MSI disguised as media content; that MSI installed files that enabled DLL side‑loading of a novel stager (CANONSTAGER) and final payload execution entirely in memory.
Separate reporting shows UNC6384 specifically weaponized the ZDI‑CAN‑25373 Windows shortcut vulnerability (a zero‑day) as part of these campaigns, using the flaw to gain initial code execution and to distribute PlugX variants against diplomatic targets in Hungary and Belgium. The exploitation of a shortcut parsing bug and other Windows weaknesses enabled the threat actor to expand their initial foothold, while techniques such as valid code signing, HTTPS hosting, and carefully crafted social engineering minimized detection and user suspicion.
The adversary’s operational tradecraft is clear: Perform AitM redirects or spearphishing attacks for initial access, leverage legitimate digital‑trust signals to bypass defenses, deploy multi‑stage payloads that culminate in fileless backdoors, and selectively target diplomatic communities.
In this post, we will explore the major historical operations of UNC6384, highlight their notable campaigns against diplomatic and related organizations, and examine the group’s tactics, techniques, and procedures to understand how they conduct cyber attacks. In the end, we will show how Picus helps defend against this group.
Simulate APT Attacks with 14-Day Free Trial of Picus Platform
March 2025 - Google Threat Intelligence Group (GTIG) identifies UNC6384 targeting Southeast Asia diplomatic sectors via captive‑portal hijack campaign.
September‑October 2025 - European diplomatic campaign by UNC6384 using Windows shortcut exploit (ZDI‑CAN‑25373) in Belgium, Hungary, etc.
The landing site (mediareleaseupdates[.]com) set up by UNC6384 closely mimicked a legitimate software update page but instead delivered payloads to users. It used HTTPS with a valid Let’s Encrypt certificate, shown below. Using HTTPS supports social-engineering and malware-delivery efforts by suppressing browser warnings such as "Not Secure" or "Your connection is not private", thereby reducing user suspicion [1].
|
$ openssl x509 -in mediareleaseupdates.pem -noout -text -fingerprint -sha256 |
UNC6384 used a captive portal hijack to deliver malware disguised as an Adobe Plugin update to selected targets. Captive portals redirect users to a designated webpage, often a login or splash screen, before granting internet access, and browsers support this behavior by design. Chrome, for example, issues an HTTP request to a hardcoded URL ("http://www.gstatic.com/generate_204") to enable this redirect mechanism. Although gstatic.com is a legitimate domain, redirect chains were observed that led from this domain to a malicious landing page (mediareleaseupdates[.]com/AdobePlugins.html), culminating in malware delivery. The activity likely relied on compromised edge devices within target networks, though the initial method used to breach those devices remains unknown [1].
UNC6384 targeted diplomats from different countries with targeted spear-phishing emails styled around diplomatic meetings and high-profile conferences. These messages reference events such as European Commission sessions on border facilitation and NATO defense procurement workshops, enticing recipients to open attached shortcut files. The attached LNK files abuse the Windows vulnerability tracked as ZDI-CAN-25373, which enables covert command execution by inserting whitespace padding into the COMMAND_LINE_ARGUMENTS structure. One observed lure carried the filename "Agenda_Meeting 26 Sep Brussels.lnk", showing the tailored, event-themed approach used to deliver the payload [2].
In a UNC6384 campaign, a LNK file launches PowerShell with an obfuscated command that decodes a tar archive named rjnlzlkfe.ta and saves it to the AppData\Local\Temp directory. It then uses tar.exe -xvf to extract the archive and runs cnmpaui.exe to achieve DLL side-loading [2].
In a UNC6384 campaign, the website they set up to deliver malware contained a button labeled "Install Missing Plugins…". Clicking this button triggered the automatic download of AdobePlugins.exe via JavaScript in the file style3.js and changed the page’s background to an image showing instructions for executing the downloaded binary and bypassing potential Windows security protections. Below are the HTML that loads the JavaScript file and the JavaScript file itself [1]:
|
<head> |
|
function myFunction() |
The malware maintains persistence by creating a hidden directory within the user profile, selecting from varied names such as "SamsungDriver", "Intelnet", "VirtualFile", "SecurityScan", or "DellSetupFiles", and copying its extracted files there. It then modifies the registry under Software\Microsoft\Windows\CurrentVersion\Run, adding a value named CanonPrinter that points to the copied cnmpaui.exe, ensuring execution at startup. On each system launch, the directory name may change, and all files are moved to the new location, hindering detection methods that rely on fixed paths and complicating forensic tracing [2].
CANONSTAGER (cnmpaui.dll) employs advanced anti-analysis techniques. It uses custom API hashing to obfuscate the Windows APIs it needs to function [1]. Instead of containing direct, readable import references to functions like VirtualAlloc or CreateThread (which security products heavily monitor), the malware calculates a hash of these function names. It then searches system libraries in memory for matching hashes, thereby dynamically resolving the function addresses at runtime. This makes static analysis of the malware's import table useless.
The malware payload used in one of the UNC6384 campaigns was named AdobePlugins.exe to impersonate a legitimate Adobe software component [1].
The actor-controlled MSI package is named 20250509.bmp. By giving the package a .bmp (bitmap image) file extension, the attackers attempt to evade simple network-based defenses or logging that might be monitoring for .msi or .exe downloads [1].
This technique is used in conjunction with Dynamic API Resolution. Once CANONSTAGER finds the memory addresses of the required Windows APIs, it stores these function pointers in the Thread Local Storage (TLS) array. When the malware needs to call one of these functions, it retrieves the address from the TLS array using an offset.
The following shows how CANONSTAGER locates and saves the address of the GetCurrentDirectoryW function [1]:
|
push 6501CBE1h ; GetCurrentDirectoryW |
The CANONSTAGER loader deployed by UNC6384 decrypts cnmplog.dat, an RC4-encrypted file containing the PlugX payload, using a hardcoded 16-byte key (eQkiwoiuDsvIPsmd), then injects the decrypted PlugX code into the memory space of the legitimately signed cnmpaui.exe (Canon IJ Printer Assistant Tool), allowing the malware to run inside a trusted process and avoid detection by mechanisms that rely on process reputation or executable file analysis [2].
A first-stage downloader (AdobePlugins.exe) delivered by UNC6384 was distributed as a digitally signed binary, using a certificate issued by GlobalSign to Chengdu Nuoxin Times Technology Co., Ltd. Signed malware gains a significant advantage because endpoint defenses and users often trust files with valid digital signatures. That apparent legitimacy makes the malicious file harder for both people and automated systems to detect.
Chengdu Nuoxin Times Technology Co., Ltd appears repeatedly across related activity: at least 25 malware samples signed with its certificates are in use by multiple PRC‑nexus clusters, with many examples visible on public malware repositories. Signed malware tied to this subscriber dates back to at least January 2023, and the connection to PRC‑nexus operations continues to be monitored [1].
Some of the UNC6384’s campaigns leveraged DLL sideloading to execute a malicious payload through legitimate software. The operation used three dropped files: cnmpaui.exe, a legitimate signed Canon IJ Printer Assistant Tool; cnmpaui.dll, a malicious loader known as CANONSTAGER (S1237); and cnmplog.dat, an RC4-encrypted payload identified as SOGU.SEC (PlugX) backdoor. By placing the malicious cnmpaui.dll alongside the legitimate executable (cnmpaui.exe), the technique abused Windows’ DLL search order to ensure the trusted application loaded the attacker’s code. This approach enabled loading of the CANONSTAGER while maintaining the appearance of a legitimate process [1] [2].
We also strongly suggest simulating UNC6384 Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for UNC6384:
|
Threat ID |
Threat Name |
Attack Module |
|
54677 |
PlugX Malware Dropper Download Threat |
Network Infiltration |
|
42715 |
PlugX Malware Downloader Download Threat |
Network Infiltration |
|
71784 |
PlugX Malware Dropper Email Threat |
E-mail Infiltration |
|
88421 |
PlugX Malware Downloader Email Threat |
E-mail Infiltration |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] "PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats," Google Cloud Blog. Accessed: Nov. 03, 2025. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats
[2] A. W. Labs, "UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities," Arctic Wolf. Accessed: Nov. 03, 2025. [Online]. Available: https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/