Chinese UNC6384 Hackers Use Valid Code-Signing Certificates to Evade Detection

Google Threat Intelligence Group (GTIG) has uncovered a multifaceted cyber espionage operation attributed to the PRC-nexus threat actor UNC6384, believed to be associated with TEMP.Hex (also known as Mustang Panda).

This campaign, aligned with China’s strategic interests, primarily targeted diplomats in Southeast Asia alongside global entities, employing advanced tactics such as adversary-in-the-middle (AitM) attacks, captive portal hijacks, and digitally signed malware to facilitate stealthy intrusions.

Attack chain diagram

Sophisticated Espionage Campaign

By hijacking web traffic through compromised edge devices, attackers redirected victims to malicious sites mimicking legitimate software updates, ultimately deploying the SOGU.SEC backdoor (a variant of PlugX) for persistent access and data exfiltration.

GTIG’s analysis reveals a multi-stage attack chain that leverages valid code-signing certificates to bypass endpoint defenses, highlighting the group’s evolving capabilities in evasion and social engineering.

The operation begins with a captive portal hijack: the attackers abuse the browser's connectivity check to the hardcoded URL http://www.gstatic.com/generate_204, redirecting that traffic via AitM to attacker-controlled domains such as mediareleaseupdates[.]com, which are secured with Let's Encrypt TLS certificates.

Victims encounter a deceptive landing page urging the installation of a fake “Adobe Plugin” update, complete with HTTPS encryption to avoid browser warnings and enable encrypted malware delivery.

Malware landing page

Multi-Stage Malware Delivery

Upon interaction, JavaScript from style3.js triggers the download of AdobePlugins.exe, a digitally signed downloader tracked as STATICPLUGIN, certified by Chengdu Nuoxin Times Technology Co., Ltd. via GlobalSign.

Signed on May 9, 2025, this binary masquerades as a Microsoft Visual C++ 2013 Redistributable installer, using Windows COM Installer objects to fetch an MSI package disguised as a BMP file, which deploys the CANONSTAGER DLL through side-loading.

CANONSTAGER, executed via cnmpaui.exe (a legitimate Canon IJ Printer Assistant Tool), employs sophisticated obfuscation including custom API hashing stored in Thread Local Storage (TLS) arrays to resolve functions like GetCurrentDirectoryW, evading static analysis.

It further abuses Windows features such as custom window procedures, message queues, and WM_SHOWWINDOW messages for indirect code execution, creating hidden overlapped windows and dispatching messages asynchronously to decrypt and launch the RC4-encrypted SOGU.SEC payload from cnmplog.dat using EnumSystemGeoID callbacks.

This in-memory deployment ensures no disk-based artifacts, blending with legitimate system activity.

SOGU.SEC, a heavily obfuscated backdoor, enables system reconnaissance, file transfers, and remote shell execution, communicating over HTTPS to C2 IP 166.88.2[.]90 with a custom User-Agent mimicking MSIE 9.0.

GTIG attributes this to UNC6384 based on TTP overlaps, including Southeast Asian targeting, DLL side-loading, and shared C2 infrastructure with TEMP.Hex.

The use of Chengdu Nuoxin-signed malware dates back to 2023, with 25 tracked samples across PRC-nexus clusters, raising questions about certificate compromise or complicity.

Google has responded by issuing government-backed attack alerts, updating Safe Browsing lists, and enhancing Google SecOps threat intelligence.

Defenders are urged to enable Enhanced Safe Browsing, patch edge devices, and implement 2-Step Verification, while monitoring for host indicators such as the mutex KNbgxngdS and the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CanonPrinter.

Indicators of Compromise (IOCs)

File Hashes (SHA-256)
  AdobePlugins.exe: 65c42a7ea18162a92ee982eded91653a5358a7129c7672715ce8ddb6027ec124
  20250509.bmp (MSI): 3299866538aff40ca85276f87dd0cefe4eafe167bd64732d67b06af4f3349916

Certificate Fingerprints (SHA-1)
  mediareleaseupdates[.]com: c8744b10180ed59bf96cf79d7559249e9dcf0f90
  AdobePlugins.exe: eca96bd74fb6b22848751e254b6dc9b8e2721f96

Network Indicators
  Landing page: https[:]//mediareleaseupdates[.]com/AdobePlugins[.]html
  JavaScript: https[:]//mediareleaseupdates[.]com/style3[.]js
  MSI package: https[:]//mediareleaseupdates[.]com/20250509[.]bmp
  Hosting IP: 103.79.120[.]72
  C2 IP: 166.88.2[.]90
  SOGU.SEC User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)

Host Indicators
  Mutex name: KNbgxngdS
  RC4 key: mqHKVbHWWAJwrLXD
  File path: %LOCALAPPDATA%\DNVjzaXMFO
  File path: C:\Users\Public\Intelnet
  File path: C:\Users\Public\SecurityScan
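As an added illustration (not code from GTIG or the article), the following Python script turns the host and network indicators above, plus the cnmpaui.exe side-loading pattern described in the analysis, into a small triage rule set and runs it over constructed key=value event lines. The log format, the Program Files install path assumed for the legitimate Canon tool, and the sample events are all assumptions made for the example.

```python
import re

# Indicators quoted in the article; the Run key and paths are written with their backslashes restored.
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CanonPrinter"
MUTEX = "KNbgxngdS"
SIDELOAD_HOST = "cnmpaui.exe"   # legitimate Canon IJ Printer Assistant Tool used as the loader
PAYLOAD_FILE = "cnmplog.dat"    # RC4-encrypted SOGU.SEC container
SIGNER = "Chengdu Nuoxin Times Technology Co., Ltd."
C2_IP = "166.88.2.90"

KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse(line: str) -> dict:
    """Parse one constructed key=value event line; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV.finditer(line)}

def classify(ev: dict) -> list[str]:
    """Return the names of the indicators an event matches (empty list = clean)."""
    hits = []
    kind, image = ev.get("type"), ev.get("image", "")
    if kind == "process" and image.lower().endswith(SIDELOAD_HOST):
        # Assumption: the vendor tool lives under Program Files; a copy in a user-writable
        # directory next to cnmplog.dat is the side-loading pattern described in the article.
        if not image.lower().startswith(r"c:\program files"):
            hits.append("cnmpaui.exe outside Program Files (side-load host)")
    if kind == "file" and ev.get("path", "").lower().endswith(PAYLOAD_FILE):
        hits.append("cnmplog.dat payload container")
    if kind == "registry" and ev.get("key", "").lower() == RUN_KEY.lower():
        hits.append("CanonPrinter Run key persistence")
    if kind == "mutex" and ev.get("name") == MUTEX:
        hits.append("SOGU.SEC mutex")
    if kind == "signature" and ev.get("signer") == SIGNER:
        hits.append("Chengdu Nuoxin signed binary (hunt lead, not proof)")
    if kind == "network" and ev.get("dst") == C2_IP:
        hits.append("SOGU.SEC C2 address")
    return hits

def scan(log: str) -> list[tuple[int, list[str]]]:
    """Run every rule over each line; return (line number, hits) for lines that match."""
    findings = []
    for n, line in enumerate(log.strip().splitlines(), 1):
        hits = classify(parse(line))
        if hits:
            findings.append((n, hits))
    return findings

# Constructed sample events (not real telemetry): lines 1, 3, 4, 5 and 6 should fire.
SAMPLE_LOG = r'''
type=process image="C:\Users\Public\Intelnet\cnmpaui.exe" parent="C:\Windows\System32\msiexec.exe"
type=process image="C:\Program Files\Canon\IJ Printer Assistant Tool\cnmpaui.exe" parent="C:\Windows\explorer.exe"
type=file path="C:\Users\Public\Intelnet\cnmplog.dat" op=create
type=registry key="HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CanonPrinter" op=set
type=mutex name=KNbgxngdS
type=network dst=166.88.2.90 dport=443
type=network dst=8.8.8.8 dport=53
'''

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```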


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.