Chinese UNC6384 Hackers Leverage Valid Code Signing Certificates to Evade Detection


A stealthy espionage campaign emerged in early 2025 targeting diplomats and government entities in Southeast Asia and beyond.

At the heart of this operation lies STATICPLUGIN, a downloader meticulously disguised as a legitimate Adobe plugin update.

Victims encountered a captive portal hijack that redirected browsers to malicious domains, where an HTTPS-secured landing page prompted users to “Install Missing Plugins…”—a ruse to lower suspicion and bypass browser warnings.


[Image: Malware landing page (Source: Google Cloud)]

Once executed, the binary deployed a multi-stage chain culminating in the in-memory launch of the SOGU.SEC backdoor.

Following the initial compromise, STATICPLUGIN retrieves an MSI package masquerading as a BMP image. Inside this package resides CANONSTAGER, which is DLL side-loaded to execute the encrypted payload cnmplog.dat.

This side-loading technique exploits trusted Windows components to evade host-based defenses. Google Cloud analysts identified this novel combination of captive portal hijacking and valid code signing as a sophisticated evolution in PRC-nexus tradecraft.
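The report describes the second stage arriving as an MSI package under a BMP file name. A cheap defensive check at a proxy, mail gateway or sandbox is to compare a file's leading bytes with what its extension promises. The following is an added example written for this article, not code from Google Cloud or from the campaign; the file names and bytes are constructed for the demo, and the magic-prefix table covers only the formats mentioned here.

```python
"""Flag files whose declared extension disagrees with their content.

Added defensive example (not code from the Google Cloud report): the campaign
fetches an MSI package under a .bmp name, so a cheap proxy- or sandbox-side
check is to compare a file's leading bytes with what its extension promises.
"""
from __future__ import annotations

# Magic prefixes for the formats that matter here. MSI packages are OLE2
# compound documents, BMP images start with "BM", PE executables/DLLs with "MZ".
CONTENT_MAGIC = {
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "bmp": b"BM",
    "pe": b"MZ",
}

# What each extension is expected to contain; extensions not listed (such as
# the encrypted cnmplog.dat) carry no expectation and are never flagged.
EXTENSION_EXPECTS = {"msi": "ole2", "bmp": "bmp", "exe": "pe", "dll": "pe"}


def sniff(data: bytes) -> str | None:
    """Return the content label whose magic prefix matches, or None."""
    for label, magic in CONTENT_MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def check_file(name: str, data: bytes) -> dict:
    """Compare the extension's expectation with the sniffed content."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXTENSION_EXPECTS.get(ext)
    actual = sniff(data)
    return {
        "name": name,
        "expected": expected,
        "actual": actual,
        # Only flag when the extension makes a promise the bytes break.
        "mismatch": expected is not None and actual != expected,
    }


def mismatched_names(files: dict[str, bytes]) -> list[str]:
    """Names of files whose content contradicts their extension."""
    return [n for n, d in files.items() if check_file(n, d)["mismatch"]]


# Constructed samples: an MSI container behind a .bmp name (the pattern the
# report describes), plus benign-looking files that should not be flagged.
SAMPLES = {
    "update.bmp": CONTENT_MAGIC["ole2"] + b"\x00" * 24,
    "logo.bmp": b"BM" + b"\x00" * 30,
    "AdobePlugins.exe": b"MZ" + b"\x00" * 30,
    "cnmplog.dat": bytes(range(32)),
}

if __name__ == "__main__":
    for name in mismatched_names(SAMPLES):
        print(f"{name}: content does not match extension")
```

Only `update.bmp` is reported: its bytes are an OLE2 container, which is what an MSI is, while the `.dat` file is deliberately left unjudged because encrypted blobs have no fixed header to compare against.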

Evidence indicates that Chengdu Nuoxin Times Technology Co., Ltd. issued the signing certificates used for STATICPLUGIN, lending the downloader false legitimacy.

These certificates, issued by GlobalSign and Let’s Encrypt, allowed the malware to bypass many endpoint security solutions that trust digitally signed binaries.

[Image: Downloader with valid digital signature (Source: Google Cloud)]

Google Cloud researchers noted that although the original certificate expired on July 14, 2025, UNC6384 likely re-signs subsequent build iterations to maintain uninterrupted stealth.

Detailed analysis of CANONSTAGER reveals unconventional evasion tactics. The launcher resolves Windows API addresses using a custom hashing algorithm and stores them in Thread Local Storage (TLS), an atypical location that may go unnoticed by monitoring tools.

[Image: Example of storing function addresses in TLS array (Source: Google Cloud)]
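When a launcher resolves APIs by hash, as the article says CANONSTAGER does, the analyst's routine job is to turn the hash constants found in the sample back into API names by hashing every export of the DLLs it loads. The block below is an added example, not code from the report or the campaign: the report does not publish the hashing algorithm, so the ROR-13 style `api_hash` here is an illustrative stand-in that you would replace with the routine lifted from the sample, and the short `EXPORTS` lists are constructed in place of real PE export tables.

```python
"""Build a hash -> API-name table for recovering hashed imports.

Added analyst example, not code from the Google Cloud report. The hash
function is an assumption (a ROR-13 style routine chosen for illustration);
in a real case you substitute the sample's own algorithm and feed it the
export names read from the relevant DLLs (e.g. via pefile).
"""
from __future__ import annotations


def api_hash(name: str) -> int:
    """Illustrative 32-bit ROR-13 accumulation over the ASCII bytes of a name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 bits
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for export tables; real runs read the PE export
# directory of each DLL the sample loads.
EXPORTS = {
    "kernel32.dll": ["CreateThread", "VirtualAlloc", "EnumSystemGeoID", "LoadLibraryA"],
    "user32.dll": ["CreateWindowExW", "RegisterClassExW", "ShowWindow", "PostMessageW"],
}


def build_table(exports: dict[str, list[str]]) -> dict[int, tuple[str, str]]:
    """Map every export's hash to (dll, name) so constants can be looked up."""
    table: dict[int, tuple[str, str]] = {}
    for dll, names in exports.items():
        for name in names:
            table[api_hash(name)] = (dll, name)
    return table


def resolve(hashes: list[int], table: dict[int, tuple[str, str]]) -> list[tuple[str | None, str | None]]:
    """Resolve hash constants pulled from a sample; unknowns come back as (None, None)."""
    return [table.get(h, (None, None)) for h in hashes]


if __name__ == "__main__":
    table = build_table(EXPORTS)
    # Hashes an analyst might have copied out of the launcher's resolver loop.
    wanted = [api_hash("EnumSystemGeoID"), api_hash("CreateThread"), 0xDEADBEEF]
    for h, (dll, name) in zip(wanted, resolve(wanted, table)):
        print(f"{h:08x} -> {dll}/{name}")
```

An unresolved constant usually means either a DLL missing from the export set or a hash routine that was lifted incorrectly, which is why the table is rebuilt from the real exports rather than hand-curated.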

By invoking these functions indirectly through a hidden window procedure and dispatching a WM_SHOWWINDOW message, CANONSTAGER conceals its true control flow within legitimate Windows message queues.

[Image: Overview of CANONSTAGER execution using Windows message queue (Source: Google Cloud)]

Detection Evasion through In-Memory Execution

One of UNC6384’s most remarkable innovations lies in its end-to-end in-memory execution. After establishing the hidden window and resolving APIs, CANONSTAGER creates a new thread to decrypt cnmplog.dat using a hardcoded 16-byte RC4 key.

Rather than writing the decrypted SOGU.SEC payload to disk, the launcher passes it to EnumSystemGeoID as that API's enumeration callback, so the Windows function itself transfers control to the backdoor directly in memory.

This technique denies defenders valuable forensic artifacts, as no malicious binary resides on disk.
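Because the payload never touches disk in decrypted form, the forensic path is to recover the 16-byte RC4 key from the launcher and reproduce the decryption offline. The block below is an added example for that workflow, not code from the report or the campaign: it implements standard RC4, decrypts a blob, and applies the sanity check an analyst uses to confirm the key was right, namely that the output starts with a DOS header whose e_lfanew points at a PE signature. The key and the "encrypted" blob are constructed for the demo and are not the campaign's values.

```python
"""Decrypt an RC4-protected payload blob and sanity-check the result.

Added analyst example, not code from the Google Cloud report. With the
16-byte RC4 key recovered from the launcher, an analyst reproduces the
in-memory decryption of cnmplog.dat offline and checks for a PE image.
DEMO_KEY and FAKE_PE are constructed stand-ins, not real campaign data.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream); encrypt and decrypt are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Post-decryption check: 'MZ' DOS header and e_lfanew pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_and_check(key: bytes, blob: bytes) -> tuple[bytes, bool]:
    """Return the decrypted bytes and whether they pass the PE sanity check."""
    plain = rc4(key, blob)
    return plain, looks_like_pe(plain)


# Constructed demo material: a minimal fake PE header and a 16-byte demo key.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
_hdr = bytearray(b"MZ" + b"\x00" * 0x3E)            # 0x40-byte DOS header
_hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")      # e_lfanew -> 0x40
FAKE_PE = bytes(_hdr) + b"PE\x00\x00" + b"\x00" * 20
ENCRYPTED_BLOB = rc4(DEMO_KEY, FAKE_PE)             # what the on-disk .dat would hold

if __name__ == "__main__":
    plain, ok = decrypt_and_check(DEMO_KEY, ENCRYPTED_BLOB)
    print("PE image recovered" if ok else "wrong key or not a PE")
    _, ok_wrong = decrypt_and_check(b"wrong key here!!", ENCRYPTED_BLOB)
    print("wrong key rejected" if not ok_wrong else "unexpected match")
```

The PE check matters more than it looks: RC4 produces output for any key, so without a structural test a wrong key silently yields plausible-looking garbage. The same check also gives memory-forensics tooling a cheap way to spot the decrypted image once a process dump is in hand.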

Moreover, communications with the C2 server at 166.88.2.90 occur over HTTPS, blending with normal web traffic and further complicating network-based detection.
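Encrypted C2 traffic still leaves network-side hooks: the address itself, and the fact that browsers almost never open TLS sessions to a bare IP with no hostname in the SNI. The block below is an added detection example, not code from the report; the only page-derived value is the C2 address 166.88.2.90, while the log lines are constructed in a simplified tab-separated layout loosely modelled on a Zeek `ssl.log` (timestamp, source, destination, port, server name), which is an assumption about the reader's log format.

```python
"""Flag HTTPS sessions to bare IP addresses and to the reported C2 address.

Added detection example, not code from the Google Cloud report. The C2
address is the one published in the article; the log lines and their
simplified Zeek-like layout are constructed for the demo.
"""
from __future__ import annotations

import ipaddress

KNOWN_C2 = {"166.88.2.90"}  # from the article

# Constructed: ts, src, dst, dst_port, server_name ("-" when no SNI was sent).
SAMPLE_SSL_LOG = """\
1756000000.1\t10.0.0.5\t198.51.100.20\t443\twww.example.com
1756000001.2\t10.0.0.5\t166.88.2.90\t443\t-
1756000002.3\t10.0.0.7\t203.0.113.9\t443\t203.0.113.9
1756000003.4\t10.0.0.7\t198.51.100.4\t443\tupdates.example.net
"""


def is_ip_literal(value: str) -> bool:
    """True if the SNI field is an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify(line: str) -> dict:
    """Attach a list of reasons to a single ssl.log-style record."""
    ts, src, dst, port, sni = line.split("\t")
    reasons = []
    if dst in KNOWN_C2:
        reasons.append("known_c2")
    # TLS with no SNI, or with an IP literal as SNI, means the client never
    # used a hostname: typical for hard-coded C2 addresses, rare for browsing.
    if port == "443" and (sni in ("", "-") or is_ip_literal(sni)):
        reasons.append("tls_to_bare_ip")
    return {"ts": ts, "src": src, "dst": dst, "sni": sni, "reasons": reasons}


def find_suspicious(log_text: str) -> list[dict]:
    """Return only the records that triggered at least one reason."""
    records = (classify(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if r["reasons"]]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_SSL_LOG):
        print(f"{hit['src']} -> {hit['dst']} sni={hit['sni']} {','.join(hit['reasons'])}")
```

The IoC match catches this campaign's current infrastructure; the bare-IP rule is the durable part, since it keeps firing after the operators move to a new address. Expect some benign hits from appliances and update agents that pin IPs, so baseline those sources before alerting.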

The initial JavaScript triggers the download of AdobePlugins.exe, setting the stage for in-memory execution. By avoiding disk writes and leveraging valid certificates, UNC6384 has raised the bar for malware stealth.

As Google Cloud analysts continue to monitor this campaign, defenders are urged to inspect memory artifacts, enforce strict code-signing policies, and enable Enhanced Safe Browsing to detect anomalous TLS certificates and captive portal hijacks.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.