Deception in Depth: PRC-Nexus ... Note

Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats

Google Threat Intelligence Group identified a complex cyber espionage campaign by PRC-nexus actor UNC6384 targeting Southeast Asian diplomats. This campaign uses a captive portal hijack to redirect users to a malicious website. A digitally signed downloader, STATICPLUGIN, is then delivered to initiate the attack. The ultimate goal is the in-memory deployment of the SOGU.SEC backdoor, also known as PlugX. The attack chain employs advanced social engineering, including valid code signing certificates and adversary-in-the-middle techniques. Google is actively protecting users by alerting affected individuals and enhancing security measures. They have also added identified malicious resources to the Google Safe Browsing list. The malware payloads are disguised as software or plugin updates to deceive targets. The campaign utilizes a captive portal hijack, masquerading as an Adobe Plugin update, to deliver the initial malware. The landing page mimics legitimate software update sites and uses HTTPS with a valid TLS certificate for increased credibility. Google advises users to enable Enhanced Safe Browsing, keep devices updated, and use 2-Step Verification.
CdXz5zHNQW_TP1M7SZQDA.png