A recent investigation by Google’s security researchers has revealed a cyber operation linked to China that is targeting diplomats in Southeast Asia. The group behind the activity, tracked as UNC6384, has been found hijacking web traffic through deceptive Wi-Fi login pages.
Instead of providing legitimate internet access, these portals imitated VPN sign-ins or software updates. Unsuspecting users were then tricked into downloading a file known as STATICPLUGIN. That downloader served as the delivery mechanism for SOGU.SEC, a newly modified version of the notorious PlugX malware, long associated with Chinese state-backed operations.
What makes this campaign particularly dangerous is the use of a legitimate digital certificate to sign the malware.
This allowed it to slip past traditional endpoint defenses. Once active, the backdoor enabled data theft, internal movement across networks, and persistent monitoring of sensitive systems.
Google noted that the attackers relied on adversary-in-the-middle techniques to blend malicious activity with regular network traffic.
Redirectors controlled by the group were used to reroute connections through their fake portals, ensuring victims remained unaware of the compromise.
The choice of targets reflects Beijing’s broader regional ambitions. Diplomatic staff and foreign service officers often handle classified information relating to alliances, trade talks, and geopolitical strategies.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents