A stealthy espionage campaign emerged in early 2025 targeting diplomats and government entities in Southeast Asia and beyond.
At the heart of this operation lies STATICPLUGIN, a downloader carefully disguised as a legitimate Adobe plugin update.
Victims encountered a captive portal hijack that redirected browsers to malicious domains, where an HTTPS-secured landing page prompted users to “Install Missing Plugins…”, a ruse to lower suspicion and bypass browser warnings.
Malware landing page (Source - Google Cloud)
Once executed, the binary deployed a multi-stage chain culminating in the in-memory launch of the SOGU.SEC backdoor.
Following the initial compromise, STATICPLUGIN retrieves an MSI package masquerading as a BMP image. Inside this package resides CANONSTAGER, which is DLL side-loaded to execute the encrypted payload cnmplog.dat.
This side-loading technique abuses trusted Windows components to evade host-based defenses. Google Cloud analysts identified this novel combination of captive portal hijacking and valid code signing as a sophisticated evolution in PRC-nexus tradecraft.
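Two defender-side checks suggested by the MSI-as-BMP and DLL side-loading steps above, written as an added example that is not code from the article or from Google Cloud: a file whose .bmp extension hides an OLE compound (MSI) container, and image-load telemetry in which a signed executable outside the system directories loads an unsigned DLL from its own folder. The event field names and all sample paths are constructed assumptions, not indicators from the report.

```python
"""Triage helpers for the STATICPLUGIN / CANONSTAGER delivery chain (added example)."""
from pathlib import PureWindowsPath

OLE_CF_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # MSI packages are OLE compound files
BMP_MAGIC = b"BM"                                  # real bitmaps start with "BM"
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def classify_bytes(data: bytes) -> str:
    """Return the container format implied by the leading magic bytes."""
    if data.startswith(OLE_CF_MAGIC):
        return "msi/ole"
    if data.startswith(BMP_MAGIC):
        return "bmp"
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when a file named *.bmp actually carries an OLE/MSI container."""
    ext = PureWindowsPath(name).suffix.lower()
    return ext == ".bmp" and classify_bytes(data) == "msi/ole"


def sideload_candidates(events):
    """Flag image-load events that look like DLL side-loading.

    Each event is a dict with keys image, dll, image_signed, dll_signed
    (constructed schema, not a real EDR format). A hit is a signed EXE
    loading an unsigned DLL from the EXE's own non-system directory.
    """
    hits = []
    for ev in events:
        exe_dir = str(PureWindowsPath(ev["image"]).parent).lower()
        dll_dir = str(PureWindowsPath(ev["dll"]).parent).lower()
        in_system_dir = exe_dir.startswith(SYSTEM_DIRS)
        if ev["image_signed"] and not ev["dll_signed"] \
                and exe_dir == dll_dir and not in_system_dir:
            hits.append(ev["dll"])
    return hits


# Constructed sample telemetry; the first event is the side-loading pattern.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\AppData\Local\Temp\vendor.exe",
     "dll": r"C:\Users\u\AppData\Local\Temp\loader.dll",
     "image_signed": True, "dll_signed": False},
    {"image": r"C:\Windows\System32\svchost.exe",
     "dll": r"C:\Windows\System32\ntdll.dll",
     "image_signed": True, "dll_signed": True},
]
```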
Evidence indicates that Chengdu Nuoxin Times Technology Co., Ltd. issued the signing certificate used for STATICPLUGIN, lending the downloader false legitimacy.
These certificates, issued by GlobalSign and Let’s Encrypt, allowed the malware to bypass many endpoint security solutions that trust digitally signed binaries.
Downloader with valid digital signature (Source - Google Cloud)
Google Cloud researchers noted that although the original certificate expired on July 14, 2025, UNC6384 likely re-signs subsequent build iterations to maintain uninterrupted stealth.
Detailed analysis of CANONSTAGER reveals unconventional evasion tactics. The launcher resolves Windows API addresses using a custom hashing algorithm and stores them in Thread Local Storage (TLS), an atypical location that may go unnoticed by monitoring tools.
Example of storing function addresses in a TLS array (Source - Google Cloud)
By invoking these functions indirectly through a hidden window procedure and dispatching a WM_SHOWWINDOW message, CANONSTAGER conceals its true control flow within legitimate Windows message queues.
Overview of CANONSTAGER execution using the Windows message queue (Source - Google Cloud)
Detection Evasion through In-Memory Execution
One of UNC6384’s most notable innovations lies in its end-to-end in-memory execution. After establishing the hidden window and resolving APIs, CANONSTAGER creates a new thread to decrypt cnmplog.dat using a hardcoded 16-byte RC4 key.
Rather than writing the decrypted SOGU.SEC payload to disk, the launcher invokes EnumSystemGeoID, using its callback mechanism to execute the backdoor directly in memory.
This technique denies defenders valuable forensic artifacts, as no malicious binary resides on disk.
Moreover, communications with the C2 server at 166.88.2.90 occur over HTTPS, blending with normal web traffic and further complicating network-based detection.
The initial JavaScript triggers the download of AdobePlugins.exe, setting the stage for in-memory execution. By avoiding disk writes and leveraging valid certificates, UNC6384 has raised the bar for malware stealth.
As Google Cloud analysts continue to monitor this campaign, defenders are urged to inspect memory artifacts, enforce strict code-signing policies, and enable Enhanced Safe Browsing to detect anomalous TLS certificates and captive portal hijacks.