PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats
Essential information
- Published
- 26/08/2025 00:06
- Modified
- 26/08/2025 08:13
- Tags
- 2025-08-26, canonstager, captive portal, digital signatures, espionage, in-memory execution, prc-nexus, social engineering, sogu.sec, staticplugin
- Related entities
- 9 observables, 1 intrusion set (APT), 20 techniques (MITRE ATT&CK), 3 malware, 1 other
Description
A cyber espionage campaign attributed to the PRC-nexus threat actor UNC6384 targeted diplomats in Southeast Asia as well as other entities worldwide. The attack chain began by hijacking victims' web traffic: an adversary-in-the-middle position was used to redirect the browser's captive portal check to an attacker-controlled page that delivered malware disguised as a software update. The multi-stage chain combined this redirect with social engineering and several evasion tactics. The first stage was a digitally signed downloader (STATICPLUGIN), which dropped a side-loaded DLL (CANONSTAGER); CANONSTAGER in turn loaded the final payload, the SOGU.SEC backdoor, in memory. The campaign illustrates the evolving tradecraft of PRC-nexus actors, who rely on stealthy delivery and on legitimate Windows features, such as DLL side-loading and trusted code signatures, to avoid detection.