{
  "name": "PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats",
  "slug": "prc-nexus-espionage-campaign-hijacks-web-traffic-to-target-diplomats",
  "description": "A sophisticated cyber espionage campaign attributed to the PRC-nexus threat actor UNC6384 targeted diplomats in Southeast Asia and other global entities. The attack chain involved hijacking web traffic through a captive portal redirect to deliver malware disguised as software updates. The multi-stage attack used advanced social engineering, adversary-in-the-middle techniques, and evasion tactics. The malware payload, the SOGU.SEC backdoor, was deployed through a digitally signed downloader (STATICPLUGIN) and a side-loaded DLL (CANONSTAGER). The campaign demonstrated the evolving capabilities of PRC-nexus threat actors, who employed stealthy tactics to avoid detection and abused legitimate Windows features for malicious purposes.",
  "published": "2025-08-25T22:06:08+00:00",
  "created_at": "2025-08-25T22:06:08+00:00",
  "modified_at": "2025-08-26T06:13:51+00:00",
  "created_at_opencti": "2025-08-25T22:06:08+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-08-26",
    "canonstager",
    "captive portal",
    "digital signatures",
    "espionage",
    "in-memory execution",
    "prc-nexus",
    "social engineering",
    "sogu.sec",
    "staticplugin"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "166.88.2.90"
      },
      {
        "id": "",
        "name": "103.79.120.72"
      },
      {
        "id": "",
        "name": "mediareleaseupdates.com"
      },
      {
        "id": "",
        "name": "e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011"
      },
      {
        "id": "",
        "name": "d1626c35ff69e7e5bde5eea9f9a242713421e59197f4b6d77b914ed46976b933"
      },
      {
        "id": "",
        "name": "cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79"
      },
      {
        "id": "",
        "name": "65c42a7ea18162a92ee982eded91653a5358a7129c7672715ce8ddb6027ec124"
      },
      {
        "id": "",
        "name": "4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3"
      },
      {
        "id": "",
        "name": "3299866538aff40ca85276f87dd0cefe4eafe167bd64732d67b06af4f3349916"
      }
    ],
    "malware": [
      {
        "id": "5cf91eb2-4d79-4af8-a2c7-08b1568c6604",
        "name": "SOGU.SEC",
        "slug": "sogusec"
      },
      {
        "id": "legacy:malware:2d9fccd082c668d8",
        "name": "CANONSTAGER",
        "slug": "canonstager"
      },
      {
        "id": "legacy:malware:453b5d3e38aca461",
        "name": "STATICPLUGIN",
        "slug": "staticplugin"
      }
    ],
    "intrusion_sets": [
      {
        "id": "legacy:intrusion:4b399306a1b83d11",
        "name": "UNC6384",
        "slug": "unc6384"
      }
    ],
    "attack_patterns": [
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "81b422de-709e-43bd-b471-2befac0c623a",
        "name": "T1218.011"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "8598a502-2b24-4c8a-8ec3-45179f49e5b7",
        "name": "T1199"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats",
    "https://otx.alienvault.com/pulse/68acfa70f85ead1f5b1f64d3"
  ]
}