A China-linked cyberespionage group has been hijacking web traffic to infect diplomats and other entities with the PlugX backdoor, Google Threat Intelligence Group (GTIG) reports.
The campaign, attributed to UNC6384 and believed to be associated with Mustang Panda (also tracked as Basin, Bronze President, Earth Preta, Red Delta, and Temp.Hex), was identified in March 2025, disguising the malicious payloads as software or plugin updates.
In the attacks, UNC6384 used a captive portal redirect (a captive portal is a network setup that first sends a device to a webpage, such as a login page, before granting it internet access) to deliver the StaticPlugin downloader, which in turn deploys a loader for the PlugX backdoor in memory.
“This multi-stage attack chain leverages advanced social engineering including valid code signing certificates, an adversary-in-the-middle (AitM) attack, and indirect execution techniques to evade detection,” GTIG explained.
The attacks start with the victim’s browser performing its routine captive portal check, in which it contacts a hardcoded domain (gstatic.com in Chrome’s case) to determine whether it is behind a captive portal.
According to Google, UNC6384 has been using compromised edge devices on the target networks to mount an AitM attack against that check, redirecting the victims to a landing page under its control for malware delivery.
Next, multiple social engineering techniques are used to convince the victim that a software update is needed and to trick them into downloading StaticPlugin, which poses as an Adobe plugin update.
The fake installer was seen initiating a multi-stage deployment chain designed to evade detection and maintain stealth, culminating with the execution of the backdoor.
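The hijacked captive portal probe at the start of this chain is something a web proxy log can expose: a probe expects a fixed, tiny answer, so a 3xx to some other host is the shape of the AitM redirect described above. The following Python is an added example, not code from GTIG’s report or from the article; it assumes a simple constructed proxy log format, watches Chrome’s probe to connectivitycheck.gstatic.com/generate_204 (the gstatic.com check the article refers to) plus a few other well-known OS and browser probe endpoints, and every host name, IP address and file name in the sample log is constructed.

```python
"""Detect a hijacked captive-portal probe in proxy logs.

Added example for this article; not code from GTIG or SecurityWeek.
A browser's connectivity probe expects a fixed, tiny answer (Chrome's
probe to connectivitycheck.gstatic.com/generate_204 expects HTTP 204).
On a network with no captive portal of its own, a probe answered with a
3xx to some other host is the shape of the AitM redirect described in
the article. The log line format and every host, IP and file name below
are constructed for the example.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Probe endpoints used by browsers and operating systems. The gstatic
# entries are the one the article mentions; the rest are well-known probes.
PROBE_ENDPOINTS = {
    "connectivitycheck.gstatic.com": "/generate_204",
    "www.gstatic.com": "/generate_204",
    "www.msftconnecttest.com": "/connecttest.txt",
    "captive.apple.com": "/hotspot-detect.html",
    "detectportal.firefox.com": "/success.txt",
}

# Constructed proxy records: timestamp, client, method, URL, status, Location.
SAMPLE_LOG = """\
2025-03-12T09:14:01Z 10.0.5.23 GET http://connectivitycheck.gstatic.com/generate_204 204 -
2025-03-12T09:14:02Z 10.0.5.23 GET http://connectivitycheck.gstatic.com/generate_204 302 http://update-check.invalid/plugins/
2025-03-12T09:14:03Z 10.0.5.23 GET http://update-check.invalid/plugins/ 200 -
2025-03-12T09:14:40Z 10.0.5.23 GET http://update-check.invalid/plugins/AdobePlugins.exe 200 -
2025-03-12T09:15:10Z 10.0.7.8 GET http://www.msftconnecttest.com/connecttest.txt 200 -
2025-03-12T09:15:11Z 10.0.7.8 GET http://captive.apple.com/hotspot-detect.html 302 http://wifi-login.corp.invalid/
""".splitlines()


@dataclass
class ProxyRecord:
    ts: str        # ISO-8601 UTC, so plain string comparison orders correctly
    src: str       # client IP
    method: str
    url: str
    status: int
    location: str  # Location header on a 3xx, "-" otherwise


LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<location>\S+)$"
)


def parse_line(line):
    """Parse one constructed proxy line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return ProxyRecord(m["ts"], m["src"], m["method"], m["url"],
                       int(m["status"]), m["location"])


def is_probe(url):
    u = urlparse(url)
    return PROBE_ENDPOINTS.get(u.hostname) == u.path


def find_hijacked_probes(lines, trusted_portal_hosts=frozenset()):
    """Probes answered with a redirect to a host that is not a known portal.

    Returns a list of (probe_record, redirect_host). Pass the organisation's
    own captive portal hosts in trusted_portal_hosts to suppress them.
    """
    hits = []
    for rec in map(parse_line, lines):
        if rec is None or not is_probe(rec.url):
            continue
        if 300 <= rec.status < 400 and rec.location != "-":
            dest = urlparse(rec.location).hostname or ""
            if dest not in trusted_portal_hosts:
                hits.append((rec, dest))
    return hits


def find_followup_downloads(lines, hits, suffixes=(".exe", ".msi", ".zip")):
    """Executable downloads by the same client from the redirect host, after the probe."""
    records = [r for r in map(parse_line, lines) if r is not None]
    found = []
    for probe, dest in hits:
        for r in records:
            u = urlparse(r.url)
            if (r.src == probe.src and r.ts > probe.ts
                    and u.hostname == dest
                    and u.path.lower().endswith(suffixes)):
                found.append((r.src, r.url))
    return found


if __name__ == "__main__":
    hits = find_hijacked_probes(
        SAMPLE_LOG, trusted_portal_hosts=frozenset({"wifi-login.corp.invalid"}))
    for probe, dest in hits:
        print(f"{probe.ts} {probe.src}: probe {probe.url} redirected to {dest}")
    for src, url in find_followup_downloads(SAMPLE_LOG, hits):
        print(f"  follow-up download by {src}: {url}")
```

On a network that does operate a captive portal, the portal host goes into trusted_portal_hosts; the second check then only correlates executable downloads with redirects that were not expected, which is the pairing worth an alert.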
StaticPlugin was signed with a valid code signing certificate issued by GlobalSign to Chengdu Nuoxin Times Technology Co., Ltd., which helps it evade endpoint security protections.
According to GTIG, at least 25 other malware samples signed with certificates issued to this company have been employed by various Chinese APTs in attacks. Two of those campaigns show similarities with the newly identified UNC6384 activity.
StaticPlugin executes the CanonStager loader in memory via DLL side-loading; CanonStager in turn abuses various legitimate Windows features to execute the final payload, a PlugX variant that UNC6384 commonly uses in its attacks.
The backdoor collects system information, can upload files to and download files from its command-and-control (C&C) server, and can spawn a remote command shell.
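Two of the details above translate directly into endpoint detection logic: the reused code signing subject is a string worth watch-listing, and DLL side-loading has a recognisable shape in image-load telemetry. The following Python is an added example, not code from GTIG or the article. It runs over records shaped like the fields of Sysmon Event ID 7 (ImageLoad); the side-load rule is a generic heuristic, since the article does not name CanonStager’s host binary or DLL, and every path and event in the sample is constructed.

```python
"""Flag a watchlisted code-signing subject and DLL side-load shapes in image-load telemetry.

Added example for this article, not code from GTIG. It runs over records
shaped like Sysmon Event ID 7 (ImageLoad) fields and applies two checks:
 1. Any loaded image whose signer is on a watchlist. The single entry below
    is the certificate subject the article names as reused across Chinese
    APT samples.
 2. A process running from a user-writable directory loading an unsigned
    (or not validly signed) DLL from its own directory, the generic shape of
    DLL side-loading. This is a heuristic, not a signature for CanonStager.
All paths and events below are constructed.
"""
import ntpath

ABUSED_SIGNERS = frozenset({"Chengdu Nuoxin Times Technology Co., Ltd."})

# Directories ordinary users cannot write to; anything else is treated as user-writable.
PROTECTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

SAMPLE_EVENTS = [
    # Benign: a Windows binary loading a Microsoft-signed DLL from System32.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\rpcrt4.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Side-load shape: an executable dropped under the user profile loads an
    # unsigned DLL sitting next to it (constructed names).
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\AdobePlugins\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\AdobePlugins\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Watchlisted signer: validly signed, so rule 2 stays quiet but rule 1 fires.
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\AdobePlugins.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\install.dll",
     "Signed": "true", "Signature": "Chengdu Nuoxin Times Technology Co., Ltd.",
     "SignatureStatus": "Valid"},
    # Benign: a vendor app in Program Files loading its own validly signed DLL.
    {"EventID": 7, "Image": r"C:\Program Files\VendorApp\app.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\helper.dll",
     "Signed": "true", "Signature": "Vendor Inc", "SignatureStatus": "Valid"},
]


def is_user_writable(path):
    """True unless the path sits under one of the protected prefixes."""
    return not path.lower().startswith(PROTECTED_PREFIXES)


def same_directory(a, b):
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def detect(events, watchlist=ABUSED_SIGNERS):
    """Return a list of (rule, process_image, loaded_image, signer) alerts."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        image, loaded = ev["Image"], ev["ImageLoaded"]
        signer = ev.get("Signature", "")
        # Rule 1: signer watchlist, regardless of where the file lives.
        if signer in watchlist:
            alerts.append(("watchlisted-signer", image, loaded, signer))
        # Rule 2: side-load shape. Sysmon reports Signed as "true"/"false".
        not_validly_signed = (ev.get("Signed", "").lower() != "true"
                              or ev.get("SignatureStatus") != "Valid")
        if (loaded.lower().endswith(".dll") and same_directory(image, loaded)
                and is_user_writable(image) and not_validly_signed):
            alerts.append(("possible-dll-sideload", image, loaded, signer))
    return alerts


if __name__ == "__main__":
    for rule, image, loaded, signer in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image} loaded {loaded} (signer: {signer or 'none'})")
```

Rule 2 will fire on some legitimate portable software that ships unsigned DLLs in a user directory, so it is a triage signal rather than a blocking rule; rule 1 is high confidence as long as the watchlist is kept to subjects with a documented abuse history.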
“The use of advanced techniques such as AitM combined with valid code signing and layered social engineering demonstrates this threat actor’s capabilities,” GTIG notes, adding that it has seen Chinese APTs increasingly focusing on detection evasion tactics.