PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A sophisticated cyber espionage campaign attributed to the PRC-nexus threat actor UNC6384 targeted diplomats in Southeast Asia and other global entities. The attack chain involved hijacking web traffic through a captive portal redirect to deliver malware disguised as software updates. The multi-stage attack utilized advanced social engineering, adversary-in-the-middle techniques, and evasion tactics. The malware payload, SOGU.SEC backdoor, was deployed through a digitally signed downloader (STATICPLUGIN) and a side-loaded DLL (CANONSTAGER). The campaign demonstrated the evolving capabilities of PRC-nexus threat actors, employing stealthy tactics to avoid detection and leveraging legitimate Windows features for malicious purposes.
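One way to hunt for the captive portal hijack described above: when a network comes up, the operating system and browser each send a small connectivity probe, and a captive portal, real or attacker-controlled, answers that probe with a redirect. The following added example, which is not code from the report or from NetmanageIT, scans constructed proxy log lines for those probes and flags any redirect to a host other than a known portal, escalating when the redirect target is an executable download that the same client then fetched. The probe URLs are the well-known Windows NCSI and Chromium/Android checks; the JSON log format, the known-portal allowlist, the hostnames and every record in the sample are assumptions made for the illustration.

```python
"""Flag captive-portal connectivity probes answered with an unexpected redirect.

Added example, not code from the report or from NetmanageIT. The probe URLs are
the well-known Windows NCSI and Chromium/Android connectivity checks; the JSON
proxy-log format, the known-portal allowlist and every log record below are
constructed for this illustration.
"""
import json
from urllib.parse import urlparse

# Connectivity probes the OS/browser issues when a network comes up. A captive
# portal (or an adversary-in-the-middle posing as one) answers these with a
# redirect instead of the expected 200/204.
CONNECTIVITY_PROBES = {
    "www.msftconnecttest.com": "/connecttest.txt",      # Windows NCSI
    "www.gstatic.com": "/generate_204",                 # Chromium
    "connectivitycheck.gstatic.com": "/generate_204",   # Android / Chromium
}

# Portal hosts that legitimately intercept probes on this network (assumed).
KNOWN_PORTAL_HOSTS = {"wifi-login.example-corp.internal"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
DOWNLOAD_SUFFIXES = (".exe", ".msi", ".zip", ".dll")

# Constructed proxy log: one JSON record per line.
SAMPLE_LOG = """\
{"ts":"2025-08-20T08:01:12Z","client":"10.20.5.17","url":"http://www.msftconnecttest.com/connecttest.txt","status":200,"location":""}
{"ts":"2025-08-20T08:03:40Z","client":"10.20.5.31","url":"http://www.gstatic.com/generate_204","status":204,"location":""}
{"ts":"2025-08-20T08:05:02Z","client":"10.20.5.44","url":"http://www.msftconnecttest.com/connecttest.txt","status":302,"location":"http://wifi-login.example-corp.internal/portal"}
{"ts":"2025-08-20T08:09:55Z","client":"10.20.5.52","url":"http://www.gstatic.com/generate_204","status":302,"location":"https://plugin-update.example-bad.test/PluginUpdate.exe"}
{"ts":"2025-08-20T08:10:01Z","client":"10.20.5.52","url":"https://plugin-update.example-bad.test/PluginUpdate.exe","status":200,"location":""}
"""


def is_probe(url: str) -> bool:
    """True when the request is one of the known connectivity checks."""
    p = urlparse(url)
    return CONNECTIVITY_PROBES.get(p.hostname or "") == p.path


def classify(rec: dict, downloads: set):
    """Return a finding for a hijacked probe, or None when the response is normal."""
    if not is_probe(rec["url"]):
        return None
    status, loc = rec["status"], rec.get("location") or ""
    target = urlparse(loc).hostname if loc else None
    if status in (200, 204) and not loc:
        return None                      # probe reached the real endpoint
    if status in REDIRECT_STATUSES and target in KNOWN_PORTAL_HOSTS:
        return None                      # the real guest portal intercepted it
    finding = {
        "ts": rec.get("ts"), "client": rec["client"], "probe": rec["url"],
        "status": status, "redirect_to": loc, "severity": "medium",
        "downloaded": (rec["client"], target) in downloads,
    }
    # A probe answered with a binary is the "fake software update" pattern.
    if urlparse(loc).path.lower().endswith(DOWNLOAD_SUFFIXES):
        finding["severity"] = "high"
    return finding


def scan(log_text: str) -> list:
    """Scan JSON-lines proxy records and return the suspicious probe responses."""
    records = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    # First pass: which (client, host) pairs fetched something successfully,
    # so a finding can say whether the redirect target was actually pulled.
    downloads = {(r["client"], urlparse(r["url"]).hostname)
                 for r in records if r["status"] == 200 and not is_probe(r["url"])}
    return [f for f in (classify(r, downloads) for r in records) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Run against the sample, only the fourth record fires: the probe from 10.20.5.52 was redirected to a host outside the allowlist, the target path is an executable, and the same client then fetched it, so the finding carries severity "high" with downloaded set. A redirect to the known portal host is deliberately silent, which is why the allowlist must reflect the real guest-network portal rather than stay empty.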
OPENCTI LABELS :
espionage,social engineering,in-memory execution,prc-nexus,canonstager,sogu.sec,digital signatures,staticplugin,captive portal
AI COMMENTARY :
1. Executive Summary: The report titled “PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats” describes a cyber espionage operation run by the PRC-nexus threat actor UNC6384. The campaign used a captive portal redirect to reach diplomats in Southeast Asia and other global entities, combining social engineering, adversary-in-the-middle techniques and evasive tradecraft to deploy a stealthy backdoor known as SOGU.SEC.
2. Campaign Mechanics: Attackers initiated the intrusion by hijacking web traffic at the captive portal stage, redirecting users to a page posing as a legitimate software update. When victims ran what appeared to be the update, the multi-stage chain delivered a digitally signed downloader named STATICPLUGIN, which in turn staged the payload for execution.
3. Social Engineering and Adversary Techniques: The operation relied heavily on social engineering to convince targets that the update prompts were genuine. UNC6384 exploited user trust and familiarity with system notifications, combining this ruse with adversary-in-the-middle interception to deliver malicious code without raising immediate suspicion or triggering standard security alerts.
4. Malware Arsenal and Delivery: Central to the intrusion was STATICPLUGIN, a signed downloader that fetched and installed the SOGU.SEC backdoor. To further obscure the payload, attackers employed a side-loaded DLL dubbed CANONSTAGER, enabling in-memory execution of malicious components. This dual-tool approach ensured the backdoor could be introduced and activated with minimal footprint on disk, complicating forensic analysis.
5. Evasion and Stealth Tactics: Throughout the campaign, UNC6384 leveraged legitimate Windows features and digital signatures to dodge detection. In-memory execution kept the full payload off disk, leaving file-based antivirus little to scan, while a valid signature on STATICPLUGIN lent the downloader an appearance of legitimacy. Side-loading CANONSTAGER through a legitimate executable let the malicious code run inside a trusted-looking process, so that its activity blended with normal software behaviour.
6. Threat Actor Profile and Implications: The PRC-nexus group UNC6384 has demonstrated evolving capabilities, blending espionage objectives with sophisticated tradecraft. By targeting diplomats and other high-value entities, the campaign underscores the strategic value of information stolen through cyber means and reflects a broader pattern of state-linked actors weaponizing digital infrastructure for geopolitical gain.
7. Conclusion and Recommendations: This campaign highlights the need for vigilance around captive portal environments and unsolicited software update prompts. Organizations should treat a valid code signature as necessary but not sufficient (STATICPLUGIN was itself signed) and confirm that the certificate chain and publisher match the software actually expected; monitor for connectivity-check and other web requests redirected to unexpected hosts; and adopt runtime protection able to inspect in-memory activity and DLL loads. Continuous threat intelligence sharing and user awareness training remain pivotal to countering stealthy operations like this one.
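Items 4, 5 and 7 above turn on the side-loaded DLL and on inspecting DLL loads at runtime. The following added example, which is not code from the report or from NetmanageIT, applies a simple side-loading heuristic to Sysmon Event ID 7 (ImageLoad) records: it fires when a DLL that is not validly signed is loaded from the same directory as the executable loading it, and that directory sits outside the standard install roots. The field names (Image, ImageLoaded, Signed, SignatureStatus, Signature) are the ones Sysmon writes for that event; the events themselves, the file and directory names and the list of trusted roots are constructed assumptions to be tuned per environment.

```python
"""Heuristic DLL side-loading detector over Sysmon Event ID 7 (ImageLoad) records.

Added example, not code from the report or from NetmanageIT. Field names are
Sysmon's Event ID 7 fields; the events, file names and trusted install roots
below are constructed assumptions for this illustration.
"""
from pathlib import PureWindowsPath

# Directories where a signed-process / unsigned-DLL pairing is ordinary enough
# not to alert on by itself (assumed; tune per environment).
TRUSTED_ROOTS = [PureWindowsPath(p) for p in (
    r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")]

# Constructed Sysmon Event ID 7 records.
SAMPLE_EVENTS = [
    # Normal: a system binary loading a signed system DLL from System32.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wininet.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    # Normal: an installed application loading its own signed DLL.
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp\app-core.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Software Inc."},
    # Side-loading pattern: a vendor tool dropped into a user-writable directory
    # loads an unsigned DLL sitting next to it (constructed names).
    {"Image": r"C:\Users\alice\AppData\Local\Temp\PluginUpdate\vendortool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\PluginUpdate\vendortool.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    # The same dropped tool loading a genuine system DLL: not side-loading.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\PluginUpdate\vendortool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]


def under_trusted_root(path: PureWindowsPath) -> bool:
    """True when the path lies in (or is) one of the trusted install roots."""
    return any(root == path or root in path.parents for root in TRUSTED_ROOTS)


def validly_signed(ev: dict) -> bool:
    """Sysmon reports Signed=true plus SignatureStatus=Valid for a good signature."""
    return ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid"


def score_event(ev: dict):
    """Return a finding when the load matches the side-loading pattern, else None."""
    exe = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    reasons = []
    if not validly_signed(ev):
        reasons.append("DLL not validly signed")
    if dll.parent == exe.parent:
        reasons.append("DLL loaded from the loading executable's own directory")
    if not under_trusted_root(dll):
        reasons.append("DLL outside trusted install roots")
    if len(reasons) < 3:            # the classic pattern needs all three
        return None
    return {"process": str(exe), "dll": str(dll), "signer": ev.get("Signature", ""),
            "reasons": reasons}


def scan(events: list) -> list:
    """Apply score_event to every ImageLoad record and return the findings."""
    return [f for f in (score_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the third record matches: an unsigned vendortool.dll loaded from the same temporary directory as vendortool.exe. The fourth record, where the same dropped tool loads the real version.dll from System32, stays quiet, which is the distinction that matters in practice. A production rule would add the name of the executable's signer from the corresponding process-creation telemetry and compare it with the DLL's signer, since a signed host loading a DLL signed by nobody, or by a different publisher, is the strongest single signal of side-loading.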