← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
IOC&TTP - Deception in Depth PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats
WHITE UNC6384 celestre 2025-08-27 Modified: 2025-09-25
15
IOCs
MEDIUM VOLUME
2025年3月,Google Threat Intelligence Group(GTIG)发现一个复杂的网络间谍活动,由中国(PRC)关联的威胁组织 UNC6384 发起。该行动主要针对东南亚的外交人员,同时波及其他全球实体。攻击者利用 强制门户劫持(captive portal hijack),通过中间人攻击(AitM)将受害者浏览器重定向至伪造的插件更新页面,从而投递数字签名的恶意下载器 STATICPLUGIN,最终在内存中部署后门 SOGU.SEC(PlugX变种)。整个攻击链条结合了社会工程、有效代码签名证书、DLL侧加载和内存加载技术,以规避检测。该行动被认为服务于中国国家战略利益,特别是针对外交与政府相关目标的情报收集。
prc-nexussocial engineeringin-memory executionespionagecanonstagersogu.secdigital signaturesstaticplugincaptive portal
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
STATICPLUGIN CANONSTAGER SOGU.SEC
Indicators of Compromise (6 / 15 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA256 3299866538aff40ca85276f87dd0cefe4eafe167bd64732d67b06af4f3349916 2025-08-27
FileHash-SHA256 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3 2025-08-27
FileHash-SHA256 65c42a7ea18162a92ee982eded91653a5358a7129c7672715ce8ddb6027ec124 2025-08-27
FileHash-SHA256 cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79 2025-08-27
FileHash-SHA256 d1626c35ff69e7e5bde5eea9f9a242713421e59197f4b6d77b914ed46976b933 2025-08-27
FileHash-SHA256 e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011 2025-08-27
References (1)
↗ https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats