← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats | Google Cloud Blog
WHITE Nexus Espionage CyberHunter_NL 2025-08-27 Modified: 2025-09-26
26
IOCs
MEDIUM VOLUME
Google has identified and identified a Chinese government-backed cyber espionage campaign that targeted diplomats in Southeast Asia in March 2025 and is likely to have been carried out by a PRC-nexus threat actor.
canonstagerwindows systemwmshowwindowexitprocessdefwindowprocqueue windowsmessage queuesmessage queuewindows messagegetmessagewloopnexus espionagethreat intelligenceplugxdigitally signedsignedunc6384sogu.sec
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
Threat Intelligence PlugX Digitally Signed Signed UNC6384 SOGU.SEC
Indicators of Compromise (26)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 SSLCertFingerprint YARA domain
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 00c9a545c4fd77c19a490f5637025f3f MD5 of 3299866538aff40ca85276f87dd0cefe4eafe167bd64732d67b06af4f3349916 2025-08-27
FileHash-MD5 0538e73fc195c3b4441721d4c60d0b96 MD5 of 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3 2025-08-27
FileHash-MD5 42edaf7ea36a17c9c96465fe68c15dcd MD5 of d1626c35ff69e7e5bde5eea9f9a242713421e59197f4b6d77b914ed46976b933 2025-08-27
FileHash-MD5 52f42a40d24e1d62d1ed29b28778fc45 MD5 of 65c42a7ea18162a92ee982eded91653a5358a7129c7672715ce8ddb6027ec124 2025-08-27
FileHash-MD5 df4a0fa496e7971e9a5fa481dfb83725 MD5 of cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79 2025-08-27
FileHash-MD5 f24fe0e35630a1d278e0b617ba1b94cb MD5 of c8744b10180ed59bf96cf79d7559249e9dcf0f90 2025-08-27
FileHash-MD5 fa71d60e43da381ad656192a41e38724 MD5 of e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011 2025-08-27
FileHash-SHA1 080d8e82afed9237e368e1bb466437d75c9c842b SHA1 of d1626c35ff69e7e5bde5eea9f9a242713421e59197f4b6d77b914ed46976b933 2025-08-27
FileHash-SHA1 1ab2cda09723168e6a595402901a401e5f052e9f SHA1 of 65c42a7ea18162a92ee982eded91653a5358a7129c7672715ce8ddb6027ec124 2025-08-27
FileHash-SHA1 31ece4baeea8a6c94dd6b5cfa27b1a23b197ebdd SHA1 of e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011 2025-08-27
FileHash-SHA1 6451769fb0612bd9bae9e1d3f5f4e89f2e12a083 SHA1 of cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79 2025-08-27
FileHash-SHA1 907edc808da7c5feb175e9aa5dca3aed934a1331 SHA1 of 3299866538aff40ca85276f87dd0cefe4eafe167bd64732d67b06af4f3349916 2025-08-27
FileHash-SHA1 baa569318144905563b469a5a006ad54eb616a02 SHA1 of 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3 2025-08-27
FileHash-SHA1 c8744b10180ed59bf96cf79d7559249e9dcf0f90 2025-08-27
FileHash-SHA1 eca96bd74fb6b22848751e254b6dc9b8e2721f96 2025-08-27
FileHash-SHA256 3299866538aff40ca85276f87dd0cefe4eafe167bd64732d67b06af4f3349916 2025-08-27
FileHash-SHA256 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3 2025-08-27
FileHash-SHA256 65c42a7ea18162a92ee982eded91653a5358a7129c7672715ce8ddb6027ec124 2025-08-27
FileHash-SHA256 6d473212d0cb7ab33a738807745b6cf151a2b5c331656774df59e1a4e2230468 SHA256 of c8744b10180ed59bf96cf79d7559249e9dcf0f90 2025-08-27
FileHash-SHA256 cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79 2025-08-27
FileHash-SHA256 d1626c35ff69e7e5bde5eea9f9a242713421e59197f4b6d77b914ed46976b933 2025-08-27
FileHash-SHA256 e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011 2025-08-27
SSLCertFingerprint 6d:47:32:12:d0:cb:7a:b3:3a:73:88:07:74:5b:6c:f1:51:a2:b5:c3:31:65:67:74:df:59:e1:a4:e2:23:04:68 2025-08-27
YARA 95a89dff5e42614e30ba6aab6623133043f6f122 CANONSTAGER is a side-loaded DLL launcher used to decrypt and execute a payload in-memory. 2025-08-27
YARA 9e82021ffd943c51b1a164832ea5a6d28b16dec7 STATICPLUGIN is a downloader observed to retrieve an MSI packaged payload from a hard-coded C2 domain. 2025-08-27
domain mediareleaseupdates.com 2025-08-27
References (1)
↗ https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats/