← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Deception in Depth PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats | IOC&TTP
IOC&TTP - Deception in Depth PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats:
2025年3月,Google Threat Intelligence Group(GTIG)发现一个复杂的网络间谍活动,由中国(PRC)关联的威胁组织 UNC6384 发起。该行动主要针对东南亚的外交人员,同时波及其他全球实体。攻击者利用 强制门户劫持(captive portal hijack),通过中间人攻击(AitM)将受害者浏览器重定向至伪造的插件更新页面,从而投递数字签名的恶意下载器 STATICPLUGIN,最终在内存中部署后门 SOGU.SEC(PlugX变种)。整个攻击链条结合了社会工程、有效代码签名证书、DLL侧加载和内存加载技术,以规避检测。该行动被认为服务于中国国家战略利益,特别是针对外交与政府相关目标的情报收集。[by celestre]
MITRE ATT&CK & Malware Families
Indicators of Compromise (10 / 25 total)
| TYPE | INDICATOR | DESCRIPTION | CREATED | |
|---|---|---|---|---|
| FileHash-SHA1 | 080d8e82afed9237e368e1bb466437d75c9c842b | SHA1 of d1626c35ff69e7e5bde5eea9f9a242713421e59197f4b6d77b914ed46976b933 | 2025-08-27 | |
| FileHash-SHA1 | 1ab2cda09723168e6a595402901a401e5f052e9f | SHA1 of 65c42a7ea18162a92ee982eded91653a5358a7129c7672715ce8ddb6027ec124 | 2025-08-27 | |
| FileHash-SHA1 | 31ece4baeea8a6c94dd6b5cfa27b1a23b197ebdd | SHA1 of e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011 | 2025-08-27 | |
| FileHash-SHA1 | 6451769fb0612bd9bae9e1d3f5f4e89f2e12a083 | SHA1 of cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79 | 2025-08-27 | |
| FileHash-SHA1 | 907edc808da7c5feb175e9aa5dca3aed934a1331 | SHA1 of 3299866538aff40ca85276f87dd0cefe4eafe167bd64732d67b06af4f3349916 | 2025-08-27 | |
| FileHash-SHA1 | 95a89dff5e42614e30ba6aab6623133043f6f122 | — | 2025-08-27 | |
| FileHash-SHA1 | 9e82021ffd943c51b1a164832ea5a6d28b16dec7 | — | 2025-08-27 | |
| FileHash-SHA1 | baa569318144905563b469a5a006ad54eb616a02 | — | 2025-08-27 | |
| FileHash-SHA1 | c8744b10180ed59bf96cf79d7559249e9dcf0f90 | — | 2025-08-27 | |
| FileHash-SHA1 | eca96bd74fb6b22848751e254b6dc9b8e2721f96 | — | 2025-08-27 |