CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

UNC6384 Targets Diplomats with PlugX via Captive Portal Hijacks

First reported
Last updated
3 unique sources, 5 articles

Summary

Hide ▲

UNC6384, a China-nexus threat actor assessed to share tactical overlaps with Mustang Panda, continues targeted espionage campaigns leveraging advanced social engineering and indirect execution techniques. Recent reporting confirms Mustang Panda’s use of the FDMTP backdoor (version 3.2.5.1) in a months-long campaign against networks in the Asia-Pacific and Japan, involving CDN impersonation, DLL sideloading, and in-memory .NET execution. The group employs modular plugins for persistence, scheduled tasks, and remote file retrieval, with communication over a custom TCP protocol using DMTP. The campaign targeting U.S. government and policy entities via Venezuela-themed spear phishing to deliver the LOTUSLITE backdoor remains under investigation, with moderate-confidence attribution to Mustang Panda. Earlier phases described UNC6384’s captive portal hijacks to deploy PlugX variants (SOGU.SEC) and linked tooling overlaps with Mustang Panda’s Bookworm malware, highlighting the sophistication of PRC-nexus operators in evading detection.

Timeline

  1. 16.01.2026 12:27 1 articles · 3mo ago

    Mustang Panda Targets U.S. Entities with LOTUSLITE Backdoor

    A new campaign targets U.S. government and policy entities using Venezuela-themed spear phishing to deliver the LOTUSLITE backdoor. The LOTUSLITE backdoor is a bespoke C++ implant that communicates with a hard-coded command-and-control (C2) server using Windows WinHTTP APIs. The backdoor supports commands for remote CMD shell, file enumeration, file creation, data exfiltration, and beacon status checks, and establishes persistence by making Windows Registry modifications.

    Show sources
    Open in new tab
  2. 27.09.2025 15:06 3 articles · 7mo ago

    PlugX Variant Linked to Mustang Panda and Bookworm Malware

    Darktrace analysis links Mustang Panda to an updated FDMTP backdoor (version 3.2.5.1) used in a months-long espionage campaign targeting Asia-Pacific and Japan networks from September 2025 to April 2026. The campaign employed CDN impersonation, DLL sideloading via legitimate binaries (e.g., Sogou Pinyin’s biz_render.exe), and in-memory .NET execution to load the backdoor. The FDMTP framework includes modular plugins for persistence (scheduled tasks and registry entries), remote file retrieval, and process manipulation, with communication over a custom TCP protocol using DMTP and a persistent update channel polling icloud-cdn[.]net every five minutes.

    Show sources
    Open in new tab
  3. 25.08.2025 21:11 4 articles · 8mo ago

    UNC6384 Deploys PlugX via Captive Portal Hijacks Targeting Diplomats

    The campaign targeted around two dozen victims, primarily Southeast Asian diplomats, between March and July 2025. The attack chain involved compromised edge devices intercepting captive portal checks and redirecting users to a malicious website. The malicious website used a valid TLS/SSL certificate issued by Let's Encrypt to avoid browser security warnings. The first-stage malware, STATICPLUGIN, dropped a launcher called CANONSTAGER, which used unconventional techniques to hide its activities. The final payload was a variant of the PlugX backdoor, tracked by Google as SOGU.SEC. The new PlugX variant overlaps with RainyDay and Turian backdoors, targeting telecommunications and manufacturing sectors in Central and South Asia. The campaign is linked to Mustang Panda, which also uses Bookworm malware.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

BPFDoor Linux kernel implants leveraged by Red Menshen for stealthy telecom espionage

A China-nexus threat group, tracked as Red Menshen (aka Earth Bluecrow, DecisiveArchitect, Red Dev 18), has conducted a multi-year espionage campaign targeting telecom providers in the Middle East and Asia by deploying stealthy Linux kernel-level implants. The adversary abuses Berkeley Packet Filter (BPF) functionality to embed passive backdoors (BPFDoor) that activate via crafted network packets, avoiding detectable listeners or C2 channels. Initial access is obtained via internet-facing edge services (e.g., VPNs, firewalls) from vendors including Ivanti, Cisco, Juniper, Fortinet, VMware, Palo Alto, and Apache Struts. Post-exploitation includes deployment of frameworks like CrossC2 and Sliver, alongside credential harvesting tools, enabling lateral movement. BPFDoor’s functionality extends to telecom-native protocols (e.g., SCTP), potentially granting visibility into subscriber behavior, location tracking, and surveillance of high-value targets. A newly documented variant enhances evasion by concealing trigger packets within legitimate HTTPS traffic at fixed byte offsets and introducing ICMP-based lightweight communication between infected hosts.

Open in new tab

China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking and Malware Delivery

Cybersecurity researchers have uncovered a China-linked adversary-in-the-middle (AitM) framework called DKnife, active since at least 2019. The framework targets routers and edge devices to perform deep packet inspection, manipulate traffic, and deliver malware. It primarily targets Chinese-speaking users by harvesting credentials and delivering malware via popular Chinese services and applications. DKnife comprises seven Linux-based implants that enable a wide range of malicious activities, including DNS hijacking, binary download hijacking, and real-time user activity monitoring. The framework is linked to the Earth Minotaur threat activity cluster and shares infrastructural connections with WizardNet, a Windows implant deployed by TheWizards APT group. DKnife's infrastructure overlaps with a campaign delivering WizardNet, suggesting a shared development or operational lineage. The framework uses a component called yitiji.bin to create a bridged TAP interface on the router at the private IP address 10.3.3.3, allowing the threat actor to intercept and rewrite network packets in transit to the intended host. Additionally, DKnife monitors WeChat activities more analytically, tracking voice and video calls, text messages, images sent and received, and articles read on the platform.

Open in new tab

Asian State-Backed Group TGR-STA-1030 Targets 70 Government and Infrastructure Entities

A previously undocumented cyber espionage group, TGR-STA-1030, has compromised at least 70 government and critical infrastructure organizations across 37 countries over the past year. The group, assessed to be of Asian origin, leverages phishing emails and exploits N-day vulnerabilities to deploy malware and maintain long-term access for espionage purposes. Targets include national law enforcement, ministries of finance, and departments related to economic, trade, natural resources, and diplomatic functions. The group uses a variety of tools, including Cobalt Strike, Behinder, Godzilla, and a Linux kernel rootkit named ShadowGuard. The group conducted reconnaissance activity targeting government entities connected to 155 countries between November and December 2025 and showed increased interest in scanning entities across North, Central, and South America during the U.S. government shutdown in October 2025. The group also exploited at least 15 known vulnerabilities in SAP Solution Manager, Microsoft Exchange Server, D-Link, and Microsoft Windows.

Open in new tab

China-Linked APTs Deploy PeckBirdy JScript C2 Framework Since 2023

China-aligned APT actors have been using the PeckBirdy JScript-based command-and-control (C2) framework since 2023 to target Chinese gambling industries, Asian government entities, and private organizations. The framework leverages living-off-the-land binaries (LOLBins) for execution across various environments. Two campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, have been identified, each employing different tactics, including credential harvesting and malware delivery. The framework's flexibility allows it to operate across web browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET, using multiple communication methods like WebSocket and Adobe Flash ActiveX objects. Additional scripts for exploitation, social engineering, and backdoor delivery have been observed, along with links to known backdoors like HOLODONUT and MKDOOR. HOLODONUT disables security features such as AMSI before executing payloads in memory, while MKDOOR disguises its network traffic as legitimate Microsoft support or activation pages and attempts to evade Microsoft Defender by altering exclusion settings. Infrastructure overlaps and shared tooling suggest SHADOW-VOID-044 is linked with UNC3569, a China-aligned group previously associated with the GRAYRABBIT backdoor. Some samples used stolen code-signing certificates to legitimize malicious Cobalt Strike payloads, and SHADOW-EARTH-045 showed weaker but notable ties to activity previously attributed to Earth Baxia. The Shadow-Void-044 campaign used stolen code-signing certificates, Cobalt Strike payloads, and exploits, including CVE-2020-16040, to maintain persistent access. The Shadow-Earth-045 campaign targeted a Philippine educational institution in July 2024, using the GrayRabbit backdoor and the HoloDonut backdoor. The threat actor behind the Shadow-Earth campaign developed a .NET executable to launch PeckBirdy with ScriptControl.

Open in new tab

PluggyApe Backdoor Targets Ukraine's Defense Forces in Charity-Themed Campaign

Ukraine's Defense Forces were targeted in a charity-themed malware campaign between October and December 2025, delivering the PluggyApe backdoor, likely deployed by the Russian threat group Void Blizzard (Laundry Bear). The attacks began with instant messages over Signal or WhatsApp, directing recipients to malicious websites posing as charitable foundations. These sites distributed password-protected archives containing PluggyApe payloads. The malware profiles the host, sends victim information to attackers, and waits for further commands. In February 2026, a new campaign targeting Ukrainian entities was observed, employing judicial and charity-themed lures to deploy a JavaScript-based backdoor codenamed DRILLAPP. This campaign is likely orchestrated by threat actors linked to Russia and shares overlaps with the prior PluggyApe campaign. The malware is capable of uploading and downloading files, leveraging the microphone, and capturing images through the webcam. The threat actor is believed to be active since at least April 2024.

Open in new tab