A stealthy espionage campaign emerged in early 2025 targeting diplomats and government entities in Southeast Asia and beyond.<\/p>\n
At the heart of this operation lies STATICPLUGIN, a downloader meticulously disguised as a legitimate Adobe plugin update.<\/p>\n
Victims encountered a captive portal hijack that redirected browsers to malicious domains, where an HTTPS-secured landing page prompted users to \u201cInstall Missing Plugins\u2026\u201d\u2014a ruse to lower suspicion and bypass browser warnings.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgLUyxeeHqwBYKdjncpKReM6OZoWahmRHe8jG6oU2GPcJKGU9TNbqQBzqEfUGvqo6rCxycMRFmLDORrbincuCyHaMxh0F44sxNWNkpHV0lOyVwLfOGebpc0jokhVdb4eFKeNKRGrUrVsV6emczUwRFYqm8fpVCLN89e0K0MO87EV3V5G9Bn-H7q9KXxadw\/s16000\/Malware%2520landing%2520page%2520%28Source%2520-Google%2520Cloud%29.webp?ssl=1\")
Once executed, the binary deployed a multi-stage chain<\/a> culminating in the in-memory launch of the SOGU.SEC backdoor.<\/p>\n Following the initial compromise, STATICPLUGIN retrieves an MSI package masquerading as a BMP image. Inside this package resides CANONSTAGER, which is DLL side-loaded to execute the encrypted payload cnmplog.dat.<\/p>\n This side-loading technique exploits trusted Windows components to evade host-based defenses. Google Cloud analysts identified this novel combination of captive portal hijacking and valid code signing as a sophisticated evolution in PRC-nexus tradecraft.<\/p>\n Evidence indicates that Chengdu Nuoxin Times Technology Co., Ltd. issued the signing certificates used for STATICPLUGIN, lending the downloader false legitimacy.<\/p>\n These certificates, issued by GlobalSign and Let\u2019s Encrypt, allowed the malware to bypass many endpoint security solutions<\/a> that trust digitally signed binaries.<\/p>\n Google Cloud researchers noted<\/a> that although the original certificate expired on July 14, 2025, UNC6384 likely re-signs subsequent build iterations to maintain uninterrupted stealth.<\/p>\n Detailed analysis of CANONSTAGER reveals unconventional evasion tactics. The launcher resolves Windows API addresses using a custom hashing algorithm and stores them in Thread Local Storage (TLS), an atypical location that may go unnoticed by monitoring tools.<\/p>\n By invoking these functions indirectly through a hidden window procedure and dispatching a WM_SHOWWINDOW message, CANONSTAGER conceals its true control flow within legitimate Windows message queues.<\/p>\n One of UNC6384\u2019s most remarkable innovations lies in its end-to-end in-memory execution. After establishing the hidden window and resolving APIs, CANONSTAGER creates a new thread to decrypt cnmplog.dat using a hardcoded 16-byte RC4 key.<\/p>\n Rather than writing the decrypted SOGU.SEC payload<\/a> to disk, the launcher invokes EnumSystemGeoID as a callback function to execute the backdoor directly in memory.<\/p>\n This technique denies defenders valuable forensic artifacts, as no malicious binary resides on disk.<\/p>\n Moreover, communications with the C2 server at 166.88.2.90 occur over HTTPS, blending with normal web traffic and further complicating network-based detection.<\/p>\n The initial JavaScript triggers the download of AdobePlugins.exe, setting the stage for in-memory execution. By avoiding disk writes and leveraging valid certificates, UNC6384 has raised the bar for malware stealth.<\/p>\n As Google Cloud analysts continue to monitor<\/a> this campaign, defenders are urged to inspect memory artifacts, enforce strict code-signing policies, and enable Enhanced Safe Browsing to detect anomalous TLS certificates and captive portal hijacks.<\/p>\n The post Chinese UNC6384 Hackers Leverages Valid Code Signing Certificates to Evade Detection<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjgzVcbnzjxc6f-Y_BsBI4g77Ejb2JsER6VtS7ciBKeKxj2CDOnIXEjBalxSPkg9peoImamjyDOcFB-eY23oDZqimlxz8_Z32CNQyAOZxJkIucL4GT_AOZz9HF2m1ZFQApWF8gso7Sd1n0xBN3huE7zu3AFOMRFNSha_0Ye-jrFuesegr5BmhsA1AaQfDc\/s16000\/Downloader%2520with%2520valid%2520digital%2520signature%2520%28Source%2520-Google%2520Cloud%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiIf29_t5UGf0Uvcw0ChGEty6aSlP4vbL97yK48qHw7DpFLXmEqzDNIyxpCkZ2H0TcIcGtpbJRVlS7cnPXtOgggAMo2uwb2_9rTzOWwMzYr0aId5TCBkCUNVcnLgXza8Peir5obDZmXZ3i9OoiYyq_Twx2XQ5eNkMrIFxZ_WV0FtqzPBRCkm9VZeDptR_c\/s16000\/Example%2520of%2520storing%2520function%2520addresses%2520in%2520TLS%2520array%2520%28Source%2520-Google%2520Cloud%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEglMPlhveYTxIk7V4NVKphuo4G5SiuKRPmSoTJ9usb1nATwBGUF5g89vHRNrzywRN9hGSyT8dQuqhJp-JXJRak_qCmOA5uMknaLHwdlU4nW3Xq1qAQkbt8yiI8B6S_II7xG71-b0MxASbfkVYqCnakpLtbEIpu4oJdAECJpavEO9qyHOQ_OTaccXkW9jWE\/s16000\/Overview%2520of%2520CANONSTAGER%2520execution%2520using%2520Windows%2520message%2520queue%2520%28Source%2520-Google%2520Cloud%29.webp?ssl=1\")
Detection Evasion through In-Memory Execution<\/strong><\/h2>\n
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n