All news with #captive portal hijack tag
Mon, August 25, 2025
UNC6384 Uses Captive Portal Hijacks to Deploy PlugX
#Active Exploitation
#Backdoor Found
#Captive Portal Hijack
#Data Exfil via Tools
#DLL Sideloading
#PlugX
#Threat Report
Google’s Threat Intelligence Group (GTIG) detected a March 2025 campaign attributed to UNC6384 that uses captive-portal hijacks to deliver a digitally signed downloader called STATICPLUGIN. The downloader (observed as AdobePlugins.exe) retrieves an MSI and, via DLL sideloading through Canon’s IJ Printer Assistant Tool, stages a PlugX variant tracked as SOGU.SEC entirely in memory. Operators used valid TLS and GlobalSign-signed certificates issued to Chengdu Nuoxin Times Technology Co., Ltd, aiding evasion while targeting diplomats and other entities.