Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats

    Date: 08/26/2025

    Severity: High

    Summary

    In March 2025, Intelligence Group uncovered a PRC-linked UNC6384 campaign targeting diplomats in Southeast Asia, aligning with China's cyber espionage goals. The threat actor hijacked captive portals to deliver a signed downloader, STATICPLUGIN, which deployed the PlugX backdoor in memory. The multi-stage AitM attack used advanced social engineering and compromised edge devices to stay undetected. Redirect chains from legitimate domains like “gstatic.com” were abused to deliver malware disguised as an Adobe Plugin update.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    https://mediareleaseupdates.com/AdobePlugins.html

    https://mediareleaseupdates.com/style3.js

    https://mediareleaseupdates.com/AdobePlugins.exe

    https://mediareleaseupdates.com/20250509.bmp

    http://www.gstatic.com/generate_204

    IP Addresses:

    103.79.120.72

    166.88.2.90

    Hashes (SHA-256, then SHA-1):

    65c42a7ea18162a92ee982eded91653a5358a7129c7672715ce8ddb6027ec124

    3299866538aff40ca85276f87dd0cefe4eafe167bd64732d67b06af4f3349916

    e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011

    cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79

    d1626c35ff69e7e5bde5eea9f9a242713421e59197f4b6d77b914ed46976b933

    c8744b10180ed59bf96cf79d7559249e9dcf0f90

    eca96bd74fb6b22848751e254b6dc9b8e2721f96

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs:

    domainname like "mediareleaseupdates.com"
    or url like "https://mediareleaseupdates.com/style3.js" or siteurl like "https://mediareleaseupdates.com/style3.js"
    or url like "https://mediareleaseupdates.com/AdobePlugins.html" or siteurl like "https://mediareleaseupdates.com/AdobePlugins.html"
    or url like "https://mediareleaseupdates.com/AdobePlugins.exe" or siteurl like "https://mediareleaseupdates.com/AdobePlugins.exe"
    or url like "https://mediareleaseupdates.com/20250509.bmp" or siteurl like "https://mediareleaseupdates.com/20250509.bmp"
    or domainname = "www.gstatic.com" or url = "http://www.gstatic.com/generate_204" or siteurl = "http://www.gstatic.com/generate_204"

    IP Addresses:

    dstipaddress IN ("103.79.120.72","166.88.2.90") or srcipaddress IN ("103.79.120.72","166.88.2.90")

    Hash 1 (SHA-256):

    sha256hash IN ("65c42a7ea18162a92ee982eded91653a5358a7129c7672715ce8ddb6027ec124","e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011","3299866538aff40ca85276f87dd0cefe4eafe167bd64732d67b06af4f3349916","cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79","d1626c35ff69e7e5bde5eea9f9a242713421e59197f4b6d77b914ed46976b933")

    Hash 2 (SHA-1):

    sha1hash IN ("c8744b10180ed59bf96cf79d7559249e9dcf0f90","eca96bd74fb6b22848751e254b6dc9b8e2721f96")
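    The queries above match indicators one at a time. The `gstatic.com/generate_204` entry deserves care: that URL is Google's connectivity-check probe, requested by every Chrome and Android client that joins a network, so on its own it is noise. What the campaign summary actually describes is the probe being answered with a redirect into the attacker's domain. The Python below is an added example, not code from Gurucul or from the referenced report: it loads the advisory's IOCs, runs flat domain/IP/hash matching over a few constructed tab-separated proxy-log lines (the field layout is assumed, not a real product format), and separately flags only those connectivity probes whose reply redirects to, or is quickly followed by a fetch from, an IOC domain. Which IP hosted which URL and which hash belongs to which file are not stated on the page; the pairings in the sample lines are constructed.

```python
# Added example (not part of the Gurucul advisory): apply the advisory's IOCs to
# constructed proxy-log lines and correlate the captive-portal redirect chain.
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Indicators copied from the advisory's IOC list.
MALICIOUS_DOMAINS = {"mediareleaseupdates.com"}
MALICIOUS_IPS = {"103.79.120.72", "166.88.2.90"}
MALICIOUS_HASHES = {
    "65c42a7ea18162a92ee982eded91653a5358a7129c7672715ce8ddb6027ec124",
    "3299866538aff40ca85276f87dd0cefe4eafe167bd64732d67b06af4f3349916",
    "e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011",
    "cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79",
    "d1626c35ff69e7e5bde5eea9f9a242713421e59197f4b6d77b914ed46976b933",
    "c8744b10180ed59bf96cf79d7559249e9dcf0f90",
    "eca96bd74fb6b22848751e254b6dc9b8e2721f96",
}
# Google's connectivity-check URL. Every Chrome/Android client requests it, so a
# request alone is not an indicator; the reply redirecting the client is.
PROBE_HOST, PROBE_PATH = "www.gstatic.com", "/generate_204"

# Constructed sample log (assumed layout: ts, src, url, dst, status, location, hash).
# IP/URL and hash/file pairings are constructed, not taken from the report.
SAMPLE_LOG = """\
2025-03-12T09:14:02\t10.0.5.21\thttp://www.gstatic.com/generate_204\t198.51.100.10\t204\t-\t-
2025-03-12T09:14:05\t10.0.5.22\thttp://www.gstatic.com/generate_204\t198.51.100.10\t302\thttps://mediareleaseupdates.com/AdobePlugins.html\t-
2025-03-12T09:14:06\t10.0.5.22\thttps://mediareleaseupdates.com/AdobePlugins.html\t103.79.120.72\t200\t-\t-
2025-03-12T09:14:09\t10.0.5.22\thttps://mediareleaseupdates.com/AdobePlugins.exe\t103.79.120.72\t200\t-\t65c42a7ea18162a92ee982eded91653a5358a7129c7672715ce8ddb6027ec124
2025-03-12T09:20:00\t10.0.5.23\thttps://example.org/index.html\t198.51.100.20\t200\t-\t-
2025-03-12T09:21:00\t10.0.5.24\thttp://www.gstatic.com/generate_204\t198.51.100.10\t302\thttp://hotel-wifi.example/login\t-
"""


@dataclass
class ProxyEvent:
    ts: datetime
    src_ip: str
    url: str
    dst_ip: str
    status: int
    location: str   # Location header on a 3xx reply, "-" otherwise
    file_hash: str  # hash of a downloaded body, "-" if none


def parse_line(line: str) -> ProxyEvent:
    """Parse one tab-separated line of the assumed log layout."""
    ts, src, url, dst, status, loc, h = line.rstrip("\n").split("\t")
    return ProxyEvent(datetime.fromisoformat(ts), src, url, dst, int(status), loc, h.lower())


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_malicious_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in MALICIOUS_DOMAINS)


def direct_ioc_hits(events):
    """Flat IOC matching, equivalent to the advisory's domain/IP/hash queries."""
    hits = []
    for e in events:
        if is_malicious_host(host_of(e.url)):
            hits.append((e.src_ip, "domain", e.url))
        if e.dst_ip in MALICIOUS_IPS:
            hits.append((e.src_ip, "ip", e.dst_ip))
        if e.file_hash in MALICIOUS_HASHES:
            hits.append((e.src_ip, "hash", e.file_hash))
    return hits


def hijacked_probes(events, window=timedelta(seconds=30)):
    """Connectivity probe answered by a redirect to an IOC domain, or followed
    within `window` by the same client fetching one. A 204 (normal answer) and a
    redirect to an ordinary captive-portal login page produce no finding."""
    by_src = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_src.setdefault(e.src_ip, []).append(e)
    findings = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if host_of(e.url) != PROBE_HOST or urlparse(e.url).path != PROBE_PATH:
                continue
            if e.status == 204:
                continue
            if 300 <= e.status < 400 and is_malicious_host(host_of(e.location)):
                findings.append((src, e.ts, e.location))
                continue
            for f in evs[i + 1:]:
                if f.ts - e.ts > window:
                    break
                if is_malicious_host(host_of(f.url)):
                    findings.append((src, e.ts, f.url))
                    break
    return findings


if __name__ == "__main__":
    evs = [parse_line(l) for l in SAMPLE_LOG.splitlines()]
    for hit in direct_ioc_hits(evs):
        print("IOC hit:", hit)
    for finding in hijacked_probes(evs):
        print("Hijacked captive-portal probe:", finding)
```

    Only the client whose probe was redirected into the IOC domain is reported by `hijacked_probes`; the client that received a normal 204 and the one redirected to an ordinary hotel login page are not, which is the distinction a flat match on the gstatic URL cannot make.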

    Reference: 

    https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats


    Tags

    Threat Actor, PRC-Nexus, UNC6384, South Asia, China, STATICPLUGIN, Backdoor, PlugX, SOGU.SEC, Social Engineering, AiTM
