UNC6384 Hackers Leverage Valid Code Signing Certificates to Evade Detection
September 16th, 2025
High

Our Cyber Threat Intelligence Unit is monitoring a PRC-nexus campaign linked to UNC6384 that is targeting diplomats in Southeast Asia as well as global entities. The actor uses Adversary-in-the-Middle (AiTM) techniques against captive-portal checks to redirect browsers to an attacker page hosting a digitally signed “Adobe plugin” downloader (STATICPLUGIN). The chain proceeds to an MSI fetched from the same site, DLL side-loads CANONSTAGER, and deploys SOGU.SEC (PlugX) in memory. GTIG assesses that the redirects were likely facilitated via compromised edge devices; the initial access to those devices was not observed.
Technical Details
Attack Type: Targeted espionage; multi-stage loaders; DLL side-loading.
Severity: High.
Delivery: AiTM-driven captive-portal redirect during browser connectivity checks (e.g., Chrome to http://www.gstatic[.]com/generate_204), steering victims to an HTTPS landing page with a valid Let’s Encrypt cert and a digitally signed first stage.
Technique (staged chain)
STATICPLUGIN (signed downloader): Presents as an Adobe plugin updater; downloads 20250509.bmp (actually an MSI) from the same domain.
CANONSTAGER (DLL side-loader): Side-loads to execute encrypted cnmplog.dat in memory, using hidden message-loop tricks to evade naive API-based detection.
SOGU.SEC (PlugX variant): Provides system discovery, file transfer, and remote shell; observed direct HTTPS C2 to 166.88.2[.]90 in this campaign.
Affected Components
Windows endpoints (user browsers; captive-portal flow).
Edge devices (likely compromised) enabling AiTM redirects.

Impact
System Compromise: Full interactive control via SOGU.SEC backdoor (file transfer, shell).
Credential/Session Exposure (risk): AiTM + captive-portal increases the risk of session/credential interception during redirection.
Operational Deception: A valid TLS certificate plus a valid code-signing certificate lowers user suspicion and defeats basic inspection that treats "signed" as "trusted".
Detection Method
Network Monitoring:
Watch for captive-portal check sequences (e.g., gstatic.com/generate_204) followed by unexpected 3xx chains to non-org domains, especially new Let’s Encrypt certs with update themes.
Where policy allows, use TLS/HTTP inspection to spot update-themed pages delivering executables/MSIs.
Endpoint / EDR:
Alert on MSI executions where extension ≠ content type (e.g., .bmp that’s an MSI).
Alert on process chains in which the signed AdobePlugins.exe runs, cnmpaui.dll is loaded as a module, cnmplog.dat is decrypted into memory, and outbound HTTPS follows shortly after.
Hunt for hidden window/message-loop behavior consistent with CANONSTAGER (zero-size overlapped window; WM_SHOWWINDOW path).
Content Rules:
Apply GTIG YARA (appendix of the GTIG post) for STATICPLUGIN/CANONSTAGER/SOGU.SEC; validate locally before deployment.
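The two checks above (a connectivity probe answered with a 3xx to a non-org host, and an MSI hiding behind an image extension) as an added Python illustration; this is not code from the advisory or from GTIG, the space-separated log layout is an assumption, and the sample log lines are constructed (the redirect target is the landing domain from the IOC table, portal.example.org stands in for an organisation's own captive portal).

```python
import re
from urllib.parse import urlparse

# Browser connectivity-check URL named in the advisory; a 3xx answer to it
# means a captive portal (or an AiTM device posing as one) sits in the path.
CONNECTIVITY_CHECKS = {"http://www.gstatic.com/generate_204"}
# OLE Compound File header: every MSI package starts with these 8 bytes.
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Assumed log layout: timestamp client method url status location ("-" if none)
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# Constructed sample proxy log (not taken from the advisory).
SAMPLE_LOG = [
    "2025-09-10T08:00:01Z 10.0.0.5 GET http://www.gstatic.com/generate_204 302 https://mediareleaseupdates.com/AdobePlugins.html",
    "2025-09-10T08:00:02Z 10.0.0.5 GET https://mediareleaseupdates.com/AdobePlugins.html 200 -",
    "2025-09-10T08:05:00Z 10.0.0.7 GET http://www.gstatic.com/generate_204 302 https://portal.example.org/login",
    "2025-09-10T08:06:00Z 10.0.0.9 GET http://www.gstatic.com/generate_204 204 -",
]

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, loc = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "location": None if loc == "-" else loc}

def find_suspicious_redirects(log_lines, org_portal_hosts):
    """Return (client, target_host) for each connectivity check that was
    answered with a 3xx pointing at a host outside the org's own portals."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if not rec or rec["url"] not in CONNECTIVITY_CHECKS:
            continue
        if 300 <= rec["status"] < 400 and rec["location"]:
            host = urlparse(rec["location"]).hostname or ""
            if host not in org_portal_hosts:
                hits.append((rec["client"], host))
    return hits

def is_masqueraded_msi(filename, data):
    """True when a file with an image extension carries an MSI (OLE CFB) header."""
    return filename.lower().endswith((".bmp", ".png", ".jpg")) and data.startswith(OLE_CFB_MAGIC)

if __name__ == "__main__":
    print(find_suspicious_redirects(SAMPLE_LOG, {"portal.example.org"}))
    print(is_masqueraded_msi("20250509.bmp", OLE_CFB_MAGIC + b"\x00" * 504))
```

The host allow-list should hold only the organisation's own captive-portal hosts; any other redirect target for a connectivity probe is worth a ticket even when the landing site has a valid certificate.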
Indicators of Compromise
Artifact | Type | Indicator | Description |
AdobePlugins.exe | File hash — SHA-256 | 65c42a7ea18162a92ee982eded91653a5358a7129c7672715ce8ddb6027ec124 | Signed downloader (STATICPLUGIN) |
20250509.bmp (MSI) | File hash — SHA-256 | 3299866538aff40ca85276f87dd0cefe4eafe167bd64732d67b06af4f3349916 | MSI masquerading as “.bmp” |
cnmpaui.dll | File hash — SHA-256 | e787f64af048b9cb8a153a0759555785c8fd3ee1e8efbca312a29f2acb1e4011 | DLL used for side-loading (CANONSTAGER) |
cnmplog.dat | File hash — SHA-256 | cc4db3d8049043fa62326d0b3341960f9a0cf9b54c2fbbdffdbd8761d99add79 | Encrypted payload loaded in memory |
SOGU.SEC (memory only) | File hash — SHA-256 | d1626c35ff69e7e5bde5eea9f9a242713421e59197f4b6d77b914ed46976b933 | PlugX variant executed in memory |
mediareleaseupdates[.]com TLS cert | Certificate thumbprint — SHA-1 | c8744b10180ed59bf96cf79d7559249e9dcf0f90 | Site TLS certificate |
AdobePlugins.exe signer | Certificate thumbprint — SHA-1 | eca96bd74fb6b22848751e254b6dc9b8e2721f96 | Code-signing certificate |
Landing page | URL | https[:]//mediareleaseupdates[.]com/AdobePlugins[.]html | Captive-portal themed landing page |
JS | URL | https[:]//mediareleaseupdates[.]com/style3[.]js | Page script |
STATICPLUGIN | URL | https[:]//mediareleaseupdates[.]com/AdobePlugins[.]exe | Signed first stage |
MSI | URL | https[:]//mediareleaseupdates[.]com/20250509[.]bmp | MSI download (named “.bmp”) |
Hosting IP | IP address | 103.79.120[.]72 | Site hosting |
C2 IP | IP address | 166.88.2[.]90 | HTTPS C2 observed |

Recommendations
Containment & Hardening:
Re-baseline and harden edge devices (routers, firewalls, VPNs); investigate for AiTM/tampering. Initial access to these devices is unknown—assume compromise until proven otherwise.
Enforce application allow-listing; block DLL side-loading patterns; treat “signed” as not sufficient for trust.
Where permitted, enable TLS/HTTP inspection and download reputation checks for update-themed sites.
Identity & Access:
Strengthen SSO/MFA; monitor portal-related anomalies and session irregularities consistent with AiTM flows.
Threat Hunting:
Hunt for the exact toolchain sequence and artifacts listed above; deploy GTIG YARA.
Conclusion
UNC6384 demonstrates advanced deception techniques, including captive-portal hijack (AiTM), a signed first stage, DLL side-loading, and in-memory PlugX. By combining legitimate TLS and code signing with indirect execution, the chain reduces user suspicion and limits the visibility defenders have at the network and endpoint control planes. We urge organizations to prioritize edge-device integrity, behavioral analytics, and static IOC enforcement to mitigate risks associated with this threat.