Organizations around the world and diplomats in Southeast Asia have been targeted since March by a multi-stage cyberespionage campaign run by UNC6384, a threat group associated with the Chinese advanced persistent threat operation Mustang Panda, The Hacker News reports.

According to an analysis from the Google Threat Intelligence Group (GTIG), UNC6384 hijacked victims' web traffic through a captive portal to mount an adversary-in-the-middle attack, luring targets into downloading a bogus Adobe plugin update tracked as STATICPLUGIN. STATICPLUGIN retrieves an MSI package that deploys CANONSTAGER, which is DLL side-loaded to launch the SOGU.SEC malware.

GTIG also found that STATICPLUGIN was signed with a valid code-signing certificate issued by GlobalSign to Chengdu Nuoxin Times Technology Co., Ltd. How the attackers obtained the certificate remains unclear.

"This campaign is a clear example of the continued evolution of UNC6384's operational capabilities and highlights the sophistication of PRC-nexus threat actors," said GTIG researcher Patrick Whitsell.
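One practical way to notice the captive-portal hijacking described above is to compare what a well-known connectivity probe URL actually returns against the fixed response its operator publishes; a redirect to a third-party host, or a substituted HTML body, means something on the path is intercepting plain-HTTP traffic. The following is an added example written for this article, not code from GTIG or The Hacker News. The probe URLs and their documented responses (Microsoft's `connecttest.txt`, Google's `generate_204`) are real; the sample responses and the host `portal.example.invalid` are constructed for illustration and do not come from the campaign.

```python
"""Classify connectivity-probe responses to spot captive-portal / AitM interception.

Added example for this article; it does not reproduce any UNC6384 tooling.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse
import urllib.request
import urllib.error


@dataclass
class ProbeResult:
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


# Publicly documented probes: URL -> (expected status, expected body).
PROBES: Dict[str, Tuple[int, bytes]] = {
    "http://www.msftconnecttest.com/connecttest.txt": (200, b"Microsoft Connect Test"),
    "http://connectivitycheck.gstatic.com/generate_204": (204, b""),
}


def classify_probe(result: ProbeResult) -> str:
    """Return 'ok' or a 'hijacked:<reason>' verdict for one probe response."""
    expected = PROBES.get(result.url)
    if expected is None:
        return "unknown-probe"
    exp_status, exp_body = expected
    hdrs = {k.lower(): v for k, v in result.headers.items()}

    # A captive portal answers the probe with a redirect to its own host.
    if 300 <= result.status < 400:
        target = urlparse(hdrs.get("location", "")).hostname or "?"
        return f"hijacked:redirect-to-{target}"
    # Some portals keep 200 but push the browser along with a Refresh header.
    if "refresh" in hdrs:
        return "hijacked:meta-refresh"
    if result.status != exp_status:
        return f"hijacked:status-{result.status}"
    # The genuine body is a fixed string; anything else was substituted in transit.
    if result.body.strip() != exp_body:
        return "hijacked:body-mismatch"
    return "ok"


def classify_all(results: List[ProbeResult]) -> Dict[str, str]:
    """Map each probe URL to its verdict; any non-'ok' entry warrants a look."""
    return {r.url: classify_probe(r) for r in results}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can see them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_probe(url: str, timeout: float = 5.0) -> ProbeResult:
    """Issue a live probe (plain HTTP on purpose: that is what portals hijack)."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return ProbeResult(url, resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as e:  # raised for 3xx once redirects are disabled
        return ProbeResult(url, e.code, dict(e.headers), e.read())


# Constructed sample responses (not captured from the real campaign).
SAMPLE_CLEAN = ProbeResult(
    "http://www.msftconnecttest.com/connecttest.txt", 200,
    {"Content-Type": "text/plain"}, b"Microsoft Connect Test")
SAMPLE_REDIRECT = ProbeResult(
    "http://www.msftconnecttest.com/connecttest.txt", 302,
    {"Location": "http://portal.example.invalid/update/adobe-plugin"}, b"")
SAMPLE_SUBSTITUTED = ProbeResult(
    "http://www.msftconnecttest.com/connecttest.txt", 200,
    {"Content-Type": "text/html"},
    b"<html><script>location='http://portal.example.invalid/'</script></html>")
SAMPLE_GOOGLE_OK = ProbeResult(
    "http://connectivitycheck.gstatic.com/generate_204", 204, {}, b"")


if __name__ == "__main__":
    for url, verdict in classify_all(
            [SAMPLE_CLEAN, SAMPLE_REDIRECT, SAMPLE_SUBSTITUTED, SAMPLE_GOOGLE_OK]).items():
        print(f"{verdict:40} {url}")
```

Run as a script it classifies the constructed samples; replace them with `fetch_probe(url)` for each entry in `PROBES` to test a live network. Because these probes are deliberately unencrypted, a verdict of `hijacked:*` does not by itself prove malice (many hotel and airport networks behave the same way), but it is exactly the condition under which a "plugin update" prompt should be treated as untrusted.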