China-Linked Hackers Target Diplomats in Global Spy Plot

Google’s Threat Intelligence Group (GTIG) revealed Monday that hackers tied to the Chinese government launched a complex cyber espionage operation targeting diplomats across Southeast Asia. The attack exploited a two-stage malware scheme to infiltrate devices used by government officials and other high-value targets globally.

According to the report, the campaign is “likely in support of cyber espionage operations aligned with the strategic interests of the People’s Republic of China (PRC).” The threat actor behind the campaign, identified as UNC6384, is suspected to be working either within the Chinese government or as an outside contractor.

The attack began with a “captive portal redirect,” tricking victims into visiting compromised websites. The initial stage installed a seemingly legitimate software update—digitally signed by Chinese tech firm Chengdu Nuoxin Times Technology Co.—which in turn delivered a second-stage backdoor, dubbed SOGU.SEC, to the victims’ devices.

GTIG’s investigation found redirect chains from trusted websites leading to malicious pages controlled by UNC6384. The team was unable to observe how the attackers first hijacked WiFi connections to initiate the redirects, but the malware itself used advanced techniques to disguise its activity and exploit legitimate Microsoft Windows processes.

Patrick Whitsell, a senior Google security engineer, confirmed that about two dozen victims, mostly diplomats in Southeast Asia, were compromised. While he did not identify specific countries, he stated, “Once you’re on that device, you can get those documents,” underscoring the threat to sensitive diplomatic information.

UNC6384’s tools and tactics closely resemble those of known Chinese state-affiliated hacker groups like Mustang Panda, also known by aliases such as TEMP.hex and Bronze President. Analysts have tracked UNC6384’s evolution over the past two years, linking it to at least 25 malware campaigns that used software signed by Chengdu Nuoxin.

Google is still investigating how UNC6384 obtained access to valid code-signing certificates. It remains unclear whether Chengdu Nuoxin’s involvement is the result of a security breach or a more deliberate collaboration with state-sponsored hackers.

“This campaign is a clear example of the continued evolution of UNC6384’s operational capabilities,” GTIG concluded, calling attention to the increasing sophistication of China-aligned cyber threats targeting global institutions.
