Intel Name: Deception in depth: PRC-nexus espionage campaign hijacks web traffic to target diplomats
Date of Scan: August 26, 2025
Impact: High
Summary: In March 2025, Intelligence Group uncovered a PRC-linked UNC6384 campaign targeting diplomats in Southeast Asia, aligning with China’s cyber espionage goals. The threat actor hijacked captive portals to deliver a signed downloader, STATICPLUGIN, which deployed the PlugX backdoor in memory. The multi-stage adversary-in-the-middle (AitM) attack used advanced social engineering and compromised edge devices to stay undetected. Redirect chains from legitimate domains like “gstatic.com” were abused to deliver malware disguised as an Adobe Plugin update.