Google Accuses China-Linked Hackers of Targeting Diplomats in Asia

By MNK News | August 26, 2025


The Google Threat Intelligence Group (GTIG) reported on Monday that a “complex, multifaceted campaign” by hackers linked to the Chinese government is targeting “diplomats in Southeast Asia and other entities globally.”

“GTIG assesses this was likely in support of cyber espionage operations aligned with the strategic interests of the People’s Republic of China (PRC),” the report said.

The cyber espionage campaign involved a “captive portal redirect,” which infected the targeted computer systems with a “digitally signed downloader.” The downloader, in turn, installed a spyware program on the victimized computer systems.

In other words, the hackers allegedly tricked their victims into accessing hijacked websites that infected them with a two-stage malware attack. The first stage was a seemingly legitimate download plugin for their browsers, which proceeded to pull a backdoor virus called SOGU.SEC into their computers. Users thought they were downloading innocuous software updates, but they were really getting a virus.

GTIG uncovered the scheme by noticing “redirect chains” leading from legitimate domains to highly suspicious websites controlled by hackers. The one missing piece of the puzzle was the initial attack that forced the targeted WiFi routers to bounce to the hackers’ website. Google’s security technicians were unable to observe this first step in the process when they began investigating the cyber espionage campaign in March 2025.

GTIG identified a “PRC-nexus threat actor” called UNC6384 as the culprit. Some of the web pages involved in the espionage scheme are known to be controlled by this group. Also, the highly sophisticated code that fooled victims’ computers into installing the malware by abusing legitimate functions of Microsoft Windows and cleverly concealing security violations has been employed in previous UNC6384 attacks.

“This campaign is a clear example of the continued evolution of UNC6384’s operational capabilities and highlights the sophistication of PRC-nexus threat actors,” GTIG concluded.

Senior Google security engineer Patrick Whitsell told Bloomberg News on Monday that “about two dozen victims” were infected by the malware, most of them diplomats working in Southeast Asia.

Whitsell did not disclose the nationalities of the targeted diplomats, but his team was highly confident that the hackers were “China-aligned” – either working “inside the government” or as “outside contractors.”

“I would assume diplomats have pretty sensitive documents on their laptops that they’re using for their day-to-day work. And yeah, once you’re on that device, you can get those documents,” he said.

The “UNC” prefix denotes a threat actor that has not been precisely identified yet. UNC6384 has certain similarities in tactics and preferred software tools to a Chinese hacker gang called “Mustang Panda,” which works under a number of aliases, including “TEMP.hex,” “Bronze President,” “Camaro Dragon,” and “Red Lich.”

The malware payload delivered in the second stage of the attack on diplomats in Southeast Asia was first detected by cybersecurity analysts in 2008. Increasingly sophisticated versions of this virus have long been popular with Chinese hacking groups.

Another clue to the identity of the culprits is that the downloader used in the first stage of the attack was digitally signed by a Chinese company called Chengdu Nuoxin Times Technology Co. Ltd. Digital signatures prompt computer systems to treat a software package as safe and legitimate.

At least 25 instances of malware signed by Chengdu Nuoxin have been discovered by GTIG over the past two years, most of them deployed by hackers linked to the Chinese government. GTIG investigated two previous large-scale cyber espionage campaigns that employed malware signed by the same company, with enough similarities to the diplomat attack to suggest they might have been carried out by the same threat actor, UNC6384. 

“It remains an open question how the threat actors are obtaining these certificates,” GTIG noted. “The Subscriber organization may be a victim with compromised code signing material. However, they may also be a willing participant or front company facilitating cyber espionage operations.”
