UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities
#UNC6384 #ZDI_CAN_25373 #CanonStager
https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/

#China-linked #UNC6384 exploits #Windows zero-day to spy on European diplomats
https://securityaffairs.com/184083/apt/china-linked-unc6384-exploits-windows-zero-day-to-spy-on-european-diplomats.html
#securityaffairs #hacking #APT

China-linked UNC6384 group targets European diplomats via spear-phishing & PlugX malware.
Attack exploited Windows flaw ZDI-CAN-25373.
Full story 👉 https://www.technadu.com/china-linked-hacking-group-targets-european-diplomatic-entities-in-espionage-campaign/612350/

#CyberSecurity #APT #PlugX #UNC6384 #CyberEspionage

Google’s report on #UNC6384 lists this certificate as being used in C2 comms by Sogu (#PlugX variant):
eca96bd74fb6b22848751e254b6dc9b8e2721f96

Here’s an @anyrun_app execution, of AdobePlugins.​exe on May 19, which runs CANONSTAGER as well as SOGU.​SEC:
https://app.any.run/tasks/ce2745eb-edac-4e62-b5a9-5d9515b88bc4

It connects to the C2 server on 166.88.2[.]90, which actually provides a different certificate.
🔥 50f990235d7492431f57953cec14a478fb662c8d
🔥 SAN: *.crossfitolathe.​com