Chinese Espionage Group Exploits Fake Wi-Fi Portals to Infiltrate Diplomatic Networks

 

A recent investigation by Google’s security researchers has revealed a cyber operation linked to China that is targeting diplomats in Southeast Asia. The group behind the activity, tracked as UNC6384, has been found hijacking web traffic through deceptive Wi-Fi login pages. 

Instead of providing legitimate internet access, these portals imitated VPN sign-ins or software updates. Unsuspecting users were then tricked into downloading a file known as STATICPLUGIN. That downloader served as the delivery mechanism for SOGU.SEC, a newly modified version of the notorious PlugX malware, long associated with Chinese state-backed operations. What makes this campaign particularly dangerous is the use of a legitimate digital certificate to sign the malware. 

This allowed it to slip past traditional endpoint defenses. Once active, the backdoor enabled data theft, internal movement across networks, and persistent monitoring of sensitive systems. Google noted that the attackers relied on adversary-in-the-middle techniques to blend malicious activity with regular network traffic. 

Redirectors controlled by the group were used to reroute connections through their fake portals, ensuring victims remained unaware of the compromise. The choice of targets reflects Beijing’s broader regional ambitions. Diplomatic staff and foreign service officers often handle classified information relating to alliances, trade talks, and geopolitical strategies. 

By embedding malware within these systems, the attackers could gain visibility into negotiations and policy planning. Google has notified organizations it identified as victims and added the malicious infrastructure to its Safe Browsing alerts, aiming to block future attempts.