| SYMBOL | COMMON_NAME | aka. SYNONYMS |
UNC6384 is a Chinese-affiliated APT that conducts targeted espionage campaigns primarily against diplomatic entities in Southeast Asia and Europe, specifically Belgium and Hungary. The group exploits the ZDI-CAN-25373 Windows shortcut vulnerability to gain initial code execution via malicious .LNK files, deploying the PlugX RAT through sophisticated delivery mechanisms, including DLL side-loading and adversary-in-the-middle attacks. Their operations involve social engineering tactics, such as spear-phishing emails themed around diplomatic events, to entice victims into executing malicious payloads. UNC6384's use of valid code signing and HTTPS hosting enhances their evasion of detection and increases the likelihood of user interaction.
There are currently no families associated with this actor.
| 2025-08-25
⋅
Google
⋅
Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats PlugX UNC6384 |