STATICPLUGIN

STATICPLUGIN is a digitally signed Windows downloader used in a multi-stage espionage infection chain attributed to UNC6384, which Google Threat Intelligence Group linked to the Chinese threat actor TEMP.Hex, also known as Mustang Panda and Silk Typhoon. In reported March 2025 activity targeting diplomats in Southeast Asia and globally, attackers used an adversary-in-the-middle technique involving captive portal hijacking and abuse of Chrome connectivity checks to redirect victims to a fake Adobe plugin update site. Victims were prompted to execute a signed file such as AdobePlugins.exe, meaning the malware required user execution. STATICPLUGIN used the Windows COM Installer Object to download an MSI package; the MSI was disguised as a BMP file to hide its true MSI extension. The downloaded package contained components including a legitimate Canon printer tool and CANONSTAGER, which used DLL side-loading to decrypt and execute the final SOGU.SEC backdoor, a PlugX variant, entirely in memory. Reporting states STATICPLUGIN was signed with a valid Certificate Authority-issued certificate to help circumvent endpoint defenses, and campaign samples were signed by Chengdu Nuoxin Times Technology Co., Ltd., though it was unclear whether that entity was complicit or compromised. The broader infection chain ultimately deployed PlugX/SOGU.SEC, which was described as capable of collecting system information, uploading and downloading files, and providing a remote command shell. Detection references in the content include published YARA rules for STATICPLUGIN and CANONSTAGER.