CANONSTAGER

CANONSTAGER is a Windows malware loader/launcher used to deploy the PlugX backdoor, including the memory-resident variant tracked by Google as SOGU.SEC. It is delivered in campaigns attributed to the Chinese-affiliated threat actor UNC6384, which reporting links to TEMP.Hex / Mustang Panda / Silk Typhoon. Observed infection chains include spearphishing campaigns against European diplomatic and government entities in September-October 2025 that used malicious LNK files exploiting ZDI-CAN-25373 / CVE-2025-9491, as well as a separate adversary-in-the-middle captive-portal hijacking campaign targeting diplomats in Southeast Asia and other entities globally via a fake Adobe plugin update. In the LNK-based chain, obfuscated PowerShell extracts an archive containing a legitimate Canon printer assistant utility (cnmpaui.exe), a malicious sideloaded DLL (cnmpaui.dll, referred to as CANONSTAGER), and an encrypted payload file (cnmplog.dat). In the captive-portal chain, a signed downloader retrieves an MSI package that installs CANONSTAGER. CANONSTAGER abuses DLL side-loading through legitimate Canon software, decrypts the encrypted PlugX/SOGU.SEC payload, and loads/executes it entirely in memory, reducing disk artifacts. Reported behaviors include custom API hashing to obfuscate Windows API usage, use of Thread Local Storage to store function addresses, indirect execution via Windows message queues and hidden window procedures, and creation of a hidden zero-sized window. Arctic Wolf reported the loader evolved rapidly, shrinking from roughly 700 KB to roughly 4 KB between September and October 2025. Associated persistence observed in the PlugX deployment includes a Run key value named "CanonPrinter" under Software\Microsoft\Windows\CurrentVersion\Run pointing to cnmpaui.exe in a hidden user-profile directory. Related files and indicators directly mentioned include cnmpaui.exe, cnmpaui.dll, cnmplog.dat, SHA-256 e53bc08e60af1a1672a18b242f714486ead62164dda66f32c64ddc11ffe3f0df for a 4 KB malicious DLL sample, SHA-256 c9128d72de407eede1dd741772b5edfd437e006a161eecfffdf27b2483b33fc7 for cnmplog.dat, RC4 key eQkiwoiuDsvIPsmd, and C2 domains including racineupci[.]org, dorareco[.]net, naturadeco[.]net, cseconline[.]org, vnptgroup[.]it[.]com, and paquimetro[.]net.