Cyber Sleuth Ting Uncovers China's Hack Pack: UNC6384 Crashes Diplomatic Party with PlugX Surprise episode artwork

EPISODE · Nov 2, 2025 · 5 MIN

Cyber Sleuth Ting Uncovers China's Hack Pack: UNC6384 Crashes Diplomatic Party with PlugX Surprise

from Digital Dragon Watch: Weekly China Cyber Alert · host Inception Point AI

This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey listeners, Ting here—your friendly neighborhood cyber sleuth with a dash of zero-day wit. Let’s jump right into the digital dragon’s den, because the past week in China cyber has been anything but dull. First up, the hot news is UNC6384, a China-linked hacking crew that’s been busy targeting European diplomatic missions. According to the team at Arctic Wolf and coverage in The Hacker News and Daily News Hungary, these cyber ninjas exploited a fresh Windows shortcut vulnerability—CVE-2025-9491—using slick spear-phishing emails themed around European Commission meetings and NATO workshops. The bad emails lured Hungarian, Belgian, Italian, Dutch, and Serbian officials into clicking links that unleashed PlugX malware—a remote access trojan that’s been the gift nobody wants at diplomatic parties since the early 2010s. PlugX, also known as Destroy RAT, SOGU, or Korplug, opens the digital door for pesky intruders to log keystrokes, swipe files, and monitor sensitive government chatter. The attack chain is a thing of crafty beauty: spear-phishing emails lead to malicious LNK files, which in turn run PowerShell to unpack an archive disguised as a Canon printer utility, but containing the CanonStager malware and a PlugX payload. CanonStager’s been on a diet—shrinking from 700 KB to 4 KB in a month, making it almost as sneaky as my last Wi-Fi password. Memory-resident “SOGU.SEC” variants mean even forensic teams need a stiff coffee before they start searching volatile RAM for clues. And if HTML applications with JavaScript don’t fool victims, well, UNC6384’s got decoy websites in the arsenal. Mustang Panda, another notorious China-backed crew, is sharing tactics and infrastructure, as if we needed even more cyber commotion. Why, you ask? The goal’s classic espionage—intel on EU defense, coordination, and the strength of alliances. This is all about outsmarting rivals diplomatically, not causing outages. But just in case you’re wondering, airports from London Heathrow to Brussels did report disruptions from external providers last September, and several government web portals took a hit too. Clearly, you don’t need to be wearing a diplomat’s pin to be on China’s radar. Stateside, things got spicy for TP-Link: The Washington Post reports US agencies—including Commerce and Homeland Security—are floating a complete ban on TP-Link routers over concerns that the company’s US arm is still susceptible to Beijing’s bidding. TP-Link holds up to 65% of the home router market, so that’s not just a minor move; it’s more like pulling the plug out of the middle of America’s living room. The feds haven’t made it official yet, but if you’re a TP-Link user, security audits, firmware updates, and changing default passwords aren’t just good hygiene—they’re your personal firewall until further notice. And let’s not forget Ribbon Communications, which suffered a near year-long supply chain attack by a This content was created in partnership and with the help of Artificial Intelligence AI.

This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey listeners, Ting here—your friendly neighborhood cyber sleuth with a dash of zero-day wit. Let’s jump right into the digital dragon’s den, because the past week in China cyber has been anything but dull. First up, the hot news is UNC6384, a China-linked hacking crew that’s been busy targeting European diplomatic missions. According to the team at Arctic Wolf and coverage in The Hacker News and Daily News Hungary, these cyber ninjas exploited a fresh Windows shortcut vulnerability—CVE-2025-9491—using slick spear-phishing emails themed around European Commission meetings and NATO workshops. The bad emails lured Hungarian, Belgian, Italian, Dutch, and Serbian officials into clicking links that unleashed PlugX malware—a remote access trojan that’s been the gift nobody wants at diplomatic parties since the early 2010s. PlugX, also known as Destroy RAT, SOGU, or Korplug, opens the digital door for pesky intruders to log keystrokes, swipe files, and monitor sensitive government chatter. The attack chain is a thing of crafty beauty: spear-phishing emails lead to malicious LNK files, which in turn run PowerShell to unpack an archive disguised as a Canon printer utility, but containing the CanonStager malware and a PlugX payload. CanonStager’s been on a diet—shrinking from 700 KB to 4 KB in a month, making it almost as sneaky as my last Wi-Fi password. Memory-resident “SOGU.SEC” variants mean even forensic teams need a stiff coffee before they start searching volatile RAM for clues. And if HTML applications with JavaScript don’t fool victims, well, UNC6384’s got decoy websites in the arsenal. Mustang Panda, another notorious China-backed crew, is sharing tactics and infrastructure, as if we needed even more cyber commotion. Why, you ask? The goal’s classic espionage—intel on EU defense, coordination, and the strength of alliances. This is all about outsmarting rivals diplomatically, not causing outages. But just in case you’re wondering, airports from London Heathrow to Brussels did report disruptions from external providers last September, and several government web portals took a hit too. Clearly, you don’t need to be wearing a diplomat’s pin to be on China’s radar. Stateside, things got spicy for TP-Link: The Washington Post reports US agencies—including Commerce and Homeland Security—are floating a complete ban on TP-Link routers over concerns that the company’s US arm is still susceptible to Beijing’s bidding. TP-Link holds up to 65% of the home router market, so that’s not just a minor move; it’s more like pulling the plug out of the middle of America’s living room. The feds haven’t made it official yet, but if you’re a TP-Link user, security audits, firmware updates, and changing default passwords aren’t just good hygiene—they’re your personal firewall until further notice. And let’s not forget Ribbon Communications, which suffered a near year-long supply chain attack by a This content was created in partnership and with the help of Artificial Intelligence AI.

NOW PLAYING

Cyber Sleuth Ting Uncovers China's Hack Pack: UNC6384 Crashes Diplomatic Party with PlugX Surprise

0:00 5:04

No transcript for this episode yet

We transcribe on demand. Request one and we'll notify you when it's ready — usually under 10 minutes.

No similar episodes found.

No similar podcasts found.

Frequently Asked Questions

How long is this episode of Digital Dragon Watch: Weekly China Cyber Alert?

This episode is 5 minutes long.

When was this Digital Dragon Watch: Weekly China Cyber Alert episode published?

This episode was published on November 2, 2025.

What is this episode about?

This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey listeners, Ting here—your friendly neighborhood cyber sleuth with a dash of zero-day wit. Let’s jump right into the digital dragon’s den, because the past week in China cyber...

Can I download this Digital Dragon Watch: Weekly China Cyber Alert episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!