EPISODE · Nov 2, 2025 · 5 MIN
Cyber Sleuth Ting Uncovers China's Hack Pack: UNC6384 Crashes Diplomatic Party with PlugX Surprise
from Digital Dragon Watch: Weekly China Cyber Alert · host Inception Point AI
This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey listeners, Ting here—your friendly neighborhood cyber sleuth with a dash of zero-day wit. Let’s jump right into the digital dragon’s den, because the past week in China cyber has been anything but dull. First up, the hot news is UNC6384, a China-linked hacking crew that’s been busy targeting European diplomatic missions. According to the team at Arctic Wolf and coverage in The Hacker News and Daily News Hungary, these cyber ninjas exploited a fresh Windows shortcut vulnerability—CVE-2025-9491—using slick spear-phishing emails themed around European Commission meetings and NATO workshops. The bad emails lured Hungarian, Belgian, Italian, Dutch, and Serbian officials into clicking links that unleashed PlugX malware—a remote access trojan that’s been the gift nobody wants at diplomatic parties since the early 2010s. PlugX, also known as Destroy RAT, SOGU, or Korplug, opens the digital door for pesky intruders to log keystrokes, swipe files, and monitor sensitive government chatter. The attack chain is a thing of crafty beauty: spear-phishing emails lead to malicious LNK files, which in turn run PowerShell to unpack an archive disguised as a Canon printer utility, but containing the CanonStager malware and a PlugX payload. CanonStager’s been on a diet—shrinking from 700 KB to 4 KB in a month, making it almost as sneaky as my last Wi-Fi password. Memory-resident “SOGU.SEC” variants mean even forensic teams need a stiff coffee before they start searching volatile RAM for clues. And if HTML applications with JavaScript don’t fool victims, well, UNC6384’s got decoy websites in the arsenal. Mustang Panda, another notorious China-backed crew, is sharing tactics and infrastructure, as if we needed even more cyber commotion. Why, you ask? The goal’s classic espionage—intel on EU defense, coordination, and the strength of alliances. This is all about outsmarting rivals diplomatically, not causing outages. But just in case you’re wondering, airports from London Heathrow to Brussels did report disruptions from external providers last September, and several government web portals took a hit too. Clearly, you don’t need to be wearing a diplomat’s pin to be on China’s radar. Stateside, things got spicy for TP-Link: The Washington Post reports US agencies—including Commerce and Homeland Security—are floating a complete ban on TP-Link routers over concerns that the company’s US arm is still susceptible to Beijing’s bidding. TP-Link holds up to 65% of the home router market, so that’s not just a minor move; it’s more like pulling the plug out of the middle of America’s living room. The feds haven’t made it official yet, but if you’re a TP-Link user, security audits, firmware updates, and changing default passwords aren’t just good hygiene—they’re your personal firewall until further notice. And let’s not forget Ribbon Communications, which suffered a near year-long supply chain attack by a This content was created in partnership and with the help of Artificial Intelligence AI.
What this episode covers
This is your Digital Dragon Watch: Weekly China Cyber Alert podcast. Hey listeners, Ting here—your friendly neighborhood cyber sleuth with a dash of zero-day wit. Let’s jump right into the digital dragon’s den, because the past week in China cyber has been anything but dull. First up, the hot news is UNC6384, a China-linked hacking crew that’s been busy targeting European diplomatic missions. According to the team at Arctic Wolf and coverage in The Hacker News and Daily News Hungary, these cyber ninjas exploited a fresh Windows shortcut vulnerability—CVE-2025-9491—using slick spear-phishing emails themed around European Commission meetings and NATO workshops. The bad emails lured Hungarian, Belgian, Italian, Dutch, and Serbian officials into clicking links that unleashed PlugX malware—a remote access trojan that’s been the gift nobody wants at diplomatic parties since the early 2010s. PlugX, also known as Destroy RAT, SOGU, or Korplug, opens the digital door for pesky intruders to log keystrokes, swipe files, and monitor sensitive government chatter. The attack chain is a thing of crafty beauty: spear-phishing emails lead to malicious LNK files, which in turn run PowerShell to unpack an archive disguised as a Canon printer utility, but containing the CanonStager malware and a PlugX payload. CanonStager’s been on a diet—shrinking from 700 KB to 4 KB in a month, making it almost as sneaky as my last Wi-Fi password. Memory-resident “SOGU.SEC” variants mean even forensic teams need a stiff coffee before they start searching volatile RAM for clues. And if HTML applications with JavaScript don’t fool victims, well, UNC6384’s got decoy websites in the arsenal. Mustang Panda, another notorious China-backed crew, is sharing tactics and infrastructure, as if we needed even more cyber commotion. Why, you ask? The goal’s classic espionage—intel on EU defense, coordination, and the strength of alliances. This is all about outsmarting rivals diplomatically, not causing outages. But just in case you’re wondering, airports from London Heathrow to Brussels did report disruptions from external providers last September, and several government web portals took a hit too. Clearly, you don’t need to be wearing a diplomat’s pin to be on China’s radar. Stateside, things got spicy for TP-Link: The Washington Post reports US agencies—including Commerce and Homeland Security—are floating a complete ban on TP-Link routers over concerns that the company’s US arm is still susceptible to Beijing’s bidding. TP-Link holds up to 65% of the home router market, so that’s not just a minor move; it’s more like pulling the plug out of the middle of America’s living room. The feds haven’t made it official yet, but if you’re a TP-Link user, security audits, firmware updates, and changing default passwords aren’t just good hygiene—they’re your personal firewall until further notice. And let’s not forget Ribbon Communications, which suffered a near year-long supply chain attack by a This content was created in partnership and with the help of Artificial Intelligence AI.
NOW PLAYING
Cyber Sleuth Ting Uncovers China's Hack Pack: UNC6384 Crashes Diplomatic Party with PlugX Surprise
No transcript for this episode yet
Similar Episodes
No similar episodes found.
Similar Podcasts
No similar podcasts found.