Google’s Threat Analysis Group (TAG) has revealed a sophisticated cyber espionage campaign allegedly tied to China, targeting diplomats across Southeast Asia. The hacking group, identified as UNC6384, is accused of supporting state political interests and has a track record of complex cyber intrusions.
According to Bloomberg, nearly two dozen diplomats have been compromised through deceptive social engineering schemes. 
Victims were tricked into downloading what appeared to be legitimate software updates. In reality, the downloads carried hidden malware, enabling hackers to infiltrate sensitive systems remotely.
The attackers used an adversary-in-the-middle technique, intercepting browser connections over public Wi-Fi networks. Targets were redirected to install a counterfeit installer tracked as STATICPLUGIN, which was signed with a valid code-signing certificate so that it would not raise suspicion. Once installed, it silently loaded SOGU.SEC, a memory-resident implant designed to remain hidden while granting full remote control of the system. From there, the attackers could exfiltrate files, issue commands, and maintain covert surveillance.
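The chain above has two detection hooks a defender can act on without any knowledge of the specific malware: an update request that ends up being served from a host other than the vendor's, and an installer whose signature is valid but whose signer is not the vendor the client thought it was updating from. The following Python is an added example, not code from the article or from Google TAG; the log format, the host allowlist, the publisher name and the log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical allowlist: update host -> publisher name expected on the
# installer's code-signing certificate. "The signature validates" is not the
# same check as "the signer is the vendor we expect"; both must hold.
EXPECTED_PUBLISHER = {
    "updates.example-vendor.test": "Example Vendor Ltd",
}

# Constructed proxy-log lines (hypothetical format): the client, the URL it
# asked for, the URL the download actually came from after any redirect, the
# subject name on the installer's signing certificate, and the signature state.
SAMPLE_LOG = [
    "2025-08-25T10:01:02Z client=10.0.0.12 "
    "req=https://updates.example-vendor.test/setup.exe "
    "final=https://updates.example-vendor.test/setup.exe "
    "signer='Example Vendor Ltd' sig=valid",
    # Plaintext request, redirected to a host that is not the vendor, and the
    # installer carries a valid signature from an unrelated publisher.
    "2025-08-25T10:03:11Z client=10.0.0.15 "
    "req=http://updates.example-vendor.test/setup.exe "
    "final=https://cdn-update.unrelated-host.test/setup.exe "
    "signer='Some Other Company' sig=valid",
    # Right host, right publisher name, but the signature does not verify.
    "2025-08-25T10:05:40Z client=10.0.0.19 "
    "req=https://updates.example-vendor.test/setup.exe "
    "final=https://updates.example-vendor.test/setup.exe "
    "signer='Example Vendor Ltd' sig=invalid",
]

LINE_RE = re.compile(
    r"client=(?P<client>\S+) req=(?P<req>\S+) final=(?P<final>\S+) "
    r"signer='(?P<signer>[^']*)' sig=(?P<sig>\w+)"
)


@dataclass
class Finding:
    client: str
    final_url: str
    reasons: list = field(default_factory=list)


def assess(client, req, final, signer, sig):
    """Return the list of reasons an update download looks tampered with."""
    reasons = []
    req_parts = urlsplit(req)
    final_parts = urlsplit(final)

    # A plaintext update request is exactly what an on-path attacker can redirect.
    if req_parts.scheme != "https":
        reasons.append("plaintext request")
    # The bytes must come from the vendor's own host, over TLS.
    if final_parts.scheme != "https" or final_parts.hostname not in EXPECTED_PUBLISHER:
        reasons.append("unexpected host")
    # A broken signature is an obvious failure; a valid signature from the
    # wrong publisher is the subtle one and is flagged separately.
    if sig != "valid":
        reasons.append("invalid signature")
    elif signer != EXPECTED_PUBLISHER.get(req_parts.hostname):
        reasons.append("unexpected publisher")
    return reasons


def scan(lines):
    """Parse log lines and return a Finding for every download with problems."""
    findings = []
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue  # unrelated log line
        reasons = assess(**match.groupdict())
        if reasons:
            findings.append(Finding(match["client"], match["final"], reasons))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding.client, finding.final_url, ", ".join(finding.reasons))
```

The publisher check is the one that matters for a campaign like this: the installer really was validly signed, so a rule that only asks "does the signature verify?" passes it. Pinning the expected signer per update host (or, better, the certificate thumbprint) turns "some certificate authority vouched for someone" into "the vendor we meant to trust signed this".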
Google has moved to disrupt the campaign by revoking compromised certificates, blocking malicious domains, and alerting affected users. While Beijing has repeatedly denied involvement in such operations, experts highlight that diplomats remain high-value targets due to their roles in negotiations and intelligence exchanges.
This incident follows warnings from Singapore about another China-linked hacking group, UNC3886, aiming at critical infrastructure. Together, these revelations underscore the escalating cyber risk in Southeast Asia and the urgent need for regional governments to strengthen defenses and collaborate with major tech companies in countering digital threats.
2 comments
wild how they even had valid certs, makes it look so real
not shocked… politics and hacking always together