Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats
ID: ba938f8c-776a-5078-8116-2622bc97ee08
STIX ID: report--ba938f8c-776a-5078-8116-2622bc97ee08
Feed Name: Threat Intelligence
GTIG attributes a sophisticated cyber-espionage campaign to UNC6384 (linked to the PRC-nexus group TEMP.Hex) that deploys the heavily obfuscated SOGU.SEC backdoor. The malware operates in-memory, supports system profiling, file upload/download and remote shells, and was observed communicating with the C2 server 166.88.2.90 over HTTPS. The report notes delivery via DLL side-loading and the use of payload encryption, callback functions, adversary-in-the-middle (AitM) traffic hijacking and valid code signing to evade detection; the campaign primarily targets government sectors in Southeast Asia. Google is actively monitoring and mitigating this activity.