Google has revealed that a China-linked cyber espionage group targeted diplomats in Southeast Asia, along with other entities worldwide, in a campaign observed in March 2025 that hijacked victims' web traffic to deliver malware.
According to a blog post by the Google Threat Intelligence Group, the intrusion chain involved hijacking web traffic, using that hijack to download malware onto the victim's machine, and then deploying a backdoor. Google stated that it alerted all affected users, but did not disclose which Southeast Asian countries were targeted or the overall scope of the impact. CNN has contacted Google for additional information.
In response to the Google findings, a Chinese foreign ministry spokesperson claimed to be unaware of the situation and accused Google of repeatedly spreading “false information about so called ‘Chinese hacker attacks.’”
The US government has long been concerned about China's cyber capabilities; the FBI has stated that China's hacking program is larger than those of all other foreign governments combined. The US government has publicly called out a string of recent intrusions, and technology companies are increasingly identifying state-sponsored or state-aligned hacking campaigns themselves. Google's report follows recent disclosures by Microsoft about activity by Chinese state-linked actors. Last month, Microsoft revealed that Chinese state actors had exploited vulnerabilities in on-premises SharePoint Server, Microsoft's collaboration platform. Because the platform is widely used by US government agencies and companies, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a notice about the SharePoint incident directed at "critical infrastructure organizations impacted." Beijing has previously denied involvement in hacking Microsoft.
Google attributes the latest campaign to UNC6384, a China-linked cyber espionage group that it assesses to be associated with Mustang Panda, also tracked as TEMP.Hex. Google stated, "UNC6384 and TEMP.Hex are both observed to target government sectors, primarily in Southeast Asia, in alignment with PRC strategic interests." It added, "This campaign is a clear example of the continued evolution of UNC6384's operational capabilities and highlights the sophistication of PRC-nexus threat actors."
The deployed malware, SOGU.SEC, is a variant of the SOGU family (also known as PlugX). Google describes it as a "sophisticated, and heavily obfuscated, malware backdoor with a wide range of capabilities" that UNC6384 commonly uses in its cyber espionage operations.