
Google’s Threat Intelligence Group has revealed that a China-linked cyber-espionage campaign, led by the UNC6384 hacking group, targeted diplomats across Southeast Asia earlier in 2025.
Using malware disguised as software updates and Wi-Fi hijacking, attackers infiltrated devices of around two dozen diplomats, raising fresh cybersecurity concerns amid escalating geopolitical tensions.
In a blog post published on 26 August 2025, Google disclosed that the cyber-espionage campaign occurred earlier this year, deploying malware disguised as routine software updates. These deceptive files were disseminated via hijacked Wi-Fi networks, leading diplomats to unknowingly install malicious software that acted as a foothold for further intrusion.
Patrick Whitsell, Google’s senior security engineer, confirmed that "about two dozen" diplomats fell victim to these deceptive tactics. He asserted with high confidence that the attackers were “China-aligned,” though their exact affiliation, whether government operatives or contracted proxies, remains unspecified.
The hacker group UNC6384, though not yet formally classified among known threat actors, is believed to be associated with well-known China-linked entities such as Mustang Panda or TEMP.Hex. The group employed advanced methods such as hijacking captive-portal web traffic, deploying PlugX malware, and using valid digital certificates to avoid detection while penetrating sensitive networks.
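The combination the article describes, a captive-portal redirect followed by a "software update" download, leaves a recognisable trace in web-proxy logs. The script below is an added detection example, not code from the article or from Google's report: it parses a constructed proxy-log format, records every host to which a client's OS connectivity check was redirected, and flags any executable subsequently fetched from such a host unless it is on an allow-list of known update servers. The hostnames, the allow-list and the sample log lines are all assumptions made up for the example; a hotel portal that merely redirects a connectivity check produces no finding on its own, since only the redirect-then-executable sequence is treated as suspicious.

```python
"""Flag captive-portal redirects that lead to executable "update" downloads.

Added example (not from the teiss article or Google's report). The log
format, hostnames, allow-list and sample lines below are constructed.
"""
import re
from collections import defaultdict

# Hosts an operating system contacts to test connectivity (assumed names).
# A network with a captive portal answers these with a redirect.
CONNECTIVITY_CHECK_HOSTS = {"connectivitycheck.example", "captive.example"}
# Servers from which software updates are legitimately expected (assumed allow-list).
TRUSTED_UPDATE_HOSTS = {"updates.vendor.example"}
# URL paths that look like installers or payload archives.
EXECUTABLE_RE = re.compile(r"\.(?:exe|msi|dll|scr|zip)(?:\?.*)?$", re.IGNORECASE)

# Constructed proxy-log format: <timestamp> <client> <method> <url> <status> [location=<url>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})(?:\s+location=(?P<location>\S+))?\s*$"
)

# Constructed sample traffic: client .15 is redirected by a captive portal and then
# downloads an installer from the portal host; client .22 gets a normal 204 and
# fetches its update from the allow-listed server.
SAMPLE_LOG = """
2025-03-12T09:14:02Z 10.20.0.15 GET http://connectivitycheck.example/generate_204 302 location=http://wifi-login.hotel.example/portal
2025-03-12T09:14:03Z 10.20.0.15 GET http://wifi-login.hotel.example/portal 200
2025-03-12T09:14:40Z 10.20.0.15 GET http://wifi-login.hotel.example/update/Updater.exe 200
2025-03-12T09:15:10Z 10.20.0.22 GET http://connectivitycheck.example/generate_204 204
2025-03-12T09:16:00Z 10.20.0.22 GET https://updates.vendor.example/patch-2025-03.msi 200
"""


def host_of(url):
    """Return the lower-cased host part of an http(s) URL, or '' if none."""
    m = re.match(r"https?://([^/:?#]+)", url)
    return m.group(1).lower() if m else ""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = host_of(rec["url"])
    return rec


def find_suspicious_updates(lines):
    """Return (client, host, url) for executables fetched from a host that the same
    client's connectivity check was redirected to and that is not an allow-listed
    update server."""
    redirect_targets = defaultdict(set)  # client -> hosts its connectivity check was sent to
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, host, status = rec["client"], rec["host"], rec["status"]
        # A 3xx answer to a connectivity check is the captive-portal signature.
        if host in CONNECTIVITY_CHECK_HOSTS and status.startswith("3") and rec["location"]:
            target = host_of(rec["location"])
            if target and target not in CONNECTIVITY_CHECK_HOSTS:
                redirect_targets[client].add(target)
            continue
        # Only an executable served by the redirect target is flagged; the
        # redirect alone is normal captive-portal behaviour.
        if (EXECUTABLE_RE.search(rec["url"])
                and host in redirect_targets[client]
                and host not in TRUSTED_UPDATE_HOSTS):
            findings.append((client, host, rec["url"]))
    return findings


if __name__ == "__main__":
    for client, host, url in find_suspicious_updates(SAMPLE_LOG.splitlines()):
        print(f"suspicious update download: client={client} host={host} url={url}")
```

In production the allow-list would come from the organisation's patch-management configuration, and the redirect memory should expire after the portal session; the two-stage correlation is what keeps ordinary hotel and airport portals from generating alerts.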
This revelation arrives amid mounting evidence that Chinese-linked cyber actors maintain a focused interest in Southeast Asia. Research from Wired in 2022 highlighted a 20% surge in cyberattacks tied to China in the region, often targeting government and military systems. Other campaigns, including those by Lotus Panda, Earth Krahang, and UNC4191, have targeted government agencies, critical infrastructure, and strategic communications across Southeast Asia using tactics ranging from USB-based malware to sophisticated backdoors.
Adding fuel to the fire, Singapore recently acknowledged a “serious,” ongoing cyberattack on its critical infrastructure linked to UNC3886, a separate China-affiliated group, underscoring the persistent threat to regional cybersecurity.
When approached for comment, China’s Ministry of Foreign Affairs said it was unaware of the reported incident and accused Google of disseminating "false information" about so-called Chinese hacking attacks.
Historically, Beijing has consistently rejected such allegations, characterizing them as politically motivated or smear campaigns, similar to its response following Mandiant’s 2023 analysis of Chinese-linked attacks.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543