
COMING SOONBeginner
UNC6384: Captive-Portal PlugX Implant
A diplomat's managed laptop on an untrusted conference network has its captive-portal check hijacked and is steered to a page posing as a security update. The download is a signed Canon utility paired with a malicious DLL: running the trusted binary side-loads the DLL, which runs PlugX in memory, beacons to a single HTTPS host, and sets a Run key. Reconstruct the chain from the proxy, Sysmon, endpoint, and firewall evidence.
30m
7 tasks
25 points
FreeLaunches in 5 days
Jul 21, 2026
Create your free accountTuesday, July 21, 2026 at 9:00 AM
Be ready the moment it drops, free.
Training Tools
SIEMXDRFirewall
What you'll investigate
7 objectives unlock when this operation goes live.
1Orient on the traveling-laptop alert
2Find where the captive-portal check was redirected
3Identify the malicious DLL that was sideloaded
4Classify the execution technique
5Pin down the command-and-control host
6Locate the persistence mechanism
7Classify how the data left the machine
Be first when it launches
Create your free account now. The moment this operation goes live on Jul 21, 2026, you can jump straight in — and you'll have the rest of the catalog to train on meanwhile.
Get Started Free