Skip to main content
UNC6384: Captive-Portal PlugX Implant operation cover
COMING SOONBeginner

UNC6384: Captive-Portal PlugX Implant

A diplomat's managed laptop on an untrusted conference network has its captive-portal check hijacked and is steered to a page posing as a security update. The download is a signed Canon utility paired with a malicious DLL: running the trusted binary side-loads the DLL, which runs PlugX in memory, beacons to a single HTTPS host, and sets a Run key. Reconstruct the chain from the proxy, Sysmon, endpoint, and firewall evidence.

30m
7 tasks
25 points
Free

Launches in 5 days

Jul 21, 2026

Tuesday, July 21, 2026 at 9:00 AM

Create your free account

Be ready the moment it drops, free.

Training Tools

SIEMXDRFirewall

What you'll investigate

7 objectives unlock when this operation goes live.

1Orient on the traveling-laptop alert
2Find where the captive-portal check was redirected
3Identify the malicious DLL that was sideloaded
4Classify the execution technique
5Pin down the command-and-control host
6Locate the persistence mechanism
7Classify how the data left the machine

Be first when it launches

Create your free account now. The moment this operation goes live on Jul 21, 2026, you can jump straight in — and you'll have the rest of the catalog to train on meanwhile.

Get Started Free