{"id":12871,"date":"2025-08-27T20:12:30","date_gmt":"2025-08-27T20:12:30","guid":{"rendered":"https:\/\/usaontheweb.com\/clone1\/silk-typhoon-hackers-hijack-network-captive-portals-in-diplomat-attacks\/"},"modified":"2025-08-27T20:12:30","modified_gmt":"2025-08-27T20:12:30","slug":"silk-typhoon-hackers-hijack-network-captive-portals-in-diplomat-attacks","status":"publish","type":"post","link":"https:\/\/usaontheweb.com\/clone1\/silk-typhoon-hackers-hijack-network-captive-portals-in-diplomat-attacks\/","title":{"rendered":"Silk Typhoon hackers hijack network captive portals in diplomat attacks"},"content":{"rendered":"<div>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"Silk Typhoon hackers hijack network captive portals in diplomat attacks\" height=\"900\" src=\"https:\/\/www.bleepstatic.com\/content\/hl-images\/2022\/10\/27\/hand-grasping-cables.jpg\" width=\"1600\"><\/p>\n<p>State-sponsored hackers linked to the Silk Typhoon\u00a0activity cluster targeted diplomats by hijacking web traffic to redirect to a malware-serving website.<\/p>\n<p>The hackers used an\u00a0advanced adversary-in-the-middle (AitM) technique to hijack the captive portal of the network and send the target to the first-stage malware.<\/p>\n<p>Google\u00a0Threat Intelligence Group (GTIG) tracks the threat actor as UNC6384 and, based on tooling, targeting, and infrastructure, believes it is associated with the Chinese threat actor TEMP.Hex, also known as Mustang Panda and Silk Typhoon.<\/p>\n<h2>Hijacking Chrome requests<\/h2>\n<p>GTIG researchers believe that the AitM was possible after compromising an edge device on the target network; however, they did not find evidence to support this theory.<\/p>\n<p>The attack starts when the Chrome browser checks if it is behind a captive portal, which is a web page where users of a network authenticate before connecting to the internet.<\/p>\n<p>With the hackers in a position to hijack web traffic, they redirect the target to a\u00a0landing page 
impersonating\u00a0an Adobe plugin update site.<\/p>\n<p>Victims download a digitally signed \u2018AdobePlugins.exe\u2019 file, presented as a required plugin update, and are directed to step-by-step instructions on the site to bypass Windows security prompts while installing it.<\/p>\n<div>\n<figure><img loading=\"lazy\" decoding=\"async\" alt=\"Fake site prompting Adobe plugin installation\" height=\"600\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2025\/August\/adobe.jpg\" width=\"855\"><figcaption><strong>Fake site prompting Adobe plugin installation<\/strong><br \/><em>Source: Google<\/em><\/figcaption><\/figure>\n<\/div>\n<p>Launching that file displays a Microsoft Visual C++ installer, but it secretly downloads a disguised MSI package (20250509.bmp) that contains a legitimate Canon printer tool, a DLL (CANONSTAGER), and the SOGU.SEC backdoor in RC-4 encrypted form.<\/p>\n<p>CANONSTAGER decrypts and loads the final payload in the system memory using the DLL side-loading technique.<\/p>\n<p>SOGU.SEC, which Google says is a variant of the PlugX malware, used extensively by multiple Chinese threat groups, can collect system information, upload or download files, and provide operatives with a remote command shell.<\/p>\n<div>\n<figure><img loading=\"lazy\" decoding=\"async\" alt=\"Overview of the attack chain\" height=\"600\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2025\/August\/overview(1).jpg\" width=\"687\"><figcaption><strong>Overview of the attack chain<\/strong><br \/><em>Source: Google<\/em><\/figcaption><\/figure>\n<\/div>\n<p>The GTIG researchers noted that it is unclear whether the entity that signs the files used in this campaign, Chengdu Nuoxin Times Technology Co., Ltd, is knowingly participating in these operations or was compromised.<\/p>\n<p>However, GTIG tracks at least 25 malware samples signed by this entity since early 2023, associated with various Chinese activity clusters.<\/p>\n<p>Treating all 
certificates from Chengdu Nuoxin Times Technology Co., Ltd as untrusted is a reasonable defensive action until the situation is clarified.<\/p>\n<div>\n<figure><img loading=\"lazy\" decoding=\"async\" alt=\"Certificate used in the latest Mustang Panda campaign\" height=\"511\" width=\"815\" src=\"https:\/\/www.bleepstatic.com\/images\/news\/u\/1220909\/2025\/August\/cert.jpg\"><figcaption><strong>Certificate used in the latest Mustang Panda campaign<\/strong><br \/><em>Source: Google<\/em><\/figcaption><\/figure>\n<\/div>\n<p>Google blocked the malicious domains and file hashes via Safe Browsing\u00a0and issued government-backed attacker alerts to affected Gmail and Workspace users.<\/p>\n<p>The tech giant has also shared YARA rules for detecting STATICPLUGIN and CANONSTAGER, and indicators of compromise (IoCs) for all files sampled from these attacks.<\/p>\n<p>This latest campaign is indicative of the increasing sophistication of Chinese-nexus espionage actors, who are very likely to switch to new infrastructure and binary builds and rebound quickly.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>State-sponsored hackers linked to the Silk Typhoon\u00a0activity cluster targeted diplomats by hijacking web traffic to redirect to a malware-serving 
website.<\/p>\n","protected":false},"author":7282,"featured_media":12872,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1166],"tags":[],"class_list":["post-12871","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-website"],"_links":{"self":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/12871","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/users\/7282"}],"replies":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/comments?post=12871"}],"version-history":[{"count":0,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/12871\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media\/12872"}],"wp:attachment":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media?parent=12871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/categories?post=12871"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/tags?post=12871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}