Ethical Hacking News
Google has warned customers of a suspected state-backed web hijack attack, which may be linked to a Chinese threat actor group called UNC6384. The attack involves malware disguised as Adobe plugins, designed to compromise networks and deliver other malicious software.
Google has detected a state-backed web hijack attack being conducted by Chinese threat actors. Captive portal hijack is used to deliver malware disguised as an Adobe Plugin update to targeted entities. The attackers compromised edge devices on target networks and poisoned captive portals to redirect users to fake login pages. Malware signed by Chengdu Nuoxin Times Technology Co. Ltd. is being used in the attack, posing a significant threat to web applications and networks. The attack is believed to be part of an ongoing effort by China to compromise web applications and hijack networks.
Google, a leading technology giant, has issued a warning about a state-backed web hijack attack that it believes is being conducted by a group of Chinese threat actors. The company's information security team, the Google Threat Intelligence Group, detected evidence of a captive portal hijack being used to deliver malware disguised as an Adobe Plugin update to targeted entities.
According to Patrick Whitsell, senior security engineer at Google, the company discovered that attackers had compromised edge devices on target networks and used those machines to poison captive portals. The poisoned portals redirect users to fake login pages that advise them to download necessary security updates. However, these updates are not what they seem: they contain malware designed to retrieve an MSI package, install other malware called CANONSTAGER, and deploy a backdoor called SOGU.SEC.
The malware is signed with a valid GlobalSign code-signing certificate issued to Chengdu Nuoxin Times Technology Co. Ltd. Google has identified 25 known malware samples with certificates issued to Chengdu Nuoxin, and suspects that these certificates are being used by multiple PRC-nexus activity clusters.
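The two preceding paragraphs describe the chain a defender would want to spot: a client's connectivity probe answered by a redirect to a portal page, followed shortly by a download of an installer from that portal, signed with a certificate in the abused signer's name. The script below is an added example, not code from the article or from Google, that hunts for exactly that sequence in a constructed web-proxy log. The probe hosts, the log format, the portal host name, the payload file name and the signer lookup table are all assumptions or constructed sample data; the signer name itself is the one the article reports.

```python
"""Hunt for captive-portal hijack chains in web-proxy logs.

Added example (not from the article or Google's report). Input is a constructed
proxy log in a simple space-separated format; adapt parse_line() to your proxy.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# OS connectivity-probe hosts whose response decides whether a captive portal is
# shown. Assumption: these are the probe hosts seen in your environment.
PROBE_HOSTS = {
    "www.msftconnecttest.com",
    "connectivitycheck.gstatic.com",
    "captive.apple.com",
}
# Code-signing subject names reported as abused in the article; extend from your own intel.
SUSPECT_SIGNERS = {"Chengdu Nuoxin Times Technology Co. Ltd."}
PAYLOAD_EXTENSIONS = (".msi", ".exe", ".dll")

# Constructed lookup standing in for an EDR/file-reputation source: file name -> signer subject.
SAMPLE_SIGNERS = {
    "adobe-plugin-update.msi": "Chengdu Nuoxin Times Technology Co. Ltd.",
    "tool.exe": "Vendor Example Inc.",
}

# Constructed sample log: timestamp client method url status [location=<redirect target>]
SAMPLE_LOG = """\
2025-08-27T09:00:01Z 10.0.5.23 GET http://www.msftconnecttest.com/connecttest.txt 302 location=http://portal-login.example/index.html
2025-08-27T09:00:02Z 10.0.5.23 GET http://portal-login.example/index.html 200
2025-08-27T09:00:40Z 10.0.5.23 GET http://portal-login.example/adobe-plugin-update.msi 200
2025-08-27T09:05:00Z 10.0.5.77 GET http://www.msftconnecttest.com/connecttest.txt 200
2025-08-27T09:06:00Z 10.0.5.77 GET http://downloads.vendor.example/tool.exe 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})"
    r"(?: location=(?P<location>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    rec["host"] = urlparse(rec["url"]).hostname or ""
    return rec


def find_hijack_chains(log_text, window=timedelta(minutes=10)):
    """Return alerts for clients whose connectivity probe was redirected to a
    non-probe host and who then fetched an installer/executable within `window`.

    A genuine captive portal produces the redirect too, so the download step is
    what separates a hijack from normal guest-network sign-on.
    """
    landing = {}  # client -> (portal host, time of redirect)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client = rec["client"]
        # Step 1: probe answered with a redirect off the probe host => a portal is interposed.
        if rec["host"] in PROBE_HOSTS and 300 <= rec["status"] < 400 and rec["location"]:
            target = urlparse(rec["location"]).hostname or ""
            if target and target not in PROBE_HOSTS:
                landing[client] = (target, rec["ts"])
            continue
        # Step 2: installer/executable download by a client that was recently redirected.
        path = urlparse(rec["url"]).path.lower()
        if client in landing and path.endswith(PAYLOAD_EXTENSIONS):
            portal_host, t0 = landing[client]
            if rec["ts"] - t0 <= window:
                filename = path.rsplit("/", 1)[-1]
                signer = SAMPLE_SIGNERS.get(filename)
                alerts.append({
                    "client": client,
                    "portal_host": portal_host,
                    "payload_url": rec["url"],
                    "served_by_portal": rec["host"] == portal_host,
                    "signer": signer,
                    "signer_suspect": signer in SUSPECT_SIGNERS,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_hijack_chains(SAMPLE_LOG):
        print(alert)
```

On the constructed log, only the first client is flagged: its probe was redirected to the portal host and it fetched an MSI from that same host 39 seconds later, with a signer on the watch list. The second client's probe returned 200 (no portal in the path), so its later download is left alone. In a real deployment the signer lookup would come from your EDR or a file-reputation feed rather than the inline table, and the redirect-to-download window is the knob to tune against your guest-network baseline.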
Google attributes the campaign to a Chinese threat actor group called UNC6384, also associated with another group named TEMP.Hex (aka Mustang Panda/Silk Typhoon/Hafnium). The researchers believe that this is part of an ongoing effort to compromise web applications and hijack captive portals for malicious purposes.
The implications of this attack are significant. Captive portals are commonly used by organizations to control access to their networks, but if they can be compromised, it could lead to a wide range of security issues. Moreover, the use of malware disguised as legitimate software updates highlights the increasing sophistication of state-sponsored cyber attacks.
The involvement of Chinese threat actors has sparked concerns about the country's growing capabilities in the realm of cyber warfare. The attack is believed to be part of a larger campaign by China to compromise web applications and hijack networks. This highlights the need for organizations to take proactive measures to secure their networks against such threats.
Furthermore, the use of malware disguised as Adobe plugins raises questions about the effectiveness of software update mechanisms in preventing security breaches. It also underscores the importance of robust threat intelligence and incident response capabilities to detect and respond to such attacks quickly.
In conclusion, Google's warning about state-backed web hijack attacks highlights the growing threat landscape in the realm of cyber warfare. As organizations continue to rely on digital networks and applications, it is essential that they take proactive measures to secure their infrastructure against these threats. The involvement of Chinese threat actors emphasizes the need for increased vigilance and cooperation between nations to combat this growing menace.
Related Information:
https://www.ethicalhackingnews.com/articles/Google-Warns-of-State-Backed-Web-Hijack-Attack-A-New-Layer-of-Cyber-Threats-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/08/27/google_china_captive_portal_hijack_warning/
https://www.theregister.com/2025/08/27/google_china_captive_portal_hijack_warning/?td=keepreading
https://www.msn.com/en-us/news/technology/google-issued-state-backed-attack-in-progress-warnings-after-spotting-web-hijack-scheme/ar-AA1LhX4Z
https://www.rivitmedia.com/cyberthreats/malware/can-stealer-malware-threat-detailed-guide-removal-and-prevention/
https://www.pcrisk.com/removal-guides/31045-can-stealer
https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats
https://security.googlecloudcommunity.com/community-blog-42/finding-malware-detecting-sogu-with-google-security-operations-3869
https://thehackernews.com/2025/08/unc6384-deploys-plugx-via-captive.html
https://cyberpress.org/unc6384-hackers/
https://attack.mitre.org/groups/G0125/
https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Mustang+Panda,+Bronze+President
Published: Wed Aug 27 00:47:31 2025 by llama3.2 3B Q4_K_M