Ethical Hacking News
State-sponsored hackers attributed to the Silk Typhoon group have hijacked the captive-portal check performed by diplomats' browsers, redirecting victims to a fake Adobe plugin update that ends in a PlugX variant (SOGU.SEC) able to collect system information, transfer files and hand the operators a remote shell. The campaign, documented by Google's Threat Intelligence Group (GTIG), shows how much an adversary-in-the-middle (AitM) position on a network allows, and why the plaintext connectivity checks that browsers and operating systems perform deserve monitoring. Google has issued government-backed attacker alerts and shared YARA rules and indicators of compromise (IoCs) for the malware involved.
In the campaign, which targeted diplomats, the Silk Typhoon group hijacked the captive-portal mechanism of the victims' networks. The activity is assessed to be linked to the Chinese threat actor TEMP.Hex, also known as Mustang Panda.
According to GTIG, the attackers used an adversary-in-the-middle (AitM) position to hijack the captive portal of the target network, which let them redirect the victim's Chrome browser to a malware-serving site disguised as an Adobe plugin update page.
The chain began with Chrome's own captive-portal check: the browser fetches a fixed, plain-HTTP URL and expects a specific answer (a 204 response with no body). Anything else is taken to mean a captive portal is interposed, and Chrome opens the returned page so the user can "log in". Because the probe is not TLS-protected, no certificate warning stands in the way of a redirect. With Silk Typhoon controlling the path, the probe response sent the target to the first-stage landing page, which presented itself as a required Adobe plugin update and prompted the victim to download and run a digitally signed 'AdobePlugins.exe'.
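Connectivity probes are fixed requests whose expected answer is known in advance, which is what makes them hijackable but also makes them easy to audit. The Python below is an added example written for this article, not code from the original page or from GTIG: it reads a constructed HTTP-transaction log (the log format, the client addresses and the plugin-update.example host are made up; only the probe URLs are the real endpoints Chrome, Android, Windows and Apple devices use) and flags probes that were answered with a redirect, then followed by an executable download from the same client. A genuine hotel-style portal also redirects the probe, so the redirect alone is not the signal; the redirect target and what the client fetches afterwards are.

```python
"""Flag captive-portal probes that were redirected and followed by an executable download.

Added example; the log format, client addresses and the plugin-update.example host are
constructed for illustration. Only the probe endpoints are real.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse

# Fixed connectivity-check URLs and the status each client expects back.
PROBE_ENDPOINTS = {
    ("www.gstatic.com", "/generate_204"): 204,                # Chrome
    ("connectivitycheck.gstatic.com", "/generate_204"): 204,  # Android / Chrome OS
    ("www.msftconnecttest.com", "/connecttest.txt"): 200,     # Windows NCSI
    ("captive.apple.com", "/hotspot-detect.html"): 200,       # macOS / iOS
}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
EXECUTABLE_MIME = {"application/x-msdownload", "application/x-msi", "application/octet-stream"}
EXECUTABLE_EXT = (".exe", ".msi")

# Constructed sample log: ts|client|method|host|uri|status|location|mime
SAMPLE_LOG = """\
# three clients: one clean probe, one genuine gateway portal, one AitM redirect
1000|10.1.1.10|GET|www.gstatic.com|/generate_204|204||
1001|10.1.1.11|GET|www.gstatic.com|/generate_204|302|http://10.1.1.1/login.html|
1003|10.1.1.11|GET|10.1.1.1|/login.html|200||text/html
1002|10.1.1.12|GET|www.gstatic.com|/generate_204|302|http://plugin-update.example/adobe/index.html|
1004|10.1.1.12|GET|plugin-update.example|/adobe/index.html|200||text/html
1090|10.1.1.12|GET|plugin-update.example|/adobe/AdobePlugins.exe|200||application/x-msdownload
2000|10.1.1.10|GET|www.msftconnecttest.com|/connecttest.txt|200||text/plain
"""


@dataclass
class Txn:
    ts: int
    client: str
    method: str
    host: str
    uri: str
    status: int
    location: str
    mime: str


def parse_log(text: str) -> list[Txn]:
    """Parse the pipe-separated sample format into transactions; '#' lines are comments."""
    txns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 8:
            raise ValueError(f"malformed log line: {line!r}")
        ts, client, method, host, uri, status, location, mime = fields
        txns.append(Txn(int(ts), client, method, host, uri, int(status), location, mime))
    return txns


def redirected_probes(txns: list[Txn]) -> list[Txn]:
    """Probes answered with a redirect instead of the expected status (portal or AitM)."""
    return [t for t in txns
            if (t.host, t.uri) in PROBE_ENDPOINTS
            and t.status != PROBE_ENDPOINTS[(t.host, t.uri)]
            and t.status in REDIRECT_STATUSES and t.location]


def redirect_is_local(location: str) -> bool:
    """True when the redirect target is a private/link-local IP, as a gateway portal usually is."""
    host = urlparse(location).hostname or ""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a DNS name: cannot be judged from the URL alone


def is_executable_download(t: Txn) -> bool:
    return t.mime in EXECUTABLE_MIME or t.uri.lower().endswith(EXECUTABLE_EXT)


def suspicious_chains(txns: list[Txn], window_s: int = 600) -> list[dict]:
    """Redirected probes followed, within window_s, by an executable download by the same client."""
    by_client: dict[str, list[Txn]] = {}
    for t in txns:
        by_client.setdefault(t.client, []).append(t)
    chains = []
    for probe in redirected_probes(txns):
        redirect_host = urlparse(probe.location).hostname or ""
        for later in by_client[probe.client]:
            if probe.ts < later.ts <= probe.ts + window_s and is_executable_download(later):
                chains.append({
                    "client": probe.client,
                    "probe_ts": probe.ts,
                    "redirect_host": redirect_host,
                    "redirect_local": redirect_is_local(probe.location),
                    "download_host": later.host,
                    "download_uri": later.uri,
                })
                break
    return chains


if __name__ == "__main__":
    for chain in suspicious_chains(parse_log(SAMPLE_LOG)):
        print(chain)
```

Run against the sample, the gateway portal (redirect to a private address, followed only by an HTML login page) produces nothing, while the AitM case is reported once with the external redirect host and the AdobePlugins.exe fetch. In production the same logic fits a proxy or Zeek http.log export; the window and MIME list are the knobs to tune.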
When launched, the file displayed what looked like a Microsoft Visual C++ installer while quietly downloading an MSI package containing a legitimate Canon printer utility, a malicious DLL (CANONSTAGER) and the SOGU.SEC backdoor in RC4-encrypted form. SOGU.SEC is a variant of PlugX, a backdoor used for years by multiple Chinese threat groups.
The Canon utility is the vehicle for DLL side-loading: CANONSTAGER carries the name of a library the legitimate executable expects to find in its own directory, so the trusted program loads the attacker's code without complaint. CANONSTAGER then decrypts SOGU.SEC and loads it directly into memory rather than writing the decrypted payload to disk. Once running, the backdoor can collect system information, upload and download files, and give the operators a remote command shell.
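The loader's step is mechanical: read the encrypted blob, generate the RC4 key stream, XOR, and hand control to the result in memory. An analyst holding the dropped files can reverse that step statically, and because a Windows executable begins with a known header ('MZ', then a 'PE\0\0' signature at the offset stored at 0x3C) a candidate key can be validated after decrypting only two bytes. The Python below is an added example written for this article, not CANONSTAGER's code or anything published by GTIG; RC4 is the algorithm the report names, but the key, the encrypted blob and the stand-in "payload" are constructed here and bear no relation to the real samples.

```python
"""Static recovery of an RC4-encrypted payload that a stager would decrypt into memory.

Added example: RC4 is the real algorithm named in the report, but the key,
the encrypted blob and the stand-in payload below are constructed for
illustration and have nothing to do with CANONSTAGER's actual values.
"""
from typing import Iterable, Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling (KSA) followed by the pseudo-random generator (PRGA)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric): XOR the data with the key stream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap structural check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(blob: bytes, candidate_keys: Iterable[bytes]) -> Optional[tuple[bytes, bytes]]:
    """Try each candidate key (e.g. strings pulled from the loader), rejecting cheaply.

    Because RC4 is a stream cipher, decrypting only the first two bytes is a valid
    prefix test; a full decrypt and PE check happens only when they read 'MZ'.
    Returns (key, decrypted_payload) for the first key that yields a PE-shaped result.
    """
    for key in candidate_keys:
        if rc4_crypt(key, blob[:2]) != b"MZ":
            continue
        plaintext = rc4_crypt(key, blob)
        if looks_like_pe(plaintext):
            return key, plaintext
    return None


def build_fake_pe() -> bytes:
    """PE-shaped stand-in (constructed; not an executable): MZ header, e_lfanew -> 'PE\\0\\0'."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    dos_header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20 + b"stand-in payload body"


if __name__ == "__main__":
    payload = build_fake_pe()
    blob = rc4_crypt(b"constructed-demo-key", payload)  # what a stager would carry alongside itself
    found = recover_payload(blob, [b"wrong", b"also-wrong", b"constructed-demo-key"])
    print("recovered with key:", found[0] if found else None)
```

In practice the candidate keys come from strings or constants in the loader DLL; the prefix test keeps that search cheap even with thousands of candidates. The same routine also confirms a YARA hit on the loader by proving the adjacent blob really does decrypt to a PE.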
Google has sent government-backed attacker alerts to affected Gmail and Workspace users and blocked the malicious domains and file hashes through Safe Browsing. It has also published YARA rules for STATICPLUGIN (the first-stage downloader) and CANONSTAGER, along with indicators of compromise (IoCs) for every file sampled from these attacks.
The campaign is typical of Chinese-nexus espionage actors, who are very likely to switch to new infrastructure and fresh binary builds and rebound quickly. Defenders should therefore key on the behaviours described here (a redirected connectivity probe, an "update" that arrives as a signed executable, a legitimate program loading an unexpected DLL) rather than relying only on the published hashes and domains.
GTIG noted that it is unclear whether Chengdu Nuoxin Times Technology Co., Ltd, the entity whose certificate signed the files used in this campaign, was a knowing participant or was itself compromised. GTIG has, however, tracked at least 25 malware samples signed by this entity since early 2023, across several Chinese activity clusters.
Treating all certificates from Chengdu Nuoxin Times Technology Co., Ltd as untrusted is a reasonable defensive action until the situation is clarified (on Windows, for example, by adding the signer's certificate to the Untrusted Certificates store or by a publisher deny rule in AppLocker or WDAC). A valid signature shows only that the signer held the key; it says nothing about the signer's intent.
The incident is a reminder that a legitimately signed file and a familiar update prompt are not evidence of safety, and that detecting this kind of attack depends on noticing the behaviours around it. Organizations should treat their networks' connectivity checks, update prompts and side-loading paths as things to monitor, not assume.
Related Information:
https://www.ethicalhackingnews.com/articles/Silk-Typhoon-Hackers-Hijack-Diplomatic-Network-Captive-Portals-for-Malicious-Aims-ehn.shtml
https://www.bleepingcomputer.com/news/security/silk-typhoon-hackers-hijack-network-captive-portals-in-diplomat-attacks/
https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/
https://www.securityweek.com/chinese-silk-typhoon-hackers-exploited-commvault-zero-day/
https://www.malwarebytes.com/blog/news/2025/01/plugx-malware-deleted-from-thousands-of-systems-by-fbi
https://www.twingate.com/blog/glossary/plugx+malware
https://securityaffairs.com/181453/apt/china-linked-silk-typhoon-apt-targets-north-america.html
https://attack.mitre.org/groups/G0125/
https://cloud.google.com/blog/topics/threat-intelligence/chinese-espionage-tactics
https://breach-hq.com/threat-actors
Published: Tue Aug 26 19:14:06 2025 by llama3.2 3B Q4_K_M