China linked Silk Typhoon targeted diplomats by hijacking web traffic
The China-linked APT group Silk Typhoon targeted diplomats by hijacking web traffic to redirect it to a website that delivered malware.
China-linked cyberespionage group Silk Typhoon targeted diplomats by hijacking web traffic and redirecting it to a website used to deliver malware, Google’s Threat Intelligence Group (GTIG) warns.
Cyberspies hijacked a network’s captive portal using an advanced adversary-in-the-middle (AitM) technique to deliver malware. GTIG links the group, UNC6384, to the Chinese threat actor TEMP.Hex, also known as Mustang Panda or Silk Typhoon.
In March 2025, Google identified a sophisticated cyber espionage campaign by UNC6384, targeting diplomats in Southeast Asia and globally. The attack hijacked web traffic via captive portal redirects, delivering a signed downloader (STATICPLUGIN) that installed the PlugX backdoor (SOGU.SEC).
GTIG found that attackers hijacked captive portals to deliver malware disguised as an Adobe Plugin update.
The attackers trick targets into downloading malware disguised as a “plugin update” via a fake software update site using HTTPS and a valid TLS certificate. The page appears legitimate, displaying a blank landing page with an “Install Missing Plugins…” button. When clicked, JavaScript triggers the download of “AdobePlugins.exe” while showing a background image with execution instructions. The fake installer runs, but the SOGU.SEC backdoor is already active, bypassing Windows security.

Legitimate browser redirects (via gstatic.com) were abused in an adversary-in-the-middle (AitM) attack, likely through compromised edge devices, though the initial compromise method remains unknown.
“A captive portal is a network setup that directs users to a specific webpage, usually a login or splash page, before granting internet access. This functionality is intentionally built into all web browsers. The Chrome browser performs an HTTP request to a hardcoded URL (“http://www.gstatic.com/generate_204”) to enable this redirect mechanism.” states the GTIG’s report.
“While ‘gstatic.com’ is a legitimate domain, our investigation uncovered redirect chains from this domain leading to the threat actor’s landing webpage and subsequent malware delivery, indicating an AitM attack.”
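As an added defensive check (this is not code from the GTIG report or from this article), the Python probe below reproduces Chrome’s generate_204 request without auto-following redirects, so a redirect chain of the kind described above is captured hop by hop for review instead of being followed silently; the hop limit, the classification labels and the idea of comparing the hosts against an allow-list are assumptions.

```python
import http.client
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urljoin, urlparse

# The probe URL Chrome uses, as quoted in the report; a clean network answers 204.
PROBE_URL = "http://www.gstatic.com/generate_204"

@dataclass
class Hop:
    url: str
    status: int
    location: Optional[str]  # Location header when the server redirected

def fetch_chain(url: str = PROBE_URL, max_hops: int = 5, timeout: float = 5.0) -> List[Hop]:
    """Issue the probe without auto-following redirects and record each hop."""
    hops: List[Hop] = []
    for _ in range(max_hops):
        p = urlparse(url)
        cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
        conn = cls(p.hostname, p.port, timeout=timeout)
        try:
            conn.request("GET", (p.path or "/") + ("?" + p.query if p.query else ""))
            resp = conn.getresponse()
            location = resp.getheader("Location")
            resp.read()
        finally:
            conn.close()
        hops.append(Hop(url, resp.status, location))
        if not (300 <= resp.status < 400 and location):
            break
        url = urljoin(url, location)  # Location may be relative
    return hops

def classify(hops: List[Hop], expected_status: int = 204) -> str:
    """'clean': one 204 as Chrome expects; 'redirected': the probe was bounced
    through a redirect chain (the AitM symptom on a network with no captive
    portal); 'unexpected': anything else, e.g. a 200 with a body."""
    if not hops:
        return "unexpected"
    if len(hops) == 1 and hops[0].status == expected_status:
        return "clean"
    if any(300 <= h.status < 400 and h.location for h in hops):
        return "redirected"
    return "unexpected"

def chain_hosts(hops: List[Hop]) -> List[str]:
    """Hostnames the chain passed through, for triage against an allow-list."""
    return [urlparse(h.url).hostname or "" for h in hops]
```

Run `classify(fetch_chain())` from a host on the network under review; a `redirected` result on a network that has no captive portal deserves the same scrutiny GTIG applied to the gstatic.com redirect chains.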
Upon delivery to a Windows system, the malware launches a multi-stage chain designed to evade defenses and remain stealthy. The first stage, STATICPLUGIN, is a digitally signed downloader disguised as a legitimate installer. It retrieves an MSI package, which installs CANONSTAGER, a launcher that side-loads and executes the encrypted SOGU.SEC backdoor entirely in memory.
CANONSTAGER employs advanced evasion techniques, including API hashing, Thread Local Storage (TLS) for storing function addresses, and indirect code execution via Windows message queues and hidden window procedures. This allows SOGU.SEC to decrypt and run without leaving artifacts on the disk, bypassing security tools while maintaining communication with the attacker’s command-and-control server. The malware leverages legitimate Windows features and digitally signed binaries to appear credible and avoid detection.
“This campaign is a clear example of the continued evolution of UNC6384’s operational capabilities and highlights the sophistication of PRC-nexus threat actors. The use of advanced techniques such as AitM combined with valid code signing and layered social engineering demonstrates this threat actor’s capabilities.” concludes the report. “This activity follows a broader trend GTIG has observed of PRC-nexus threat actors increasingly employing stealthy tactics to avoid detection.”
Google published indicators of compromise (IoCs) and YARA rules for detecting malware employed in the attacks.
Pierluigi Paganini
(SecurityAffairs – hacking, Silk Typhoon)