Google’s Threat Intelligence Group has linked a March 2025 cyber-espionage campaign against diplomatic networks to UNC6384, also known as Silk Typhoon or Mustang Panda. Investigators say the China-associated group hijacked captive-portal traffic (the requests browsers issue to test internet connectivity) to redirect users to a spoofed Adobe plug-in site that seeded compromised systems with a signed downloader called STATICPLUGIN. The downloader retrieved CANONSTAGER, which side-loaded an encrypted variant of the PlugX backdoor (tagged SOGU.SEC) directly into memory, giving attackers remote command shells, file-transfer capability and persistence while evading disk-based detection. Google has blocked the malicious domains and file hashes via Safe Browsing and urged administrators to treat code-signing certificates issued to Chengdu Nuoxin Times Technology as untrusted pending further review. In a separate report, Singapore-based Group-IB said a bilingual Russian-Chinese crew it tracks as ShadowSilk compromised 36 government entities across Uzbekistan, Kyrgyzstan, Myanmar, Tajikistan, Pakistan and Turkmenistan as recently as July. The attackers relied on Telegram bots to mask command-and-control traffic, and their tooling overlaps with that of the earlier clusters YoroTrooper and Silent Lynx, underscoring what researchers describe as the increasing operational sophistication and regional reach of state-aligned hacking groups.
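The captive-portal hijack described above works because operating systems and browsers issue a predictable connectivity probe and accept whatever the network answers. A defender can log those probe responses and flag any answer that is not the expected one. The following is an added example written for this summary, not code from the article, Google or Group-IB; it assumes the two well-known probe URLs and their clean responses (Chrome's `generate_204` check and Windows' `connecttest.txt`) and runs over constructed JSON log lines, including a hypothetical trusted hotel-portal host and a hypothetical `.example` lookalike domain standing in for the spoofed plug-in site.

```python
"""Classify captive-portal connectivity-probe responses seen on a network.

Added example (not from the article). Probe URLs and expected answers are
assumed from public OS/browser behaviour; all log lines are constructed.
"""
import json
from urllib.parse import urlparse

# Well-known connectivity probes and the answer a clean network returns.
# Assumed from public documentation, not taken from the article.
EXPECTED = {
    "http://www.gstatic.com/generate_204": (204, b""),
    "http://www.msftconnecttest.com/connecttest.txt": (200, b"Microsoft Connect Test"),
}


def classify(probe_url, status, headers, body, trusted_portal_hosts=()):
    """Return a verdict for one probe response.

    ok                  - exact expected status and body
    captive_portal      - redirect to a host the organisation knows (e.g. its own portal)
    suspicious_redirect - redirect to any other host (the hijack pattern in the report)
    tampered_response   - 200 with unexpected content (e.g. injected HTML)
    unexpected          - anything else (errors, timeouts recorded as 0, ...)
    """
    if probe_url not in EXPECTED:
        return "unknown_probe"
    exp_status, exp_body = EXPECTED[probe_url]
    if status == exp_status and body == exp_body:
        return "ok"
    lowered = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in lowered:
        target = urlparse(lowered["location"])
        if target.hostname in trusted_portal_hosts:
            return "captive_portal"
        return "suspicious_redirect"
    if status == 200 and body != exp_body:
        return "tampered_response"
    return "unexpected"


def audit(log_lines, trusted_portal_hosts=()):
    """Run classify() over JSON log lines; return (url, verdict, location) for every non-ok probe."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        headers = rec.get("headers", {})
        verdict = classify(rec["url"], rec["status"], headers,
                           rec.get("body", "").encode(), trusted_portal_hosts)
        if verdict != "ok":
            location = {k.lower(): v for k, v in headers.items()}.get("location")
            findings.append((rec["url"], verdict, location))
    return findings


# Constructed sample log: one clean answer, one legitimate hotel portal,
# one redirect to a lookalike download site, one injected HTML body.
SAMPLE_LOG = [
    '{"url": "http://www.gstatic.com/generate_204", "status": 204, "headers": {}, "body": ""}',
    '{"url": "http://www.gstatic.com/generate_204", "status": 302, '
    '"headers": {"Location": "http://portal.hotel-wifi.example/login"}, "body": ""}',
    '{"url": "http://www.gstatic.com/generate_204", "status": 302, '
    '"headers": {"Location": "http://adobe-plugin-update.example/update.exe"}, "body": ""}',
    '{"url": "http://www.msftconnecttest.com/connecttest.txt", "status": 200, '
    '"headers": {}, "body": "<html><body>Please update your plug-in</body></html>"}',
]

if __name__ == "__main__":
    for url, verdict, location in audit(SAMPLE_LOG, trusted_portal_hosts=("portal.hotel-wifi.example",)):
        print(f"{verdict:20} {url} -> {location}")
```

The allowlist of trusted portal hosts is the only organisation-specific input; everything else is the fixed contract of the probe. In practice the probe responses would come from a proxy or endpoint agent log, and a `suspicious_redirect` or `tampered_response` verdict on a device that is not on guest Wi-Fi is the event worth paging on.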
ShadowSilk Hits 36 Government Targets in Central Asia and APAC Using Telegram Bots: https://t.co/h8lLaRnLZL by The Hacker News #infosec #cybersecurity #technology #news
🚨 ShadowSilk hackers just hit nearly 30+ gov targets across Central Asia & APAC. The crew? A Russian-Chinese tag team using Telegram bots to hide C2 traffic + stealing Chrome passwords. They’re still active—new victims found in July. Read → https://t.co/m8auCdiL00
UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats https://t.co/FpTzGJwpk7