Full Report
State-sponsored hackers linked to the Mustang Panda activity cluster targeted diplomats by hijacking web traffic to redirect to a malware serving website. [...]
Analysis Summary
# Threat Actor: Silk Typhoon (UNC6384 / TEMP.Hex / Mustang Panda)
## Attribution & Identity
Threat actor tracked by Google Threat Intelligence Group (GTIG) as **UNC6384**. Believed to be associated with the Chinese threat actor **TEMP.Hex**, which is also linked to **Mustang Panda** and the activity cluster known as **Silk Typhoon**.
## Activity Summary
This activity cluster was observed targeting **diplomats** using an advanced adversary-in-the-middle (AitM) technique. The hackers hijacked the network's captive portal so that it redirected targeted users to a malware-serving website. The attack chain began when the Chrome browser performed its captive-portal check: the hijacked portal answered by redirecting the victim to a landing page impersonating an Adobe plugin update site. Victims were then tricked into downloading and installing a digitally signed file, `AdobePlugins.exe`.
## Tactics, Techniques & Procedures
- **Adversary-in-the-Middle (AitM):** Used to hijack network captive portals and redirect web traffic.
- **Impersonation:** Landing page impersonated a legitimate Adobe plugin update site.
- **Social Engineering:** Provided step-by-step instructions to targets to bypass Windows security prompts during manual installation of malicious software.
- **File Dropping/Installation:** Deployed a fake Adobe plugin (`AdobePlugins.exe`) which displayed a Microsoft Visual C++ installer skin.
- **Payload Staging:** Secretly downloaded a disguised MSI package (`20250509.bmp`) containing a legitimate Canon tool, a DLL (**CANONSTAGER**), and the **SOGU.SEC** backdoor (RC4-encrypted).
- **DLL Side-Loading:** CANONSTAGER decrypted and loaded the final payload (SOGU.SEC) directly into system memory.
- **Code Signing Abuse:** Distributed malicious binaries carrying a digital signature attributed to Chengdu Nuoxin Times Technology Co., Ltd.
## Targeting
- **Sectors:** Diplomacy (Diplomats)
- **Geography:** Not explicitly stated, but inferred targeting of international diplomatic staff.
- **Victims:** Diplomats.
## Tools & Infrastructure
- **Malware Families Used:**
  - **SOGU.SEC:** A variant of the PlugX malware used extensively by Chinese threat groups, capable of system information collection, file upload/download, and remote command shell provisioning.
  - **CANONSTAGER:** A DLL used to decrypt and load SOGU.SEC into memory via side-loading.
- **Infrastructure:** Malicious domains were used for the malware distribution landing page, which Google has since blocked via Safe Browsing.
- **Signing Certificate Abuse:** Malicious binaries were signed with certificates belonging to **Chengdu Nuoxin Times Technology Co., Ltd.**
## Implications
This campaign demonstrates increasing sophistication among Chinese-nexus espionage actors. The use of AitM attacks via captive portal hijacking is an advanced technique showing high potential for bypassing standard perimeter defenses focused on external access. The use of legitimate-looking installers and signed binaries suggests an emphasis on evading endpoint detection mechanisms. The actors show an ability to quickly switch infrastructure and generate new binary builds.
## Mitigations
- Treat all certificates issued by **Chengdu Nuoxin Times Technology Co., Ltd.** as untrusted until the compromise of that entity is clarified.
- Implement robust endpoint detection focused on memory injection and DLL side-loading techniques (YARA rules for STATICPLUGIN and CANONSTAGER were shared).
- Monitor for unexpected network redirect activity, especially involving captive portals or browser-initiated checks for portal authentication.
- Educate staff, particularly diplomats, to recognise, and refuse to follow, manual installation steps for "required" software updates prompted via web browser requests.
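Two of the observable steps in the chain above (a captive-portal probe that is answered with a redirect to an unknown host, and an MSI served under a `.bmp` name) can be checked mechanically. The following is an added detection example, not code from the report or from GTIG; the proxy log lines, the trusted portal host and the probe URLs are constructed or illustrative assumptions.

```python
# Added example (not from the report): detection checks for two observable
# steps of the captive-portal hijack chain. All sample data is constructed.
from urllib.parse import urlparse

# Chrome-style connectivity probes expect an empty HTTP 204. The path and the
# trusted portal host below are illustrative assumptions; tune them to the
# captive portal your own network actually operates.
PROBE_PATH = "/generate_204"
TRUSTED_PORTAL_HOSTS = {"portal.corp.example"}   # placeholder value

# Constructed proxy log lines: method url status location
PROXY_LOG = """\
GET http://www.gstatic.com/generate_204 204 -
GET http://www.gstatic.com/generate_204 302 https://portal.corp.example/login
GET http://connectivitycheck.gstatic.com/generate_204 302 http://adobe-plugin-update.example/plugin
GET http://www.gstatic.com/generate_204 200 -
"""

def suspicious_probe_redirects(log_text):
    """Return probe responses that were neither the expected 204 nor a
    redirect to a trusted portal host. A hijacked portal shows up as a
    3xx to an unknown host, or as a 200 with substituted page content."""
    hits = []
    for line in log_text.splitlines():
        method, url, status, location = line.split(maxsplit=3)
        if urlparse(url).path != PROBE_PATH:
            continue                      # not a connectivity probe
        status = int(status)
        if status == 204:
            continue                      # expected answer: nothing to see
        target = urlparse(location).hostname if location != "-" else None
        if status // 100 == 3 and target in TRUSTED_PORTAL_HOSTS:
            continue                      # redirect to our own portal is fine
        hits.append((url, status, target))
    return hits

# File-header magic: a BMP starts with "BM"; an MSI is an OLE compound file.
MAGIC = {".bmp": b"BM", ".msi": bytes.fromhex("D0CF11E0A1B11AE1")}

def extension_mismatch(filename, data):
    """True when the extension claims one known format but the header
    matches a different known one (e.g. an MSI served as 20250509.bmp)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower()
    expected = MAGIC.get(ext)
    if expected is None or data.startswith(expected):
        return False
    return any(data.startswith(m) for m in MAGIC.values())
```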