Google’s Threat Intelligence Group (GTIG) has uncovered a targeted campaign attributed to UNC6384, a threat actor tied to the Chinese APT group Silk Typhoon, also known as Mustang Panda or TEMP.Hex. In this operation, the attackers employed an advanced adversary-in-the-middle (AitM) tactic to hijack captive portals—commonly used to authenticate users on public networks—and redirect web traffic to malicious websites masquerading as legitimate software update pages.
The attack begins when the Chrome browser checks for a captive portal, a routine process for public Wi-Fi access. Hijacking this request, the threat actors rerouted the target to a spoofed Adobe plugin update site. There, the victim was lured into downloading a signed executable, AdobePlugins.exe, and guided through steps to bypass Windows security warnings. Once executed, the fake installer displayed a decoy Microsoft Visual C++ setup while secretly retrieving a disguised MSI file containing three components: a Canon printer utility, a DLL loader named CANONSTAGER, and a backdoor payload (SOGU.SEC).

Attack chain. Source: google.com.
The malware execution chain hinges on DLL sideloading: the legitimate Canon printer utility loads the CANONSTAGER DLL placed alongside it, and CANONSTAGER decrypts the PlugX variant (SOGU.SEC) hidden inside the MSI and loads it into memory. This backdoor, a staple of Chinese espionage toolkits, enables attackers to harvest system data, transfer files, and execute remote commands. Although the installer looks legitimate, the payload is both stealthy and potent, capable of maintaining covert access for long-term surveillance.
Notably, GTIG discovered that the campaign’s malware samples were signed with digital certificates from Chengdu Nuoxin Times Technology Co., Ltd. While it’s unclear if the company is complicit or itself compromised, Google has linked over two dozen malicious samples to this certificate since 2023. Until the situation is clarified, GTIG recommends treating all files signed by this entity as untrusted.
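One way a Windows administrator can act on that recommendation is to inventory signed files and flag any whose Authenticode signer is the named organisation. This is an added example, not code from GTIG or the article; the scan path is assumed, and the match is on the organisation name in the certificate subject because the article gives no certificate thumbprint.

```powershell
# Added example: flag files signed by the organisation the GTIG report says to distrust.
# Assumptions: $ScanPath is illustrative; the match is a substring test on the
# signer certificate subject, since no thumbprint is given in the article.
$UntrustedSigner = 'Chengdu Nuoxin Times Technology Co., Ltd.'
$ScanPath = 'C:\Users\Public\Downloads'   # assumed path, adjust to your environment

function Test-UntrustedSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $SignerName
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Unsigned or unreadable files carry no signer certificate; report them as
    # not matched rather than silently skipping them.
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]@{
            Path      = $Path
            Status    = $sig.Status
            Signer    = $null
            Untrusted = $false
        }
    }

    # A *valid* signature from this organisation is exactly the case the report
    # says should be treated as untrusted, so Status alone is not enough.
    $subject = $sig.SignerCertificate.Subject
    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status
        Signer    = $subject
        Untrusted = ($subject -like "*$SignerName*")
    }
}

# Scan the common dropped-file types from the described chain (EXE, DLL, MSI)
# and list only the files whose signer matches.
Get-ChildItem -Path $ScanPath -Recurse -Include *.exe, *.dll, *.msi -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-UntrustedSigner -Path $_.FullName -SignerName $UntrustedSigner } |
    Where-Object { $_.Untrusted } |
    Format-Table Path, Status, Signer -AutoSize
```

Pipe the matching paths into your EDR or quarantine workflow rather than deleting them outright, so the samples remain available for the IoC comparison the report enables.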
In response, Google has blocked all known malicious domains and file hashes via Safe Browsing and issued alerts to affected Gmail and Workspace accounts. Additionally, it has published YARA detection rules and shared indicators of compromise (IoCs) to help defenders detect and mitigate threats from this campaign. The attackers’ speed, flexibility, and layered approach underline the evolving danger of Chinese-aligned cyberespionage groups, who continue to pivot infrastructure and malware to stay ahead of detection.