Silk Typhoon hackers hijack captive portals in diplomat attacks, exposing how far advanced persistent threats will go to steal intelligence. Google tracks the cluster behind this activity as UNC6384 and links it to Mustang Panda (also known as TEMP.Hex), a long-running Chinese state-sponsored espionage operation. The campaign reveals new tactics designed to bypass defenses and target high-value diplomatic missions.
Hijacking Captive Portals
Captive portals are the login or terms-of-use pages that appear when a device joins a Wi-Fi network. Before granting internet access, the operating system or browser sends a connectivity probe to a fixed URL and is redirected to the portal if the network is gating access. The attackers abused this familiar step: with control of the network path, they redirected the probe to a page of their own instead of a genuine portal.
Diplomats connecting to the targeted networks were shown a convincing Adobe plugin update page. The fake portal urged them to download “AdobePlugins.exe.” The file carried a valid digital signature, so neither the user nor signature-based controls had an obvious reason to reject it.
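The following Python example is added here and is not part of the original report or Google's tooling. It shows the check a client or network team could run on the response to a connectivity probe: an ungated network answers as expected, a genuine portal redirects to a vetted host, and a hijacked probe lands on a binary or on a page that pushes one. The probe semantics (a URL that normally answers 204 No Content), the allow list of portal hosts, and every hostname and response below are constructed assumptions, not campaign indicators.

```python
"""Classify what a captive-portal connectivity probe gets back.

Operating systems and browsers fetch a fixed URL (one that normally answers
204 No Content) to decide whether a network is gating access. A genuine
captive portal answers with a redirect or an HTML login page. A hijacked
probe, as in the campaign above, lands the user on a page pushing an
executable. This classifier separates the three cases. Added example;
hosts and responses below are constructed, not campaign indicators.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

EXPECTED_STATUS = 204            # assumed: what an ungated network returns
EXPECTED_BODY = b""
# Assumed allow list of hosts permitted to serve a portal to this fleet.
TRUSTED_PORTAL_HOSTS = {"portal.example-hotel.test"}
BINARY_SUFFIXES = (".exe", ".msi", ".dll", ".scr", ".bat", ".ps1", ".hta")


@dataclass
class ProbeResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def _body_offers_binary(body: bytes) -> bool:
    text = body.decode("utf-8", errors="replace").lower()
    return any(suffix in text for suffix in BINARY_SUFFIXES)


def classify_probe(resp: ProbeResponse) -> str:
    """Return 'open', 'captive_portal' or 'suspicious'."""
    if resp.status == EXPECTED_STATUS and resp.body == EXPECTED_BODY:
        return "open"
    location = resp.headers.get("Location", "")
    if 300 <= resp.status < 400:
        target = urlparse(location)
        if target.path.lower().endswith(BINARY_SUFFIXES):
            return "suspicious"      # probe redirected straight to a binary
        if target.hostname not in TRUSTED_PORTAL_HOSTS:
            return "suspicious"      # portal on a host nobody has vetted
        return "captive_portal"
    if resp.status == 200:
        if _body_offers_binary(resp.body):
            return "suspicious"      # interstitial that pushes an installer
        return "captive_portal"      # ordinary login or consent page
    return "suspicious"              # anything else deserves a look


# Constructed sample responses for four network situations.
SAMPLES = {
    "clean_network": ProbeResponse(204),
    "hotel_portal": ProbeResponse(
        302, {"Location": "https://portal.example-hotel.test/login"}),
    "hijacked_redirect": ProbeResponse(
        302, {"Location": "http://update.example-evil.test/AdobePlugins.exe"}),
    "fake_update_page": ProbeResponse(
        200, body=b"<html>Adobe plugin update required: "
                  b"<a href='/dl/AdobePlugins.exe'>Download</a></html>"),
}


def triage(samples=None) -> dict:
    """Map each sample name to its classification."""
    return {name: classify_probe(resp)
            for name, resp in (samples or SAMPLES).items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:18} -> {verdict}")
```

The allow list is the part that needs care in practice: a fleet that travels will meet portals it has never seen, so the "suspicious" verdict for an unknown host is a prompt to inspect the page, not a block. The redirect-to-binary and download-in-body checks, by contrast, have no legitimate counterpart; a real portal never needs the user to install software.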
How the Attack Unfolded
The executable looked legitimate at first glance. Once launched, it dropped a Microsoft Visual C++ installer and an MSI package named 20250509.bmp, the image extension disguising what is actually an installer package. The MSI carried three components:
- A legitimate Canon printer utility, abused to side-load the malicious DLL placed beside it
- A loader DLL known as CANONSTAGER
- An RC4-encrypted backdoor called SOGU.SEC, a variant of the SOGU (PlugX) family
The loader decrypted the backdoor and executed it directly in memory, so the decrypted payload never touched disk. The only on-disk artifacts are a signed installer, a renamed MSI and an opaque encrypted blob, none of which gives a static scanner the backdoor's code to match. Detection therefore has to rely on memory scanning or on the behavior of the Canon process that hosts the payload.
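Two triage checks that follow from the chain above, written as an added Python example rather than taken from the report or from any vendor tool. The first flags a file whose extension claims one type while its leading bytes say another (an MSI is an OLE2 compound document, a bitmap starts with "BM"). The second shows why an RC4-encrypted blob defeats static matching and how, once a key is recovered from the loader, the blob can be decrypted and confirmed by the PE header it yields. The key, the payload bytes and the file names other than 20250509.bmp are constructed for the demonstration.

```python
"""Triage checks for the staging artifacts described above (added example).

1. The MSI travelled under the name 20250509.bmp. A file's claimed type (its
   extension) and real type (its leading bytes) should agree: an MSI is an
   OLE2 compound document, a BMP begins with the ASCII bytes "BM".
2. The backdoor existed on disk only as an RC4-encrypted blob, decrypted in
   memory by the loader. RC4 is symmetric, so with a recovered key the blob
   decrypts trivially, and a PE header ("MZ") in the output confirms the key.
The key and payload bytes below are constructed for the demonstration.
"""
import os

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file: MSI, legacy Office
MAGIC = {
    OLE_MAGIC: "ole",
    b"BM": "bmp",
    b"MZ": "pe",
}
EXT_TO_TYPE = {".msi": "ole", ".doc": "ole", ".xls": "ole",
               ".bmp": "bmp", ".exe": "pe", ".dll": "pe"}


def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content is a recognised type that the extension denies."""
    claimed = EXT_TO_TYPE.get(os.path.splitext(filename)[1].lower(), "unknown")
    actual = sniff_type(data)
    return actual != "unknown" and actual != claimed


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); encrypting and decrypting are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def key_recovers_pe(key: bytes, blob: bytes) -> bool:
    """Does decrypting `blob` with `key` yield a PE header?"""
    return sniff_type(rc4(key, blob)) == "pe"


# Constructed samples: a PE-shaped payload and the blob a loader would store.
FAKE_PE = b"MZ" + b"\x90" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00"
KEY = b"constructed-demo-key"
ENCRYPTED_BLOB = rc4(KEY, FAKE_PE)

SAMPLE_FILES = {
    "20250509.bmp": OLE_MAGIC + b"\x00" * 24,   # an MSI wearing a .bmp name
    "wallpaper.bmp": b"BM" + b"\x00" * 30,      # a real bitmap (constructed)
    "payload.dat": ENCRYPTED_BLOB,              # opaque blob, no recognisable magic
}


def triage(files=None) -> dict:
    """Map each file name to (sniffed type, extension mismatch flag)."""
    return {name: (sniff_type(data), extension_mismatch(name, data))
            for name, data in (files or SAMPLE_FILES).items()}


if __name__ == "__main__":
    for name, (kind, mismatch) in triage().items():
        print(f"{name:14} type={kind:8} mismatch={mismatch}")
    print("key recovers PE:", key_recovers_pe(KEY, ENCRYPTED_BLOB))
```

The mismatch check is cheap enough to run on every download or on a web proxy, and it catches the renamed-installer trick regardless of the actual malware. The RC4 half is a reminder that the encryption here protects the payload from scanners, not from analysts: once the loader is in hand, the key is in the loader.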
Capabilities of the Backdoor
Once deployed, SOGU.SEC granted attackers powerful surveillance capabilities. The malware allowed:
- System reconnaissance
- File transfers
- Execution of remote commands
- Persistent but stealthy access
These functions enabled Silk Typhoon to extract sensitive diplomatic information without drawing attention. The campaign demonstrated how APT actors continue refining methods to evade detection.
Signed Malware Raises Alarm
The malicious file was signed with a certificate issued to Chengdu Nuoxin Times Technology Co., Ltd. Investigators cannot confirm if the company was compromised or knowingly involved.
This is not an isolated case. Since early 2023, Google has tracked at least 25 malware samples signed with certificates linked to this entity. A valid signature proves only that the file is unchanged since the holder of the signing key signed it, not that the signer is trustworthy, so it should never be treated as proof of safety on its own.
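As an added illustration that is not from Google's report, the Python below runs a simple detection over constructed process-creation telemetry. The JSON field names are an assumed shape, not any vendor's schema; the only real-world value is the publisher name the article cites, used here as a watchlist entry. The rule treats a valid signature as one attribute to correlate with the signer and the launch context, never as an allow decision.

```python
"""A valid Authenticode signature is an attribute, not a verdict (added example).

The rule below walks constructed process-creation events and raises an alert
when the signing publisher is on a watchlist of abused certificates, when a
file claims to be signed but the signature does not verify, or when a browser
launches an executable from a user-writable download location. A valid
signature never exempts an event from any of these checks. Field names are
an assumed telemetry shape, not a specific product's schema.
"""
import json
from pathlib import PureWindowsPath

# Publisher names associated with signed malware; the article names this one.
WATCHLISTED_SIGNERS = {"chengdu nuoxin times technology co., ltd."}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")

# Constructed telemetry, one JSON event per line. Backslashes are JSON-escaped
# inside a raw string so json.loads() yields single backslashes in the paths.
TELEMETRY = r"""
{"ts":"2025-05-09T10:12:01Z","image":"C:\\Users\\dip\\Downloads\\AdobePlugins.exe","parent":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","signed":true,"signer":"Chengdu Nuoxin Times Technology Co., Ltd.","sig_status":"Valid"}
{"ts":"2025-05-09T10:13:44Z","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe","signed":true,"signer":"Microsoft Windows","sig_status":"Valid"}
{"ts":"2025-05-09T10:15:09Z","image":"C:\\Users\\dip\\AppData\\Local\\Temp\\setup.exe","parent":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","signed":true,"signer":"Example Vendor Inc.","sig_status":"Valid"}
{"ts":"2025-05-09T10:20:30Z","image":"C:\\ProgramData\\tool\\helper.exe","parent":"C:\\Windows\\explorer.exe","signed":true,"signer":"Chengdu Nuoxin Times Technology Co., Ltd.","sig_status":"Valid"}
"""


def evaluate(event: dict) -> list:
    """Return the list of reasons this event should alert (empty if none)."""
    reasons = []
    signer = event.get("signer", "").lower()
    if signer in WATCHLISTED_SIGNERS:
        reasons.append("signed by watchlisted publisher")
    if event.get("signed") and event.get("sig_status") != "Valid":
        reasons.append("signature present but does not verify")
    parent = PureWindowsPath(event.get("parent", "")).name.lower()
    image = event.get("image", "").lower()
    if parent in BROWSERS and any(d in image for d in USER_WRITABLE_DIRS):
        reasons.append("browser launched executable from user-writable path")
    return reasons


def run(telemetry: str = TELEMETRY) -> list:
    """Parse line-delimited events; return (image name, reasons) per alert."""
    alerts = []
    for line in telemetry.strip().splitlines():
        event = json.loads(line)
        reasons = evaluate(event)
        if reasons:
            alerts.append((PureWindowsPath(event["image"]).name, reasons))
    return alerts


if __name__ == "__main__":
    for name, reasons in run():
        print(f"ALERT {name}: {'; '.join(reasons)}")
```

Note what the third event shows: a binary with a perfectly valid signature from a publisher nobody has flagged still alerts, because a browser writing an installer to a temp directory and running it is the delivery pattern, independent of who signed it. Watchlists age quickly; the behavioral check does not.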
Google’s Countermeasures
Google responded by blocking related domains and file hashes through Safe Browsing protections. The company also issued government-backed attacker alerts to affected Gmail and Google Workspace users.
Google first identified the campaign in March 2025. The company emphasized that the activity highlights a persistent risk for diplomats and other high-profile targets.
Broader Implications
This attack highlights a worrying pattern in cyber-espionage. Hijacking captive portals exploits a point of access users are trained to trust, and most organizations neither control the portals their travelling staff encounter nor monitor them for tampering.
The campaign also shows how attackers weaponize valid certificates. By combining technical trust with social engineering, Silk Typhoon raised the chances of success. These methods are difficult to counter without layered defenses and strict network monitoring.
Final Thoughts
Silk Typhoon hackers hijack captive portals in diplomat attacks to deliver advanced backdoors. Their campaign blends social engineering, hijacked infrastructure, and signed malware to bypass defenses. The case proves that state-backed actors continue refining tactics against sensitive global targets.
Organizations should treat captive portals as untrusted (a genuine portal never requires installing software), watch for abuse of code-signing certificates, and treat a valid signature as one attribute to evaluate rather than a verdict. Diplomatic missions, in particular, face ongoing risks from espionage-focused cyber groups. Silk Typhoon’s campaign is another reminder that trust in digital signatures and familiar network entry points can no longer guarantee security.