
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,705 of 2,445   
   Mike Powell to All   
   Chinese state attack targ   
   28 Aug 25 09:19:16   
   
   TZUTC: -0500   
   MSGID: 1453.consprcy@1:2320/105 2d15a111   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Google warns of Chinese state actor hack in real-time following alerts   
      
   Date:   
   Wed, 27 Aug 2025 16:57:00 +0000   
      
   Description:   
   UNC6384 is targeting diplomats in Southeast Asia and elsewhere with backdoors   
   and other malware.   
      
   FULL STORY   
      
   Google has issued a warning about a Chinese state-sponsored hacking attack   
   targeting users in real-time.    
      
   The company's cybersecurity arm, the Google Threat Intelligence Group (GTIG),
   published a new blog outlining how it saw evidence of a captive portal hijack
   being used to deliver malware disguised as an Adobe Plugin update to targeted
   entities.
      
   Apparently, this campaign is the work of a group known as UNC6384, a Chinese
   state-sponsored actor, possibly tied to Silk Typhoon, a group known for
   cyber-espionage campaigns against government, critical infrastructure, and
   telco organizations in the West. The campaign, according to Google, targeted
   diplomats in Southeast Asia, as well as other entities around the world.
      
   Fake security updates   
      
   A captive portal is essentially a login page. It usually pops up on public
   networks, such as at airports or in coffee shops - right after connecting to
   the network, but before gaining access to the public internet. Sometimes it
   asks users to register an account, and sometimes viewing an ad and clicking
   connect is enough to be granted access.
      
   Now, Google claims the Chinese compromised edge devices on those target
   networks (routers, firewalls, VPN gateways, and such), and then used the
   instances to hijack the portals and redirect visitors to a malicious landing
   page.
      
   Visitors are then prompted to download a security update for Adobe which is,
   in fact, malware. The initial payload, an MSI package, installs stage-two
   malware including CANONSTAGER and SOGU.SEC. The latter is a backdoor that
   connects to the attacker-controlled C2 server and grants unabated access to
   the target computer.
      
   Google first observed this attack in March this year and sent out alerts to   
   Gmail and Workspace users.    
      
   Whenever China is accused of engaging in cyber-warfare against its    
   adversaries in the West, it denies any involvement and repeats its stance    
   that the US is the biggest cyber-bully right now.   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/google-warns-of-chinese-state-actor-hack-in-real-time-following-alerts
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470   
   SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
      
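The story above describes the tell-tale shape of a captive portal hijack: the
connectivity probe a device sends after joining a network is answered not with
an HTML login page but with (or a redirect to) an installer dressed up as a
security update. The following is an added example, not code from the post,
from TechRadar or from Google's report. It classifies probe responses the way a
defensive network-join check could, using constructed sample responses and an
assumed probe URL and expected body (real operating-system probes use their own
vendor-specific URLs).

```python
"""Captive-portal probe classifier (added example, not from the post, TechRadar
or Google). Emulates the connectivity check a device performs after joining a
network: fetch a known probe URL and inspect what comes back. A benign captive
portal answers with an HTML login page or a redirect to one; a hijacked portal
pushing a fake "security update" answers with, or redirects to, an MSI/EXE.
Every response below is constructed for the example."""

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed probe host and the body an un-intercepted path returns (constructed).
PROBE_HOST = "connectivity-check.example.net"
PROBE_EXPECTED_BODY = b"OK"

# Content types and file extensions a login page never legitimately serves.
INSTALLER_TYPES = {
    "application/x-msi",
    "application/x-msdownload",
    "application/octet-stream",
    "application/vnd.microsoft.portable-executable",
}
INSTALLER_EXTENSIONS = (".msi", ".exe", ".msix", ".ps1", ".hta")


@dataclass
class ProbeResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name):
        # Case-insensitive header lookup; missing header reads as "".
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower(), "")


def _points_at_installer(url_or_filename):
    path = urlparse(url_or_filename).path.lower()
    return path.endswith(INSTALLER_EXTENSIONS)


def classify(resp):
    """Return (verdict, detail) for the reply to the probe request."""
    if resp.status == 200 and resp.body.strip() == PROBE_EXPECTED_BODY:
        return "open", "probe answered as expected; no interception"

    ctype = resp.header("Content-Type").split(";")[0].strip().lower()
    disposition = resp.header("Content-Disposition")
    filename = disposition.split("filename=")[-1].strip('"') if disposition else ""
    location = resp.header("Location")

    # A download offered straight from the probe URL is never a login page.
    if ctype in INSTALLER_TYPES or _points_at_installer(filename):
        return "suspicious", f"portal serves an installer ({ctype or filename})"

    if 300 <= resp.status < 400 and location:
        if _points_at_installer(location):
            return "suspicious", f"portal redirects to an installer: {location}"
        host = urlparse(location).hostname or ""
        return "portal", f"redirected to login page on {host}"

    if ctype == "text/html":
        return "portal", "HTML login page returned in place of probe body"

    return "unknown", f"unexpected reply: status {resp.status}, type {ctype!r}"


# Constructed sample responses: a clean path, an ordinary airport portal,
# and two ways a hijacked portal might push a fake Adobe update.
SAMPLES = {
    "clean": ProbeResponse(200, {"Content-Type": "text/plain"}, b"OK"),
    "airport_portal": ProbeResponse(
        302, {"Location": "https://wifi.example-airport.test/login"}),
    "hijacked_portal": ProbeResponse(
        200,
        {"Content-Type": "application/x-msi",
         "Content-Disposition": 'attachment; filename="AdobePlugin_Update.msi"'},
        b"\xd0\xcf\x11\xe0" + b"\x00" * 16,  # OLE/MSI magic bytes, constructed
    ),
    "hijacked_redirect": ProbeResponse(
        302, {"Location": "http://update.example-cdn.test/AdobePlugin_Update.msi"}),
}


def classify_all():
    """Verdict for each constructed sample, keyed by sample name."""
    return {name: classify(r)[0] for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        verdict, detail = classify(resp)
        print(f"{name:18s} {verdict:10s} {detail}")
```

The check deliberately keys on what a login page cannot be (an installer
content type, an attachment filename or a redirect target ending in an
executable extension) rather than on any one campaign's filenames, so it flags
the fake-update pattern regardless of the brand the lure borrows.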



(c) 1994,  bbs@darkrealms.ca