Google issued ‘State-backed attack in progress’ warnings after spotting web hijack scheme
(2025/08/27)
- Reference: 1756270688
- News link: https://www.theregister.co.uk/2025/08/27/google_china_captive_portal_hijack_warning/
- Source link:
Google has warned customers of a suspected state-backed attack after observing a web traffic hijacking campaign.
As explained in a Monday [1]post by Google Threat Intelligence Group senior security engineer Patrick Whitsell, the company’s infosec sleuths “discovered evidence of a captive portal hijack being used to deliver malware disguised as an Adobe Plugin update to targeted entities.”
Captive portals are login pages – like the sort of thing you see when connecting to public Wi-Fi, or some corporate networks. Google found attackers compromised edge devices on the target networks and used those machines to poison captive portals so they redirect to a fake page that advises users to download necessary security updates.
The updates are, in fact, malware that first retrieves an MSI package, then installs other malware called CANONSTAGER that deploys the SOGU.SEC backdoor, which connects to a command-and-control server.
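The chain described above (compromised edge device, redirected captive portal, fake "update" that is really an installer) has a simple network-side tell a defender can look for: a captive-portal flow should only ever serve HTML login pages, never a Windows executable. The following is an added example, not code from Google's post or from The Register, that applies that heuristic to constructed proxy log lines; the log format, client addresses and `*.example.invalid` hosts are made up for the example, while the probe hostnames are the real connectivity-check URLs Android, Windows and Apple devices request when joining a network.

```python
import re

# Real OS connectivity-check probes. A captive portal answers these with a redirect
# instead of the expected body, which is normal on a login network; an executable
# served shortly afterwards in the same client's session is not.
PROBE_HOSTS = {"connectivitycheck.gstatic.com",  # Android/Chrome: /generate_204
               "www.msftconnecttest.com",         # Windows: /connecttest.txt
               "captive.apple.com"}               # Apple: /hotspot-detect.html
EXEC_PATH_RE = re.compile(r"\.(exe|msi)(\?|$)", re.IGNORECASE)
EXEC_TYPES = {"application/x-msdownload", "application/x-msi",
              "application/octet-stream"}  # octet-stream is a noisier heuristic

# Constructed log format (assumption): "<epoch> <client> <method> <host> <path> <status> <content-type>"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) "
                     r"(?P<path>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$")


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_portal_payload_drops(lines, window=300):
    """Return (client, host, path) for every executable a client downloaded within
    `window` seconds of having one of its connectivity probes redirected."""
    redirected_at = {}  # client -> epoch of its most recent redirected probe
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts = int(rec["ts"])
        if rec["host"] in PROBE_HOSTS and rec["status"].startswith("3"):
            redirected_at[rec["client"]] = ts  # client is inside a captive-portal flow
            continue
        looks_exec = EXEC_PATH_RE.search(rec["path"]) or rec["ctype"] in EXEC_TYPES
        started = redirected_at.get(rec["client"])
        if looks_exec and started is not None and ts - started <= window:
            hits.append((rec["client"], rec["host"], rec["path"]))
    return hits


# Constructed sample: one portal flow that serves an installer (flagged), one client
# whose probe was not redirected (ignored), one download outside the window (ignored).
SAMPLE_LOG = [
    "1756270000 10.0.0.5 GET connectivitycheck.gstatic.com /generate_204 302 text/html",
    "1756270004 10.0.0.5 GET portal.example.invalid /login 200 text/html",
    "1756270090 10.0.0.5 GET portal.example.invalid /update/AdobePlugins.exe 200 application/x-msdownload",
    "1756270500 10.0.0.7 GET www.msftconnecttest.com /connecttest.txt 200 text/plain",
    "1756270510 10.0.0.7 GET downloads.example.invalid /tool.exe 200 application/octet-stream",
    "1756271000 10.0.0.9 GET captive.apple.com /hotspot-detect.html 302 text/html",
    "1756271400 10.0.0.9 GET files.example.invalid /setup.msi 200 application/x-msi",
]

if __name__ == "__main__":
    for client, host, path in find_portal_payload_drops(SAMPLE_LOG):
        print(f"executable served inside captive-portal flow: {client} <- {host}{path}")
```

The 300-second window is an assumption; on a real network, tune it to how long your portal normally takes between redirect and successful login.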
Google says the dodgy update – a file named AdobePlugins.exe – is signed by an outfit called Chengdu Nuoxin Times Technology Co. Ltd., which used a valid GlobalSign certificate.
Google says it’s tracking 25 known malware samples signed with a certificate issued to Chengdu Nuoxin, and says those certs are “in use by multiple PRC-nexus activity clusters.”
The Chocolate Factory believes the campaign is the work of a Chinese threat actor known as UNC6384 and associated with another group named TEMP.Hex – aka Mustang Panda/Silk Typhoon/Hafnium.
[6]Typhoon-adjacent Chinese crew broke into Taiwanese web host
[7]China says US spies exploited Microsoft Exchange zero-day to steal military info
[8]Silk Typhoon spun a web of patents for offensive cyber tools, report says
[9]Senator to Google: Give us info from telco Salt Typhoon probes
Google spotted this campaign in March 2025, and was so confident Beijing backed it that it sent government-backed attacker alerts to all Gmail and Workspace users impacted by this campaign.
As Google says the campaign “targeted diplomats in Southeast Asia and other entities globally”, some of those customers were presumably government agencies.
The web ads giant therefore suggests the campaign “was likely in support of cyber espionage operations aligned with the strategic interests of the People's Republic of China.”
China always denies it backs attacks of this sort, points out that Edward Snowden’s leaks show the US government is up to all sorts of skullduggery, and says research of the sort published by Google is part of a campaign to discredit Beijing and its entirely peaceful approach to cyberspace.
If you believe that, The Register has a layer 2 bridge to sell you, because in 2025 many nations have the ability to conduct cyber-ops.
Google, meanwhile, has encouraged its users “to enable Enhanced Safe Browsing for Chrome, ensure all devices are fully updated, and enable 2-Step Verification on accounts.” The company has also uploaded all it knows about the attack into its SecOps platform so users can defend against it. ®
[1] https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats
[6] https://www.theregister.com/2025/08/15/typhoonadjacent_chinese_crew_taiwan_web_servers/
[7] https://www.theregister.com/2025/08/01/china_us_intel_attacks/
[8] https://www.theregister.com/2025/07/31/silk_typhoon_attack_patents/
[9] https://www.theregister.com/2025/07/25/senator_mandiant_salt_typhoon_demands/