TZUTC: -0500
MSGID: 1453.consprcy@1:2320/105 2d15a111
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Google warns of Chinese state actor hack in real-time following alerts

Date:
Wed, 27 Aug 2025 16:57:00 +0000

Description:
UNC6384 is targeting diplomats in Southeast Asia and elsewhere with backdoors
and other malware.

FULL STORY

Google has issued a warning about a Chinese state-sponsored hacking attack
targeting users in real-time. 

The companys cybersecurity arm, the Google Threat Intelligence Group (GTIG),
published a new blog outlining how it saw evidence of a captive portal hijack
being used to deliver malware disguised as an Adobe Plugin update to targeted
entities. 

Apparently, this campaign is the work of a group known as UNC6384, a Chinese
state-sponsored actor, possibly tied to Silk Typhoon , a group known for
cyber-espionage campaigns against government, critical infrastructure, and
telco organizations in the West. The campaign, according to Google, targeted
diplomats in Southeast Asia, as well as other entities around the world.

Fake security updates

A captive portal is essentially a login page. It usually pops up on public
networks, such as on airports, or in coffee shops - right after connecting to
the network, but before gaining access to the public internet. Sometimes it
asks users to register an account, and sometimes viewing an ad and clicking
connect is enough to be granted access. 

Now, Google claims the Chinese compromised edge devices on those target
networks (routers, firewalls , VPN gateways, and the such), and then used the
instances to hijack the portals and redirect visitors to a malicious landing
page. 

Visitors are then prompted to download a security update for Adobe which is,
in fact, malware . The initial payload, an MSI package, installs stage-two
malware including CANONSTAGER and SOGU.SEC. The latter is a backdoor that
connects to the attacker-controlled C2 server and grants unabated access to
the target computer. 

Google first observed this attack in March this year and sent out alerts to
Gmail and Workspace users. 

Whenever China is accused of engaging in cyber-warfare against its 
adversaries in the West, it denies any involvement and repeats its stance 
that the US is the biggest cyber-bully right now.

======================================================================
Link to news story:
https://www.techradar.com/pro/security/google-warns-of-chinese-state-actor-hac
k-in-real-time-following-alerts

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426