
Google Blames Hackers Tied to China for Attacking Diplomats in Asia


Google Warns of Cyber Espionage Targeting Diplomats

The Google Threat Intelligence Group (GTIG) reported on Monday that hackers linked to the Chinese government are executing “complex and multifaceted campaigns” aimed at diplomats in Southeast Asia and globally.

According to GTIG, this activity is likely aligned with the cyber espionage goals of the People’s Republic of China (PRC).

The recent operations used a “Captive Portal Redirect” to deliver “digitally signed downloaders” to the targeted computers; those downloaders then installed spyware on the victims’ machines without their knowledge.

In simpler terms, victims were redirected to attacker-controlled websites that ran a two-stage attack. First, the user was shown what looked like a legitimate browser plugin update; that “plugin” was in fact a downloader, which then installed a backdoor known as SOGU.SEC. While the victim believed they were updating their software, they were actually handing control of the machine to the attacker.

GTIG identified the attack by tracing a “redirect chain” that led to attacker-controlled sites disguised as trusted domains. A key finding was the very first step: the attackers tampered with a targeted Wi-Fi router so that the victim’s browser, when it performed its routine captive-portal connectivity check, was redirected to a malicious site instead. When Google’s security specialists began investigating the case in March 2025, this critical first step was not yet visible to them.
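The redirect-chain tracing described above, reduced to a small check a defender can run over captured responses. This is an added example, not GTIG’s tooling or anything taken from the report: the probe URL, the trusted zone and every HTTP response below are constructed, hypothetical data standing in for what a client’s captive-portal connectivity check would actually see. The point it illustrates is that a benign hotel portal and a hijacked network both answer the probe with a redirect; what separates them is where the chain ends.

```python
"""Follow a connectivity probe's redirect chain and flag a captive-portal hijack.

Added example with constructed data; nothing here comes from GTIG's report.
"""
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed, hypothetical responses: url -> (status, headers, body).
# They stand in for what a client sees when it fetches its connectivity probe.
RESPONSES = {
    # Normal network: the probe returns its expected body directly.
    "http://probe.example.com/ok.txt": (200, {}, "OK"),
    # Legitimate hotel captive portal: one redirect to an obvious login page.
    "http://probe.example.com/generate_204": (
        302, {"Location": "http://login.hotel-wifi.example.net/portal"}, ""),
    "http://login.hotel-wifi.example.net/portal": (
        200, {}, "<html>Hotel Wi-Fi login</html>"),
    # Hijacked path: the probe is bounced through a relay to a lookalike
    # "plugin update" page whose host reuses the trusted brand's name.
    "http://probe.example.com/check": (
        302, {"Location": "http://cdn-relay.example.org/r?to=plugin"}, ""),
    "http://cdn-relay.example.org/r?to=plugin": (
        302, {"Location": "/update/plugin.html"}, ""),        # relative Location
    "http://cdn-relay.example.org/update/plugin.html": (
        302, {"Location": "http://probe-plugin.example.net/install"}, ""),
    "http://probe-plugin.example.net/install": (
        200, {}, "<html>Your browser plugin is out of date</html>"),
    # Redirect loop, to show the walker terminates.
    "http://probe.example.com/loop-a": (302, {"Location": "/loop-b"}, ""),
    "http://probe.example.com/loop-b": (302, {"Location": "/loop-a"}, ""),
}

# Zones whose hosts are allowed to answer the probe; the first label is the
# "brand" token we do not expect to see reused by unrelated hosts.
TRUSTED_ZONES = ("probe.example.com",)


def fetch(responses, url):
    """Stand-in for an HTTP GET; returns 404 for anything not recorded."""
    return responses.get(url, (404, {}, ""))


def walk_redirects(responses, start_url, max_hops=8):
    """Follow Location headers; return [(url, status), ...] up to the final hop.

    Stops on the first non-redirect, on a revisited URL (loop) or at max_hops.
    """
    chain, seen, url = [], {start_url}, start_url
    while len(chain) < max_hops:
        status, headers, _ = fetch(responses, url)
        chain.append((url, status))
        if status not in REDIRECTS or "Location" not in headers:
            break
        nxt = urljoin(url, headers["Location"])  # resolves relative targets
        if nxt in seen:
            break
        seen.add(nxt)
        url = nxt
    return chain


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def in_zone(host, zones):
    return any(host == z or host.endswith("." + z) for z in zones)


def lookalike_brand(host, zones):
    """Return the trusted brand token that a foreign host reuses, or None."""
    if in_zone(host, zones):
        return None
    brands = {z.split(".")[0] for z in zones}
    for label in host.replace("-", ".").split("."):
        if label in brands:
            return label
    return None


def classify_probe(responses, probe_url, expected_body, zones=TRUSTED_ZONES):
    """Classify a connectivity probe: clean, captive portal, hijack or failure."""
    chain = walk_redirects(responses, probe_url)
    final_url, final_status = chain[-1]
    body = fetch(responses, final_url)[2].strip()
    if len(chain) == 1 and final_status != 200:
        return "probe_failed", chain
    if len(chain) == 1 and body == expected_body:
        return "clean", chain
    if final_status in REDIRECTS:
        return "unresolved: redirect loop or too many hops", chain
    brand = lookalike_brand(host_of(final_url), zones)
    if brand:
        return f"hijack: chain ends on lookalike of '{brand}'", chain
    return "captive_portal", chain


if __name__ == "__main__":
    for path in ("ok.txt", "generate_204", "check", "loop-a"):
        verdict, chain = classify_probe(RESPONSES, f"http://probe.example.com/{path}", "OK")
        print(f"{path:14} {verdict:45} hops={[u for u, _ in chain]}")
```

On a real client, `fetch` would be replaced by an HTTP GET that does not follow redirects itself (for example `requests.get(url, allow_redirects=False)`), so that every hop is recorded rather than collapsed into the final page. The lookalike heuristic is deliberately simple; in practice the final host would also be checked against threat-intelligence feeds and the expected probe response.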

GTIG attributes the activity to a PRC-linked group it tracks as UNC6384, which operates some of the websites used in the scheme. The group’s code was heavily obfuscated and abused legitimate Windows mechanisms (loading its malicious code through a trusted, signed executable, a technique known as DLL side-loading) both to get victims to install the malware and to evade detection, as in its earlier attacks.

The report concluded that this incident highlights the evolving capabilities of UNC6384 and the sophistication of PRC-linked cyber operatives.

Patrick Wheitzel, a Senior Security Engineer at Google, told Bloomberg that around “20 victims” had been found with the malware, most of them diplomats in Southeast Asia. Wheitzel did not disclose the nationalities of the targeted diplomats, but said he was confident that the actors behind the campaign were “aligned with China.”

“I think diplomats often handle sensitive documents on the laptops they use for their work. So, if you access that device, you’re likely to come across those documents,” he remarked.

The “UNC” prefix denotes an “uncategorized” cluster: a threat actor that has not yet been merged into a fully attributed group. UNC6384 shares tactical overlaps with the Chinese hacking group known as “Mustang Panda,” which is also tracked under aliases including “Temp.hex” and “Bronze President.”

The second-stage malware used against the Southeast Asian diplomats, SOGU.SEC, belongs to a family first seen in 2008 that has since become a favored tool of Chinese hackers.

Another clue to the hackers’ identity is the downloader used in the first stage. It carried a valid code-signing signature from Chengdu Nuoxin Times Technology Co. Ltd., a Chinese company. A valid signature lets a file pass the checks on endpoints and in browsers that treat signed code as trustworthy, which is why signed malware is so effective at getting past defenses.

Over the past two years, GTIG has documented at least 25 malware samples carrying that company’s signature, most of them associated with hackers tied to the Chinese government. It also examined two earlier large-scale cyber espionage campaigns that used similarly signed malware, and assessed that UNC6384 may have been responsible for both.

“How these actors acquire these certificates remains a mystery,” GTIG noted. “The organization that issued the certificate could be a victim of a breach concerning code-signing materials, or they might be complicit or acting as front companies promoting cyber espionage.”
