In an attack reminiscent of 2015’s DarkHotel, attackers are manipulating users into installing malicious plug-ins via co-opted hotel splash pages.

The malicious plug-ins provide attackers with the ability to exfil data, record keystrokes, and perform other various malicious activities on the victim’s computer.

Users are reminded that hotel splash pages, the login screen when you first connect to a hotel’s WiFi, do not ask you to install plug-ins. If it does, disconnect immediately and utilize your phone’s hotspot to connect to the internet.

For more information, visit UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats