The China-based APT actor has been found using HTML smuggling to avoid detection.

A China-based advanced persistent threat (APT) campaign has been targeting European government entities focused on foreign and domestic policy, according to research by Check Point. The campaign, dubbed SmugX, uses HTML smuggling, a technique in which attackers hide a malicious payload inside an HTML document so that the victim's browser reassembles the file on the endpoint, rather than fetching it as a recognisable attachment or download that a mail or web gateway could inspect. Active since December 2022, the campaign is likely a direct continuation of a previously reported campaign attributed to RedDelta and the Mustang Panda group, according to the Check Point report.

Campaign targeting European embassies

Check Point said it has been tracking the Chinese threat actor for two months and has concluded that it is targeting foreign and domestic policy entities as well as embassies in Europe. "Combined with other Chinese-based groups' activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift in target towards European entities, with a focus on their foreign policy," the report added.

Apart from the UK, the campaign appears to be focused on Eastern European countries, including the Czech Republic, Slovakia, and Hungary. The goal of the campaign, according to Check Point's assessment, is to "get a hold of sensitive information on the foreign policies of those countries."

SmugX deploys evasive PlugX variant

The campaign uses new delivery methods (mostly HTML smuggling) to deploy a new variant of PlugX, an implant commonly associated with various Chinese threat actors. Also known as Korplug or Sogu, PlugX is a remote access Trojan (RAT) that gives an attacker unauthorized access to a compromised system, allowing them to control and monitor the infected machine remotely. While the payload used in the campaign is similar to those found in older PlugX variants, the new delivery method has yielded lower detection rates and successful evasions.
"The way HTML Smuggling is utilized in the SmugX email campaign results in the download of either a JavaScript or a ZIP file. This leads to a long infection chain which results in PlugX infection of the victim," the report said.

The lure themes identified by Check Point focused mainly on Eastern and Central European domestic and foreign policy entities, along with a few Western European references. Most of the documents contained diplomatic-related content, directly related to China or human rights in China. The intended victims were mostly diplomats and public servants in government entities.
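As an added example, not code from the Check Point report or from this article, the following Node.js script shows the generic shape of an HTML smuggling page (a base64 blob decoded by inline JavaScript and pushed to the browser as a file download, which is what makes the resulting JavaScript or ZIP file invisible to a gateway scanning attachments) alongside a small static scanner that flags such pages and identifies what kind of file they carry. The sample pages, the indicator list and the payload bytes are all constructed here for illustration; the scanner is a heuristic, not a reproduction of any vendor's detection logic.

```javascript
// Added example: constructed HTML smuggling page + heuristic scanner.
// Nothing here is taken from the SmugX campaign; payloads are harmless stand-ins.

// Builds a page of the generic HTML smuggling shape: the file is carried as
// base64 inside the HTML, decoded by inline JavaScript, wrapped in a Blob and
// handed to the browser as a download. This is the pattern the scanner below
// looks for; the bytes it embeds are whatever the caller passes in.
function buildSmugglingPage(payloadBytes, fileName) {
  const b64 = payloadBytes.toString('base64');
  return `<html><body>
<p>Loading document...</p>
<script>
  var b = atob('${b64}');
  var a = new Uint8Array(b.length);
  for (var i = 0; i < b.length; i++) a[i] = b.charCodeAt(i);
  var blob = new Blob([a], { type: 'application/octet-stream' });
  var link = document.createElement('a');
  link.href = URL.createObjectURL(blob);
  link.download = '${fileName}';
  document.body.appendChild(link);
  link.click();
</script>
</body></html>`;
}

// Heuristic indicators of an in-browser file drop. Names and patterns are
// this example's own choices, not a published signature set.
const INDICATORS = [
  { name: 'atob', re: /\batob\s*\(/ },
  { name: 'blob', re: /new\s+Blob\s*\(/ },
  { name: 'objectUrl', re: /URL\.createObjectURL\s*\(/ },
  { name: 'forcedDownload', re: /\.download\s*=/ },
  { name: 'msSaveBlob', re: /msSaveOrOpenBlob/ },
];

// Pull long base64 string literals out of every inline <script> block.
function extractBase64Literals(html, minLen = 64) {
  const scripts = [...html.matchAll(/<script[^>]*>([\s\S]*?)<\/script>/gi)].map(m => m[1]);
  const literalRe = /["']([A-Za-z0-9+\/]{64,}={0,2})["']/g;
  const found = [];
  for (const body of scripts) {
    for (const m of body.matchAll(literalRe)) {
      if (m[1].length >= minLen) found.push(m[1]);
    }
  }
  return found;
}

// Identify the decoded payload: ZIP local-file-header magic, or text that
// looks like script. Both are the file types the article says SmugX drops.
function sniffPayload(bytes) {
  if (bytes.length >= 4 && bytes[0] === 0x50 && bytes[1] === 0x4b &&
      bytes[2] === 0x03 && bytes[3] === 0x04) {
    return 'zip';
  }
  const head = bytes.subarray(0, 256).toString('latin1');
  if (/\b(function|var|let|const|eval|WScript|ActiveXObject)\b/.test(head)) {
    return 'javascript';
  }
  return 'unknown';
}

// Scan one HTML document: which indicators fire, and what the embedded blobs
// decode to. A page is flagged when at least two indicators fire AND it
// carries at least one large base64 literal.
function scanHtml(html) {
  const indicators = INDICATORS.filter(i => i.re.test(html)).map(i => i.name);
  const payloads = extractBase64Literals(html).map(b64 => {
    const bytes = Buffer.from(b64, 'base64');
    return { size: bytes.length, kind: sniffPayload(bytes) };
  });
  return { indicators, payloads, suspicious: indicators.length >= 2 && payloads.length > 0 };
}

// Constructed samples. The "ZIP" is just the 4-byte local-file-header magic
// followed by zero padding; the "script" is an inert comment and variable.
const ZIP_LIKE = Buffer.concat([Buffer.from('PK\x03\x04', 'latin1'), Buffer.alloc(60)]);
const JS_LIKE = Buffer.from('// constructed harmless stand-in, not a real dropper\nvar marker = "sample";\n', 'utf8');
const SMUGGLED_ZIP_PAGE = buildSmugglingPage(ZIP_LIKE, 'document.zip');
const SMUGGLED_JS_PAGE = buildSmugglingPage(JS_LIKE, 'document.js');
const BENIGN_PAGE = '<html><body><script>document.title = "Policy brief";</script></body></html>';

console.log(JSON.stringify(scanHtml(SMUGGLED_ZIP_PAGE), null, 2));
console.log(JSON.stringify(scanHtml(BENIGN_PAGE), null, 2));
```

In practice this kind of check belongs at the mail gateway or in a browser download hook, where the HTML is still visible as a document; by the time the `link.click()` fires, the only artefact left on the wire is an opaque HTML attachment, which is the point of the technique. The two-indicator threshold keeps ordinary pages that legitimately build downloads client-side from tripping on a single pattern.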