• United States



Shweta Sharma
Senior Writer

New Chinese APT campaign found targeting European embassies

Jul 04, 20233 mins
Advanced Persistent ThreatsMalware

The China-based APT actor has been found using HTML smuggling to avoid detection.

trojan horse 96670445
Credit: Thinkstock

A China-based advanced persistent threat (APT) campaign has been targeting European government entities focused on foreign and domestic policies, according to research by Check Point.

The campaign, dubbed SmugX, uses HTML smuggling, a technique in which attackers hide malicious payloads inside HTML documents.

Active since December 2022, the campaign is likely a direct continuation of a previously reported campaign attributed to RedDelta and the Mustang Panda group, according to the Check Point report.

Campaign targeting European embassies

Check Point said it has been tracking the Chinese threat actor for two months and has concluded that it is targeting foreign and domestic policy entities as well as embassies in Europe.

"Combined with other Chinese based group's activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift in target towards European entities, with a focus on their foreign policy," the report added.

Apart from the UK, the campaign appears to be focused on Eastern European countries, including the Czech Republic, Slovakia, and Hungary. The goal of the campaign, according to Check Point's assessment, is to "get a hold of sensitive information on the foreign policies of those countries."

SmugX deploys evasive PlugX variant

The campaign uses new delivery methods (mostly HTML smuggling) to deploy a new variant of PlugX, an implant commonly associated with various Chinese threat actors.

Also known as Korplug or Sogu, PlugX is a remote access Trojan (RAT) that provides unauthorized access to a compromised system, allowing an attacker to control and monitor an infected machine remotely.

While the payload used in the campaign is similar to the ones found in older PlugX variants, the new delivery method has rendered lower detection rates and successful evasions.

"The way HTML Smuggling is utilized in the SmugX email campaign results in the download of either a JavaScript or a ZIP file. This leads to a long infection chain which results in PlugX infection of the victim," the report said.

The lure themes identified by Check Point focused mainly on Eastern and Central European domestic and foreign policy entities, along with a few Western European references. Most of the documents contained diplomatic-related content, directly related to China or human rights in China. Among the most intended victims were diplomats and public servants in government entities.