A China-based advanced persistent threat (APT) campaign has been targeting European government entities focused on foreign and domestic policies.
The campaign, dubbed SmugX, uses HTML smuggling, a technique in which attackers hide malicious payloads inside HTML documents.
Active since December 2022, the campaign is likely a direct continuation of a previously reported campaign attributed to RedDelta and the Mustang Panda group.
The Chinese threat actor is targeting foreign and domestic policy entities as well as embassies in Europe.
Apart from the UK, the campaign appears to be focused on Eastern European countries, including the Czech Republic, Slovakia, and Hungary. The goal of the campaign, according to Check Point’s assessment, is to “get a hold of sensitive information on the foreign policies of those countries.”
The campaign uses new delivery methods (mostly HTML smuggling) to deploy a new variant of PlugX, an implant commonly associated with various Chinese threat actors.
Also known as Korplug or Sogu, PlugX is a remote access Trojan (RAT) that provides unauthorized access to a compromised system, allowing an attacker to control and monitor an infected machine remotely.
While the payload used in the campaign is similar to the ones found in older PlugX variants, the new delivery method has resulted in lower detection rates and successful evasions.
“The way HTML Smuggling is utilized in the SmugX email campaign results in the download of either a JavaScript or a ZIP file. This leads to a long infection chain which results in PlugX infection of the victim,” the report said.
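As an added example that is not part of Check Point's report or this article, the following Python scanner applies defender-side heuristics for the HTML smuggling pattern described above (in-browser decoding, Blob construction, forced download of a ZIP or script file) to constructed sample attachments. The marker regexes, magic-byte table, sample pages and the inert ZIP header are assumptions for illustration, not indicators taken from the SmugX campaign.

```python
import base64
import re
from html.parser import HTMLParser

# Defender-side heuristics (constructed for this example): a smuggled file is decoded in the
# browser, wrapped in a Blob and pushed to the user through a forced download.
BLOB_API = re.compile(r"new\s+Blob\s*\(|URL\.createObjectURL\s*\(|msSaveOrOpenBlob|msSaveBlob")
DECODER = re.compile(r"\batob\s*\(|Uint8Array|charCodeAt")
FORCED_DL = re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]")
B64_CHUNK = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf"}  # assumed sniffing table

class _Scripts(HTMLParser):
    # Collect the text of every <script> element in the attachment.
    def __init__(self):
        super().__init__()
        self.inside, self.chunks = False, []
    def handle_starttag(self, tag, attrs):
        self.inside = self.inside or tag == "script"
    def handle_endtag(self, tag):
        self.inside = self.inside and tag != "script"
    def handle_data(self, data):
        if self.inside:
            self.chunks.append(data)

def embedded_payload_types(js: str) -> list:
    # Decode long base64 runs inside script text and sniff the magic bytes of each one.
    kinds = []
    for m in B64_CHUNK.finditer(js):
        try:
            raw = base64.b64decode(m.group(0) + "=" * (-len(m.group(0)) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        kinds.append(next((k for sig, k in MAGIC.items() if raw.startswith(sig)), "unknown"))
    return kinds

def scan_html(html: str) -> dict:
    p = _Scripts()
    p.feed(html)
    js = "\n".join(p.chunks)
    f = {"blob_api": bool(BLOB_API.search(js)), "decoder": bool(DECODER.search(js)),
         "forced_download": bool(FORCED_DL.search(js)), "payload_types": embedded_payload_types(js)}
    # Blob construction plus a forced download is the core pattern; an inline decoder or a
    # recognisable embedded file type raises confidence enough to flag the attachment.
    f["suspicious"] = f["blob_api"] and f["forced_download"] and (f["decoder"] or bool(f["payload_types"]))
    return f

# Constructed samples: an inert ZIP header (not a real archive) handed to Blob + download,
# and a benign page whose script touches none of the smuggling APIs.
_FAKE = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()
SMUGGLING_SAMPLE = ('<html><body><p>Briefing</p><script>var d="' + _FAKE + '";'
    'var b=new Blob([Uint8Array.from(atob(d),c=>c.charCodeAt(0))],{type:"application/zip"});'
    'var a=document.createElement("a");a.href=URL.createObjectURL(b);a.download="briefing.zip";'
    'a.click();</script></body></html>')
BENIGN_SAMPLE = '<html><body><script>document.title="Briefing";</script><p>Hello</p></body></html>'
```

Run over mail-gateway attachments, the `payload_types` field tells the analyst what the page would drop (here a ZIP, matching the chain the report describes) without executing any script.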
The lure themes identified by Check Point focused mainly on Eastern and Central European domestic and foreign policy entities, along with a few Western European references. Most of the documents contained diplomatic content directly related to China or to human rights in China. The primary intended victims were diplomats and public servants in government entities.