Cyber Defense Advisors

New Chinese APT campaign found targeting European embassies

A China-based advanced persistent threat (APT) campaign has been targeting European government entities focused on foreign and domestic policies, according to research by Check Point.

The campaign, dubbed SmugX, uses HTML smuggling, a technique in which attackers hide malicious payloads inside HTML documents.

Active since December 2022, the campaign is likely a direct continuation of a previously reported campaign attributed to RedDelta and the Mustang Panda group, according to the Check Point report.

Campaign targeting European embassies

Check Point said it has been tracking the Chinese threat actor for two months and has concluded that it is targeting foreign and domestic policy entities as well as embassies in Europe.

“Combined with other Chinese based group’s activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift in target towards European entities, with a focus on their foreign policy,” the report added.

Apart from the UK, the campaign appears to be focused on Eastern European countries, including the Czech Republic, Slovakia, and Hungary. According to Check Point’s assessment, the goal of the campaign is to “get a hold of sensitive information on the foreign policies of those countries.”

SmugX deploys evasive PlugX variant

The campaign uses new delivery methods (mostly HTML smuggling) to deploy a new variant of PlugX, an implant commonly associated with various Chinese threat actors.

Also known as Korplug or Sogu, PlugX is a remote access Trojan (RAT) that provides unauthorized access to a compromised system, allowing an attacker to control and monitor an infected machine remotely.

While the payload used in the campaign is similar to those found in older PlugX variants, the new delivery method has resulted in lower detection rates and more successful evasion.

“The way HTML Smuggling is utilized in the SmugX email campaign results in the download of either a JavaScript or a ZIP file. This leads to a long infection chain which results in PlugX infection of the victim,” the report said.
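The two paragraphs above describe the delivery side of SmugX: an HTML attachment whose script assembles a JavaScript or ZIP file in the victim's browser. As an added example, not code from the article or from Check Point, the following Python scanner applies the defender-side heuristics that this kind of lure tends to exhibit (a large embedded base64 blob, in-browser decoding, a Blob handed to `URL.createObjectURL`, and a forced download of a `.js` or `.zip` name). The indicator names, the 200-character blob threshold, the verdict rule and both HTML samples are assumptions constructed for this illustration; the "smuggling" sample carries a placeholder blob, not a real payload.

```python
import base64
import re
from dataclasses import dataclass, field

# Heuristic indicators of HTML smuggling: a script decodes an embedded blob
# in the browser and hands it to the user as a file download.
# (Assumed indicator set; not from the article.)
INDICATORS = {
    "decodes_base64": re.compile(r"\batob\s*\(", re.I),
    "builds_blob": re.compile(r"\bnew\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "legacy_ie_save": re.compile(r"msSaveOrOpenBlob", re.I),
}

# A forced download, either as `a.download = "x"` in script or as an
# HTML `download="x"` attribute; the capture group is the dropped file name.
DOWNLOAD_NAME = re.compile(r"\bdownload\s*=\s*['\"]([^'\"]+)['\"]", re.I)

# Long runs of base64 text embedded in the page (assumed threshold).
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# File types the report says SmugX drops: JavaScript or ZIP.
DROPPED_TYPES = re.compile(r"\.(?:js|zip)$", re.I)


@dataclass
class ScanResult:
    hits: list = field(default_factory=list)      # indicator names that matched
    blob_bytes: int = 0                           # decoded size of embedded base64
    dropped_names: list = field(default_factory=list)  # forced-download file names
    suspicious: bool = False


def scan_html(html: str) -> ScanResult:
    """Score one HTML document for smuggling indicators (triage heuristic)."""
    result = ScanResult()
    result.hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    result.dropped_names = DOWNLOAD_NAME.findall(html)
    if result.dropped_names:
        result.hits.append("forced_download")
    # Approximate decoded size: 4 base64 chars encode 3 bytes.
    result.blob_bytes = sum(len(b) * 3 // 4 for b in BASE64_BLOB.findall(html))
    decodes = "decodes_base64" in result.hits or "builds_blob" in result.hits
    delivers = any(h in result.hits for h in ("object_url", "forced_download", "legacy_ie_save"))
    drops_script_or_zip = any(DROPPED_TYPES.search(n) for n in result.dropped_names)
    # Verdict rule (assumed): in-browser decoding AND a download path, or a
    # large blob that ends up as a .js/.zip file name.
    result.suspicious = (decodes and delivers) or (result.blob_bytes >= 150 and drops_script_or_zip)
    return result


# --- Constructed samples (not real lures) ---------------------------------

# Placeholder bytes standing in for the smuggled archive; 240 bytes -> 320 base64 chars.
_PLACEHOLDER_BLOB = base64.b64encode(b"constructed placeholder bytes " * 8).decode()

SMUGGLING_SAMPLE = """<html><body>
<p>Please review the attached document.</p>
<script>
  var data = "__BLOB__";
  var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });
  var blob = new Blob([bytes], { type: "application/octet-stream" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "document.zip";
  a.click();
</script>
</body></html>""".replace("__BLOB__", _PLACEHOLDER_BLOB)

BENIGN_SAMPLE = """<html><head><script src="app.js"></script></head>
<body><h1>Embassy newsletter</h1>
<p>Read the <a href="/files/report.pdf">quarterly report</a>.</p>
</body></html>"""


if __name__ == "__main__":
    for label, sample in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = scan_html(sample)
        print(f"{label}: suspicious={r.suspicious} hits={r.hits} "
              f"blob_bytes={r.blob_bytes} drops={r.dropped_names}")
```

Blob and `createObjectURL` are also used by legitimate single-page applications, so treat a positive verdict as a triage signal to pair with mail context (unexpected HTML attachment, diplomatic lure theme, unknown sender) rather than as a block decision on its own.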

The lure themes identified by Check Point focused mainly on Eastern and Central European domestic and foreign policy entities, along with a few Western European references. Most of the documents contained diplomatic content directly related to China or to human rights in China. The intended victims were chiefly diplomats and public servants in government entities.
