Chinese Threat Actors Target Europe in SmugX Campaign

Written by

A malicious campaign by Chinese threat actors has been spotted targeting government entities in Europe, specifically focusing on foreign and domestic policy organizations.

The campaign, named “SmugX” and discovered by Check Point Research (CPR), employs HTML Smuggling, a technique in which malicious payloads are concealed within HTML documents to evade network-based detection measures.

The attacks, observed since at least December 2022, rely on novel delivery methods to deploy a variant of PlugX, a commonly used implant associated with various Chinese threat actors. 

Read more on PlugX: Black Basta Deploys PlugX Malware in USB Devices With New Technique

In an advisory published earlier today, CPR said using HTML Smuggling and other delivery techniques has resulted in low detection rates, allowing the campaign to remain under the radar until recently.

The lure themes of the campaign primarily revolve around European domestic and foreign policies, and the targets mainly include governmental ministries in Eastern Europe. The documents used as lures often contain China-related content, including diplomatic-related materials.

There are two main infection chains observed in the campaign. In one scenario, an HTML file smuggles a ZIP archive containing a malicious LNK file, while in the other scenario, a JavaScript file downloads and executes an MSI file from the attackers’ server. Both chains eventually led to the deployment of the PlugX malware.

According to CPR, the SmugX campaign exhibits similarities with previous activity attributed to Chinese APT actors RedDelta and Mustang Panda.

Additionally, while there are correlations between the SmugX campaign and the activities of the Camaro Dragon group, there is currently insufficient evidence to link them directly.

“While none of the techniques observed in this campaign is new or unique, the combination of the different tactics, and the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar for quite a while,” CPR wrote.

CPR added that the emergence of SmugX highlights a broader pattern observed among Chinese threat actors.

“The campaign [...] is part of a larger trend we’re seeing of Chinese threat actors shifting their focus to Europe.”

The CPR advisory comes weeks after China banned products sold by US chipmaker giant Micron, citing cybersecurity concerns.

What’s hot on Infosecurity Magazine?