
Chinese threat actors are using the SmugX campaign to target Europe: Report


Cybersecurity researchers at Check Point Research (CPR) have uncovered a campaign by Chinese threat actors, referred to as SmugX, that targets government entities in Europe, with a focus on foreign and domestic policy organisations.

The campaign has been active since at least December 2022 and, the CPR researchers note, is part of a larger trend in the Chinese ecosystem of shifting focus to European entities.

The SmugX campaign employs an advanced technique called HTML Smuggling to target government entities primarily located in Eastern Europe. This operation is likely a direct continuation of a previously reported campaign attributed to RedDelta and, to some extent, Mustang Panda.

SmugX infection chain. | Source: Check Point Research

Through HTML Smuggling, hackers deploy a fresh variant of PlugX, a well-known implant associated with various Chinese threat actors. Although the payload itself remains similar to previous PlugX versions, the adoption of novel delivery methods has resulted in low detection rates, allowing the campaign to operate under the radar until recently.

The lure themes used in the campaign focus heavily on European domestic and foreign policies, with documents containing diplomatic-related content. Some of the documents were directly related to China, indicating a clear targeting strategy. The names of the archived files also suggest that diplomats and government entities were the intended victims.

Examples of lures uploaded to VirusTotal include:

  • A letter originating from the Serbian embassy in Budapest.
  • A document outlining the priorities of the Swedish Presidency of the Council of the European Union.
  • An invitation to a diplomatic conference issued by Hungary’s Ministry of Foreign Affairs.
  • An article highlighting the sentencing of two Chinese spies in Poland.

The campaign consists of two main infection chains, both originating from an HTML file. One chain smuggles a ZIP archive containing a malicious LNK file that runs PowerShell, while the other chain uses JavaScript to download an MSI file from a remote server. The payloads dropped by these chains include hijacked legitimate executables, loader DLLs, and the PlugX malware itself.

PlugX malware explained

PlugX malware, a remote access tool (RAT) used by Chinese threat actors since 2008, allows attackers to carry out various malicious activities, such as file theft, screen captures, keystroke logging, and command execution.

To maintain persistence, the PlugX payload duplicates a legitimate program and its associated DLL, storing them in a hidden directory created by the malware. The encrypted payload is kept in a separate concealed folder. By adding the legitimate program to the Run registry key, the malware ensures it runs every time the system starts up.

The researchers note that in some instances within the campaign, certain PlugX payloads generate a deceptive lure in the form of a PDF file, which is written to the %temp% directory and subsequently opened. The document path is stored within the PlugX configuration under the field named document_name. However, it is important to note that the majority of samples in this campaign did not include the document_name field.

Source: Check Point Research

After the initial execution, which establishes persistence and copies the malware files to the designated directories, the malware executes itself once more. This time, it includes a parameter instructing it to exclusively communicate with the Command and Control server.

Notably, in this campaign, there has been an increased use of the RC4 encryption method compared to the simpler XOR decryption method observed in previous samples. The encrypted configuration remains in the data section, but the key is now added at the beginning of the configuration instead of being within the decryption function as in earlier samples.
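For analysts triaging a sample, the key-at-the-front layout described above can be handled as in this added example, which is not code from Check Point or from the malware. The key length is not stated in the article, so the sketch estimates it; the printable-text heuristic, the sample key and the sample field layout are all assumptions made for the demonstration.

```python
# Added example (not Check Point's or the malware's code). Per the article, the
# RC4 key sits at the start of the encrypted configuration. The key length is
# not given there, so it is treated as an unknown and estimated.

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_prefixed_config(blob: bytes, key_len: int) -> bytes:
    """Treat the first key_len bytes as the key and decrypt the remainder."""
    if key_len <= 0 or len(blob) <= key_len:
        raise ValueError("blob is too short for the assumed key length")
    return rc4(blob[:key_len], blob[key_len:])

def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII (assumes a mostly-text config)."""
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)

def guess_key_len(blob: bytes, candidates=range(1, 33)) -> int:
    """Pick the candidate key length whose decryption looks most like text."""
    usable = [n for n in candidates if n < len(blob)]
    return max(usable, key=lambda n: printable_ratio(decrypt_prefixed_config(blob, n)))

# Constructed sample: the key, field layout and values are invented for this demo.
SAMPLE_KEY = b"demoKEY1"
SAMPLE_PLAIN = b"c2=c2.example.invalid:443;document_name=placeholder.pdf"
SAMPLE_BLOB = SAMPLE_KEY + rc4(SAMPLE_KEY, SAMPLE_PLAIN)

if __name__ == "__main__":
    n = guess_key_len(SAMPLE_BLOB)
    print(n, decrypt_prefixed_config(SAMPLE_BLOB, n))
```

Because the key travels with the blob, a configuration carved from the data section can be decrypted without reversing the decryption function, which was where earlier samples kept the key.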

While this campaign shares similarities with activity attributed to RedDelta and Mustang Panda, there is insufficient evidence to directly link it to the Camaro Dragon group. However, infrastructure indicators and deployment paths align with those previously associated with RedDelta and Mustang Panda, suggesting a connection.

China imposes one of the toughest surveillance systems in the world and has a reputation for cyber-attacking other countries.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
