Check Point Research exposes a sophisticated targeted campaign executed by a Chinese threat actor, specifically focused on foreign and domestic policy entities, as well as embassies in Europe.
This campaign, code-named SmugX, reveals a significant shift in the Chinese ecosystem’s targeting strategy, with a particular emphasis on European entities and their foreign policies.
Utilizing a technique called HTML Smuggling, the attackers hide malicious payloads within HTML documents to infiltrate their targets.
CPR’s analysis of this campaign suggests that the primary objective is to acquire sensitive information concerning the foreign policies of European countries, with a notable focus on Eastern European nations such as the Czech Republic, Slovakia, and Hungary.
The SmugX campaign, which has been active since at least December 2022, appears to be a continuation of previous activity attributed to Chinese APT actors RedDelta and Mustang Panda.
How the attacks work
The attackers have adopted new delivery methods, including HTML Smuggling, to deploy a variant of PlugX, a well-known implant associated with various Chinese threat actors.
By utilizing these new delivery methods, the campaign has kept detection rates low, allowing it to operate stealthily.
This highly targeted campaign focuses on European governmental entities, primarily in Eastern and Central Europe. The lure themes observed by CPR’s researchers revolve around the domestic and foreign policies of European countries, and the documents used in the campaign contain diplomatic-related content.
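As an added illustration of the HTML Smuggling delivery method described above (this is not code from Check Point’s report), a small Python heuristic that flags HTML files combining browser-side base64 decoding, Blob construction and a forced download. The two sample pages, the indicator names and the scoring threshold are my own constructed assumptions; the embedded "payload" is inert filler.

```python
import re

# Indicators commonly seen in HTML Smuggling pages: the payload is carried as
# a base64 literal, decoded in the browser, wrapped in a Blob and handed to a
# download link. None of these alone is malicious; the combination is scored.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_object": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bURL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "legacy_save": re.compile(r"\bmsSaveOrOpenBlob\b"),
    "archive_name": re.compile(r"[\"'][^\"']+\.(zip|rar|iso|img)[\"']", re.I),
}
# Long unbroken base64 runs suggest an embedded binary rather than page text.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

def score_html(html: str) -> dict:
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    largest = max((len(m.group(0)) for m in LONG_B64.finditer(html)), default=0)
    if largest:
        hits.append("long_base64_literal")
    # decode + Blob + download/save is the core smuggling chain; weight it extra
    chain = {"base64_decode", "blob_object"} <= set(hits) and (
        "download_attr" in hits or "legacy_save" in hits)
    score = len(hits) + (3 if chain else 0)
    return {"hits": sorted(hits), "largest_b64": largest, "score": score,
            "verdict": "suspicious" if score >= 5 else "benign"}

# Constructed sample: the classic smuggling chain with an inert filler payload.
SUSPICIOUS = """<html><body><script>
var b64 = "PAYLOAD";
var blob = new Blob([atob(b64)], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "Draft.zip";
</script></body></html>""".replace("PAYLOAD", "A" * 256)

# Constructed benign page: a long base64 run alone (an inline image) is not enough.
BENIGN = """<html><body><img src="data:image/png;base64,%s" alt="logo">
<a href="/report.pdf">Download report</a></body></html>""" % ("B" * 256)

if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, score_html(page))
```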
Some of these documents directly address China and human rights issues in the country.
The filenames of the archived files used to lure victims strongly suggest that diplomats and public servants within the targeted government entities were the intended victims. Examples of these filenames include:
This research by CPR sheds light on the Chinese APT’s compelling shift towards persistent targeting of European government entities.
The SmugX campaign is indicative of a broader trend where Chinese threat actors are increasingly focusing on European targets, especially within the governmental sector.
Specifically, Check Point Threat Emulation provides protection against APT.Wins.MustangPanda.AP, while Harmony Endpoint safeguards against APT.Win.PlugX.O, APT.Win.PlugX.Q, and APT.Win.PlugX.R.