Smugx targeted countries

SmugX: Chinese Hackers on the Hunt for European Secrets

SmugX – Chinese threat actors have been increasingly focused on targeting European governments, embassies, and foreign policy-making entities, particularly in Eastern European countries like Slovakia, the Czech Republic, and Hungary, says Check Point.

This campaign, known as SmugX, has been active since December 2022 and is believed to be an extension of previous campaigns associated with Chinese groups “Mustang Panda and RedDelta”.

SmugX targeted countries (Source: Check Point)

Objectives and Lure Samples

CPR researchers have identified that the primary objective of the SmugX campaign is to gather sensitive data on the foreign policies of targeted countries.

Lure samples posted on the malware repository on VirusTotal suggest that diplomats and government entities were the intended targets. The filenames of the lure samples hinted at the content related to China and the diplomatic affairs of the targeted countries.

names of the archived files (Source: Check Point)

HTML Smuggling and Modus Operandi

The SmugX campaign employs HTML smuggling as its attack method, hiding the modular PlugX malware implant within HTML documents.

This technique allows attackers to evade web security systems and bypass antivirus mechanisms.

Multiple Chinese threat actors have previously used the PlugX malware, targeting entities such as the Vatican, the Indonesian Intelligence Service, and users in various countries.

Attack Chains and Techniques

The SmugX campaign utilizes two infection chains that leverage HTML smuggling.

One variant involves a ZIP archive containing a malicious LNK file that executes PowerShell to extract and save files associated with the PlugX RAT.

The second variant uses HTML smuggling to download a JavaScript file that fetches an MSI file from the command and control server, ultimately leading to the execution of PlugX via DLL sideloading.


PlugX is a well-known remote access trojan (RAT) frequently utilized by Chinese APT groups.

It enables various malicious activities such as file exfiltration, keylogging, and command execution.

In the SmugX campaign, PlugX employs DLL sideloading and hides its presence by creating hidden directories, ensuring persistence through the modification of the ‘Run’ registry key.

Identified Documents

During the investigation, researchers obtained several documents used as lures, including a letter from the Serbian embassy in Budapest, a document revealing the priorities of the Swedish Presidency of the Council of the European Union, and an invitation from the Hungarian foreign ministry for a diplomatic conference.

Sample lure document (Source: Check Point)

Additionally, an article about two Chinese human rights lawyers was discovered.

These documents and their content clearly align with the targeted profile and espionage objectives of the SmugX campaign.

Ongoing investigation and monitoring by CPR researchers will provide further insights into the activities and techniques employed by the SmugX campaign.

For more news and updates on Cybersecurity, visit The Cybersecurity Club.

Post navigation

Leave a Reply

Your email address will not be published. Required fields are marked *

Cybercriminals Train AI Chatbots: Unveiling the FraudGPT And DarkBERT Menace

France Passes Bill Allowing Remote Phone Surveillance, Raising Privacy Concerns

CISA Issues Warning: Critical Vulnerabilities in Ivanti’s Endpoint Manager Mobile

Intellexa and Cytrox Spyware Vendors Cracks Down by U.S. Government