SmugX: Targeting European Governmental Entities: Check Point Research

In the last couple of months, Check Point Research (CPR) has been tracking the activity of a Chinese threat actor targeting foreign and domestic policy entities as well as embassies in Europe. Combined with other Chinese based group’s activity previously reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift in target towards European entities, with a focus on their foreign policy. In this campaign, apart from the UK, most of the targeted countries are Eastern Europe countries like Czech Republic, Slovakia and Hungary, and as per our assessment, the goal of the campaign is to get ahold of sensitive information on the foreign policies of those countries.

The activity described in this report, utilizes HTML Smuggling to target foreign policy entities in Europe, focusing on Eastern Europe. HTML Smuggling is a technique in which attackers hide malicious payloads inside HTML documents.

This specific campaign has been active since at least December 2022, and is likely a direct continuation of a previously reported campaign attributed to RedDelta (and to the Mustang Panda group to some extent).

The campaign uses new delivery methods to deploy (most notably – HTML Smuggling) a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors. Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates and ‘successful’ evasions, which until recently helped the campaign fly under the radar.

The way HTML Smuggling is utilized in the SmugX email campaign results in the download of either a JavaScript or a ZIP file. This leads to a long infection chain which results in PlugX infection of the victim.