Undiplomatic Chinese threat actor attacks embassies and foreign affairs departments

Sneaky HTML smuggling signals MustangPanda shift towards Europe, Checkpoint charges

Infosec outfit Checkpoint says it's spotted a Chinese actor targeting diplomatic facilities around Europe.

Checkpoint has dubbed the campaign "SmugX" thanks to its use of HTML smuggling to deploy the PlugX remote access trojan.

James Webb Space Telescope

Oh no, that James Webb Space Telescope snap might actually contain malware


HTML smuggling is a method of attack that places malicious artefacts in a web page, so that they download when a human visits the site. It can be an effective attack because defenses don't focus on finding threats in traffic to browsers.

In this attack, infected sites deliver either a JavaScript or a ZIP file that contains a payload.

Checkpoint spotted downloads including:

  • A letter originating from the Serbian embassy in Budapest;
  • A document stating the priorities of the Swedish Presidency of the Council of the European Union;
  • An invitation to a diplomatic conference issued by Hungary's Ministry of Foreign Affairs;
  • An article about two Chinese human rights lawyers sentenced to more than a decade in prison.

Those documents were not what they seemed: clicking on the files set in train a process that installed the PlugX malware a victim machine, meaning attackers can gain access to that box. PlugX phones home using RC4 encryption to mask its output.

Checkpoint asserts that the lure documents listed above, and some tradecraft, suggest the aim of the attack is to find juicy info from inside embassies and departments of foreign affairs. The firm has seen the attack deployed in Ukraine, Czech Republic, Hungary, Slovakia, and the UK, with sideswipes on France and Sweden.

The campaign bears similarities to others conducted by China-linked APT groups RedDelta and Mustang Panda. Checkpoint recently linked the latter gang's activities to another China-adjacent campaign targeting European interests.

"SmugX is part of a larger trend we're seeing of Chinese threat actors shifting their focus to Europe," according to Checkpoint.

"While none of the techniques observed in this campaign is new or unique, the combination of the different tactics, and the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar for quite a while," the researchers wrote. Thankfully the PlugX payload has not change markedly, meaning detection and defense measures are known quantities. ®

More about


Send us news

Other stories you might like