Chinese Threat Actors Target European Ministries and Embassies with HTML Smuggling in Smugx Campaign
The re-emergence of HTML smuggling can be linked to the global increase in remote work due to the pandemic lockdown. Attackers are utilizing this technique to bypass network inspection and analysis tools, delivering payloads directly to the endpoint. Traditional security solutions have difficulty detecting these payloads since they are built directly on the browser.
According to SOCRadar’s Analysts, a campaign has recently emerged and likely an extension of a prior campaign conducted by the RedDelta and Mustang Panda threat groups.
Targeted Sectors and Countries
The observed sectors targeted by the campaign include national security, international affairs, and public administration. The countries affected are the Czech Republic, Hungary, Slovakia, United Kingdom, Ukraine, France, and Sweden.
SmugX-related attacks have been observed since December 2022. The threat actors behind the campaign are using innovative distribution methods to propagate a variant of PlugX, a widely used implant associated with various Chinese threat actors. The campaign has been ongoing from 2021 and continues up to the present (2023).
The campaign has been attributed to the RedDelta and Mustang Panda threat groups based on identified links to a previously reported campaign.
The majority of the compromised documents contained diplomatic-related content originating from the Serbian embassy in Budapest, the Swedish Presidency, or Hungary’s Ministry of Foreign Affairs. Some of the content was directly related to China, indicating a specific focus in this regard.
Stay current on Threat Actor’s latest TTPs and campaigns with SOCRadar’s Cyber Threat Intelligence
These notes provide a concise overview of the SmugX campaign, including valuable insights into the campaign, threat actors behind it and their tactics, techniques and tools. While the information presented here serves as a solid introduction, for a deeper understanding and specific strategies, it is highly recommended to visit the campaign page on SOCRadar. By accessing this page, you will gain access to the most up-to-date and detailed information about the campaign, as well as invaluable insights into the active threat actors operating in the wild. Stay informed and empowered by delving into the latest updates and measures outlined on the SOCRadar campaign page.