
Chinese Threat Actors Target European Ministries And Embassies With HTML Smuggling In SmugX Campaign
Tags: SmugX, PlugX, Mustang Panda, Red Delta, HTML Smuggling
SmugX-related attacks have been observed since December 2022. The actors behind the campaign deliver their payload with HTML smuggling, a technique in which the malicious file is carried inside an HTML attachment and reassembled by the victim's browser, so no executable crosses the mail gateway in a form that conventional attachment scanning recognises. The payload is a variant of PlugX, a remote access trojan long shared among Chinese state-aligned threat actors. Researchers monitoring the campaign have identified overlaps with a previously reported campaign attributed to RedDelta and Mustang Panda.
Indicators of Compromise
Source: SOCRadar; all entries added 2023-07-11. One indicator per line, as published. Vet entries before blocking: several are not fully qualified domain names, or look like extraction artefacts or shared services rather than attacker-controlled infrastructure (for example worm.win32.pysis.sm, datetime.datetime.now, system.save, docs.azure, secure.azure, protection.cloud, quickconnect.io), and blocking them wholesale may break legitimate traffic.
mod.mmgpms.com
segtic.com
waxmm.com
jsj1.linuxupdate.info
kvnit-prod.api.kochova.com
pingless.com
update.hilifimyanmar.com
qpodn31.isdmfu1.xyz
ftp.electrobist.com
mm.portomnail.com
mirros.microsoftcontents.com
qq.xxe.pw
api.microsoftlab.xyz
x.xxe.pw
api.wensente.xyz
d802f446.org
portomnail.com
cxitsolution.com
mail.biateknos.com
polygons-stakes.site
vividworld.net
www.jcswcd.com
static.adobe-cdn.org
update.microupdate.xyz
worm.win32.pysis.sm
exchange.portomnail.com
archivess.imangoim.net
9f78281a.org
down-flash.com
lllllllllll.loseyourip.com
down1.linuxupdate.info
dataanalyticsclub.com
dns.xxe.pw
quic.flashesplayer.com
down2.linuxupdate.info
dl-flash.tk
liveweatherupdate.online
www.zlove.cc
openmd5.com
91ac64d2.net
static.tcplog.com
halldie.fit
microsoftcontents.com
protection.cloud
api.imango.ink
js.down-flash.com
download.hilifimyanmar.com
box.xxe.pw
q.xxe.pw
joyceyong.art
time.ntp-server.asia
officecdn-microsoft-com.akamaixed.net
a.linuxupdate.info
down.xxe.pw
www.linuxupdate.info
sportsgross.com
cdn.imango.ink
exchange.openmd5.com
cerradoforte.com
linux.updatelive-oline.com
9f78281a.net
center.veryssl.org
jcswcd.com
q2.xxe.pw
adobe-cdn.org
fonts.google-au.ga
www.microsoftcontents.com
peek.openssl-digicert.xyz
fraudlabpros.at
back.rooter.tk
9f78281a.com
ns1.thorcom.net
help.tcplog.com
update.microsoftlab.top
clubfiveforpeace.co
music.nb-fk.com
help.down-flash.com
datetime.datetime.now
quickconnect.io
bahisaltv79.com
www.5xge.com
luyensex.club
48b2137f.com
sempersim.su
mail.jackbarber.com
linux.down-flash.com
perwish.email
abre.com.my
mayibeofservice.com
www.mmimchat.com
bankssy.com
travel.dianatokaji.com
mirros3.linuxupdate.info
diary.lojjh.com
system.save
kunpengs.xyz
docs.azure
tcplog.com
ns1.xxe.pw
codeforge.pro
dach-loc.com
pricelulu.co.uk
quangdecalshop.com
pastor.cntcog.org
mawuqiis.xyz
mail.divinecellcare.lk
91ac64d2.org
xxe.linuxupdate.info
q4.xxe.pw
subscribe.3gbling.com
apps.imangolm.com
www.myanmarnewsonline.org
n2.xxe.pw
xxe.pw
jqueryllc.net
48b2137f.net
d802f446.net
update.ajaxrenew.com
b23q.xyz
d802f446.com
echoesdesing.com
images.myanmarnewsonline.org
whneat.com
mini.ptipexcel.com
mail.xxe.pw
5avis.com
91ac64d2.com
48b2137f.org
blackcreekbarns.com
yoursafepayments.com
dash.tcplog.com
akamaixed.net
microsoftfile.com
themomerator.com
secure.azure
txt.mm-film.com
lutanedukasi.co.id
linuxupdate.info
googleanalyticstag.com
cdn.google-au.ga
coating.drrooter.com
nb-fk.com
xinhewood-cn.com
proxy.xxe.pw
chrome.down-flash.com
ns2.xxe.pw
gareloi-digit.com
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATIONS
We recommend the following remediation steps to affected organizations to reduce the risk from HTML smuggling.
Ensure Safe Links and Safe Attachments (Microsoft Defender for Office 365) are enabled to provide real-time protection against HTML smuggling and other email threats. In particular, inspect attachments for the following traits of malware-smuggling HTML:
– An attached ZIP file contains JavaScript
– An attachment is password-protected
– An HTML file contains suspicious script code (for example, script that builds a Blob in memory and triggers a download)
– An HTML file decodes Base64 content or contains obfuscated JavaScript
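The script-level traits in the last two bullets can be checked statically before an HTML attachment reaches a user. The following PowerShell is an added example written for this page, not SOCRadar's or Microsoft's tooling: it triages one HTML file for large Base64 literals, the browser APIs used to rebuild and drop a file, and common obfuscation markers. The regex patterns, the 2048-character Base64 threshold and the scoring rule are assumptions to tune locally; the sample page at the end is constructed, with the payload replaced by filler characters. Password-protected archives and ZIP-with-JavaScript attachments (the first two bullets) are better checked at the mail gateway and are not covered here.

```powershell
# Added example for this page (not SOCRadar's or Microsoft's code): static triage of an
# HTML attachment for smuggling traits. Patterns and thresholds are assumptions.
function Test-HtmlSmuggling {
    param(
        [Parameter(Mandatory)] [string] $Html,
        [int] $MinBlobLength = 2048     # assumed: a smuggled file is at least a few KB of Base64
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Long Base64 runs: the smuggled file is normally carried as one large literal.
    $blobs = [regex]::Matches($Html, "[A-Za-z0-9+/]{$MinBlobLength,}={0,2}")
    if ($blobs.Count -gt 0) {
        $longest = ($blobs | Sort-Object -Property Length -Descending | Select-Object -First 1).Length
        $findings.Add("Base64 literal(s): $($blobs.Count), longest $longest chars")
        # Base64 of a ZIP starts with 'UEsDB' (PK\x03\x04); Base64 of a PE starts with 'TVqQ' (MZ\x90).
        foreach ($magic in 'UEsDB', 'TVqQ') {
            if ($blobs | Where-Object { $_.Value.StartsWith($magic) }) {
                $findings.Add("Base64 literal begins with $magic (ZIP/PE header)")
            }
        }
    }

    # 2. Browser APIs used to rebuild the file client-side and hand it to the download manager.
    $dropApis = 'atob\(', 'new\s+Blob\(', 'URL\.createObjectURL\(', 'msSaveOrOpenBlob',
                '\.download\s*=', 'data:application/octet-stream'
    foreach ($p in $dropApis) { if ($Html -match $p) { $findings.Add("file-drop API: $p") } }

    # 3. Obfuscation markers commonly used to hide the above from signature scanners.
    $obfuscation = 'eval\(', 'String\.fromCharCode\(', 'unescape\(', 'split\(["'']["'']\)\.reverse\(\)'
    foreach ($p in $obfuscation) { if ($Html -match $p) { $findings.Add("obfuscation: $p") } }

    [pscustomobject]@{
        Suspicious = ($findings.Count -ge 3)   # assumed rule: a literal plus two API/obfuscation hits
        Findings   = $findings.ToArray()
    }
}

# Constructed sample lure (not a real SmugX artefact): payload replaced by 3000 filler characters.
$sample = @"
<html><body><script>
var raw = atob("$('A' * 3000)==");
var bytes = new Uint8Array(raw.length);
for (var i = 0; i < raw.length; i++) { bytes[i] = raw.charCodeAt(i); }
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "Document.zip"; a.click();
</script></body></html>
"@
Test-HtmlSmuggling -Html $sample

# Usage against a quarantine folder (path is an assumption):
# Get-ChildItem C:\Quarantine\*.html | ForEach-Object {
#     $r = Test-HtmlSmuggling -Html (Get-Content $_.FullName -Raw)
#     [pscustomobject]@{ File = $_.Name; Suspicious = $r.Suspicious; Findings = ($r.Findings -join '; ') }
# }
```

The check is deliberately pattern-based so it runs without a browser or sandbox; a lure that assembles its payload from many short fragments or from a non-Base64 encoding will need the patterns extended, which is why the threshold and the scoring rule are parameters rather than fixed behaviour.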
Ensure attack surface reduction rules block or audit activity associated with HTML smuggling.
The following rules can help:
– Block JavaScript or VBScript from launching downloaded executable content
– Block execution of potentially obfuscated scripts
– Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Prevent dropped script files from executing automatically by changing the file associations for .js and .jse so that they open in a text editor instead of Windows Script Host. Note that this does not stop the HTML smuggling itself, which runs inside the browser's script engine; it only stops a smuggled .js or .jse payload from executing when the user opens it. Where business processes depend on locally executed script files, this is not a practical control.
Check Office 365 email filtering settings to ensure they block spoofed emails, spam, and emails carrying malware. Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Safe Links time-of-click verification so that URLs are rechecked when clicked, and zero-hour auto purge (ZAP) so that messages already delivered are neutralized when new threat intelligence arrives.
Check the perimeter firewall and proxy to restrict servers from making arbitrary outbound connections to browse or download files. Such restrictions inhibit payload downloads and command-and-control (C2) traffic. Apply the same restriction to workstations where business needs allow, since HTML smuggling targets the end user's browser rather than a server.
Turn on network protection to block connections to malicious domains and IP addresses.
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
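The three ASR rules listed above, together with network protection and cloud-delivered protection from the two items just before this one, can all be set and verified through the Defender PowerShell cmdlets. The block below is an added example for this page rather than Microsoft's or SOCRadar's own script. The three rule GUIDs are Microsoft's published identifiers for these rules; the script assumes an elevated session on a Windows host whose Defender settings are not managed by Intune or Group Policy, because a managed policy takes precedence over local Add-MpPreference and Set-MpPreference changes.

```powershell
# Added example for this page (not Microsoft's or SOCRadar's code): apply the Defender
# controls named in the guidance and verify them. Run elevated.
$asrRules = @{
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion'
}

# Roll out in AuditMode first so legitimate scripts that would be blocked show up in the
# event log; switch to Enabled once the exceptions are understood.
$mode = 'AuditMode'
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
}

# Network protection blocks connections to known-bad domains and IPs; MAPS (cloud-delivered
# protection) plus sample submission covers new and unknown payload variants.
Set-MpPreference -EnableNetworkProtection Enabled
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples

# Verify. Get-MpPreference reports ASR actions numerically: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
$pref = Get-MpPreference
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i]
    if ($asrRules.ContainsKey($id)) {
        '{0}  {1,-9}  {2}' -f $id, $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]], $asrRules[$id]
    }
}
'NetworkProtection={0}  MAPSReporting={1}  SubmitSamplesConsent={2}' -f `
    $pref.EnableNetworkProtection, $pref.MAPSReporting, $pref.SubmitSamplesConsent

# Review what the rules blocked (event 1121) or would have blocked in audit mode (event 1122)
# over the last seven days before flipping $mode to Enabled.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Keep the audit window long enough to cover a normal business cycle (month-end scripts, scheduled maintenance) before enforcing; the obfuscated-script rule in particular is prone to firing on legitimate minified or packed administrative scripts.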
Educate users about how malware infections begin, including unexpected HTML or archive attachments and web pages that immediately offer a file download. Encourage good credential hygiene: limit the use of accounts with local or domain administrator privileges, and turn on Microsoft Defender Firewall to prevent malware infection and stifle propagation.
Observed Countries (7)
CZ (914)
FR (660)
GB (450)
HU (144)
SE (101)
SK (576)
UA (766)