{
	"id": "10f631cc-b28c-4895-872f-7607a53a560a",
	"created_at": "2026-04-06T00:16:13.913051Z",
	"updated_at": "2026-04-10T13:12:14.20933Z",
	"deleted_at": null,
	"sha1_hash": "5ba7915bc3d8a63f078c0b08e92e0d68af5181c4",
	"title": "SmugX: Unveiling a Chinese-Based APT Operation Targeting European Governmental Entities: Check Point Research Exposes a Shifting Trend",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45640,
	"plain_text": "SmugX: Unveiling a Chinese-Based APT Operation Targeting\r\nEuropean Governmental Entities: Check Point Research Exposes a\r\nShifting Trend\r\nBy matthewsu\r\nPublished: 2023-07-03 · Archived: 2026-04-05 17:31:12 UTC\r\nHighlights:\r\nCheck Point Research uncovers a targeted campaign carried out by a Chinese threat actor targeting foreign\r\nand domestic policies- focused government entities in Europe\r\nThe campaign leverages HTML Smuggling, a technique in which attackers hide malicious payloads inside\r\nHTML documents\r\nThe campaign, dubbed SmugX, overlaps with previously reported activity by Chinese APT actors\r\nRedDelta and Mustang Panda\r\nExecutive summary\r\nIn the last couple of months, Check Point Research (CPR) has been tracking the activity of a Chinese threat actor\r\ntargeting foreign and domestic policy entities as well as embassies in Europe. Combined with other Chinese based\r\ngroup’s activity previously reported by Check Point Research, this represents a larger trend within the Chinese\r\necosystem, pointing to a shift in target towards European entities, with a focus on their foreign policy. In this\r\ncampaign, apart from the UK, most of the targeted countries are Eastern Europe countries like Czech Republic,\r\nSlovakia and Hungary, and as per our assessment, the goal of the campaign is to get ahold of sensitive information\r\non the foreign policies of those countries.\r\nThe activity described in this report, utilizes HTML Smuggling to target foreign policy entities in Europe,\r\nfocusing on Eastern Europe. HTML Smuggling is a technique in which attackers hide malicious payloads inside\r\nHTML documents.\r\nThis specific campaign has been active since at least December 2022, and is likely a direct continuation of a\r\npreviously reported campaign attributed to RedDelta (and to the Mustang Panda group to some extent). 
The\r\ncampaign uses new delivery methods (most notably HTML Smuggling) to deploy a new variant of PlugX, an\r\nimplant commonly associated with a wide variety of Chinese threat actors. Although the payload itself remains\r\nsimilar to the one found in older PlugX variants, its delivery methods result in low detection rates and ‘successful’\r\nevasions, which until recently helped the campaign fly under the radar.\r\nThe way HTML Smuggling is utilized in the SmugX email campaign results in the download of either a\r\nJavaScript or a ZIP file. This leads to a long infection chain which results in a PlugX infection of the victim.\r\nLures \u0026 Targets\r\nhttps://blog.checkpoint.com/securing-user-and-access/smugx-unveiling-a-chinese-based-apt-operation-targeting-european-governmental-entities-check-point-research-exposes-a-shifting-trend/\r\nPage 1 of 3\n\nThe lure themes identified by our team are heavily focused on European domestic and foreign policy-focused governmental entities, and were used to target mostly governmental entities in Eastern and Central Europe.\r\nHowever, other Western European countries were also referenced in the lures.\r\nSmugX submissions origins\r\nThe majority of the documents contained diplomatic-related content. 
In more than one case, the content was\r\ndirectly related to China and human rights in China.\r\nIn addition, the names of the archived files themselves strongly suggest that the intended victims were diplomats\r\nand public servants in these government entities.\r\nHere are a few examples of the names we identified:\r\nDraft Prague Process Action Plan_SOM_EN\r\n2262_3_PrepCom_Proposal_next_meeting_26_April\r\nComments FRANCE – EU-CELAC Summit – May 4\r\n202305 Indicative Planning RELEX\r\nChina jails two human rights lawyers for subversion\r\nSmugX - Archived Files\r\nConclusion\r\nIn this research, we analyzed a recent campaign which highlights the Chinese APT’s shift to persistent\r\ntargeting of European government entities. We identified multiple infection chains that employ the HTML\r\nSmuggling technique, which leads to the deployment of the PlugX payload.\r\nThe campaign, dubbed ‘SmugX’, is part of a larger trend we are seeing of Chinese threat actors shifting\r\ntheir focus to European entities, governmental ones in particular.\r\nCPR will continue monitoring the trends and will further report accordingly.\r\nCheck Point Software Customers remain protected against the threat described in\r\nthis research.\r\nCheck Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics, file types, and operating systems and protect against the type of attacks and threats described in this report.\r\nCheck Point Threat Emulation:\r\nAPT.Wins.MustangPanda.AP\r\nHarmony Endpoint\r\nAPT.Win.PlugX.O\r\nAPT.Win.PlugX.Q\r\nAPT.Win.PlugX.R\r\nSource: 
https://blog.checkpoint.com/securing-user-and-access/smugx-unveiling-a-chinese-based-apt-operation-targeting-european-governmental-entities-check-point-research-exposes-a-shifting-trend/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/securing-user-and-access/smugx-unveiling-a-chinese-based-apt-operation-targeting-european-governmental-entities-check-point-research-exposes-a-shifting-trend/"
	],
	"report_names": [
		"smugx-unveiling-a-chinese-based-apt-operation-targeting-european-governmental-entities-check-point-research-exposes-a-shifting-trend"
	],
	"threat_actors": [
		{
			"id": "2ff375ef-7859-4d44-9399-06c9d1d9359c",
			"created_at": "2023-07-11T02:00:10.063244Z",
			"updated_at": "2026-04-10T02:00:03.367017Z",
			"deleted_at": null,
			"main_name": "SmugX",
			"aliases": [],
			"source_name": "MISPGALAXY:SmugX",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa90ad17-8852-4732-9dba-72ffb64db493",
			"created_at": "2023-07-11T02:00:10.067957Z",
			"updated_at": "2026-04-10T02:00:03.367801Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [],
			"source_name": "MISPGALAXY:RedDelta",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434573,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ba7915bc3d8a63f078c0b08e92e0d68af5181c4.pdf",
		"text": "https://archive.orkl.eu/5ba7915bc3d8a63f078c0b08e92e0d68af5181c4.txt",
		"img": "https://archive.orkl.eu/5ba7915bc3d8a63f078c0b08e92e0d68af5181c4.jpg"
	}
}