A Chinese threat actor has been targeting Foreign Affairs ministries and embassies in Europe since at least December 2022 using a variant of the PlugX implant, a new report from Check Point Research says.
Dubbed “SmugX,” the campaign leverages a technique called HTML Smuggling, in which attackers hide malicious payloads inside HTML documents. Check Point says this campaign overlaps with previous attacks by Chinese state-sponsored groups RedDelta and Mustang Panda.
“Although those two correlate to some extent with Camaro Dragon, there is insufficient evidence to link the SmugX campaign to the Camaro Dragon group,” the researchers noted in a report.
The majority of the phishing lures used in the SmugX attacks contained diplomatic-related content. In more than one case, the content was directly related to China.
The researchers have observed two infection chains, “both of which originate from an HTML file that saves the second stage to the Download folder according to the victim’s browser settings. The second stage can vary, with one chain using a ZIP file that contains a malicious LNK file, and the other chain utilizing JavaScript to download an MSI file from a remote server.”
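Both chains start from an HTML file that writes the next stage to the Downloads folder, which is what HTML Smuggling looks like from the defender's side: the browser never fetches the payload over the network, it assembles it from a blob embedded in the page. The following triage script is an added example and is not code from Check Point or from the report; it scans an HTML file for the browser APIs that smuggling pages chain together (`atob`, `Blob`, `URL.createObjectURL`/`msSaveOrOpenBlob`, a `download` attribute and a programmatic click) and base64-decodes any long text run to see whether it carries a ZIP, PE or OLE/MSI header. The sample pages and the fake ZIP bytes are constructed for the demonstration; the indicator list is a heuristic, so treat hits as a reason to detonate the file in a sandbox, not as a verdict.

```python
import base64
import binascii
import re

# Browser-API patterns an HTML Smuggling page typically chains together.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_constructor": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)"),
}

# A long uninterrupted base64 run is the smuggled stage itself (heuristic length).
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")

# Container magic bytes worth flagging once a run decodes cleanly.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"\xd0\xcf\x11\xe0": "ole/msi"}


def decoded_blob_types(html: str) -> list:
    """Return the container types found at the start of each decodable base64 run."""
    found = []
    for match in BASE64_RUN.finditer(html):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (ValueError, binascii.Error):
            continue  # not real base64 (e.g. a minified identifier run)
        for magic, name in MAGIC.items():
            if raw.startswith(magic):
                found.append(name)
    return found


def analyze_html(html: str) -> dict:
    """Score one HTML document for HTML Smuggling indicators."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(html))
    types = decoded_blob_types(html)
    # Core pattern: decode in JS, wrap in a Blob, hand it to the download machinery.
    core = {"base64_decode", "blob_constructor"} <= set(hits) and bool(
        {"object_url", "ms_save_blob"} & set(hits)
    )
    return {
        "indicators": hits,
        "embedded_types": types,
        "suspicious": core or bool(types),
    }


# --- constructed samples (not taken from any real campaign file) ---
FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 300  # stand-in with a ZIP local-header magic
SMUGGLING_SAMPLE = (
    '<html><body><script>var d="' + base64.b64encode(FAKE_ZIP).decode() + '";'
    "var bin=atob(d);var f=new Blob([bin]);var a=document.createElement('a');"
    "a.href=URL.createObjectURL(f);a.download='invite.zip';a.click();"
    "</script></body></html>"
)
BENIGN_SAMPLE = (
    '<html><body><a href="/files/report.pdf" download="report.pdf">'
    "Download the report</a></body></html>"
)

if __name__ == "__main__":
    for label, page in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze_html(page))
```

Run it over a quarantined `.html` attachment by reading the file into `analyze_html`; a hit on the core API chain plus a decoded ZIP or MSI header is exactly the combination the two SmugX chains produce on the victim's disk.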
“Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar,” Check Point said.
“While none of the techniques observed in this campaign is new or unique, the combination of the different tactics, and the variety of infection chains resulting in low detection rates, enabled the threat actors to stay under the radar for quite a while. As for PlugX, it also remained largely unchanged from previous appearances, although one new aspect observed is the adoption of RC4 encryption of the payload, which is a departure from the previously utilized XOR encryption,” the Israeli firm concluded.
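The switch from XOR to RC4 matters to analysts because a single-byte XOR layer is recoverable from the ciphertext alone: the expected first bytes of the decrypted stage (for example the `MZ` header of a PE file) give the key directly, so signatures and unpacking scripts could strip it without knowing anything else. RC4 is a keyed stream cipher, so the same known-plaintext trick only reveals keystream bytes at those positions, not the rest of the payload. The script below is an added illustration, not code from the report or from Check Point; the RC4 implementation is the textbook KSA/PRGA, and the payload bytes and keys are constructed for the demonstration.

```python
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key-scheduling then XOR the PRGA keystream over data.
    Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_decode(key: int, data: bytes) -> bytes:
    """Single-byte XOR layer of the kind older PlugX loaders used."""
    return bytes(b ^ key for b in data)


def recover_single_byte_xor_key(blob: bytes, known_prefix: bytes = b"MZ\x90\x00") -> Optional[int]:
    """Known-plaintext attack on single-byte XOR: the first ciphertext byte and the
    expected first plaintext byte give the key; the rest of the prefix confirms it."""
    if len(blob) < len(known_prefix):
        return None
    key = blob[0] ^ known_prefix[0]
    if all((c ^ key) == p for c, p in zip(blob, known_prefix)):
        return key
    return None


# --- constructed sample: a fake PE-looking stage, not a real payload ---
PLAINTEXT = b"MZ\x90\x00" + b"constructed payload bytes 0123456789"
XOR_KEY = 0x37
RC4_KEY = b"constructed-rc4-key"


def demo() -> dict:
    """Compare what an analyst recovers from each encryption layer."""
    xor_blob = xor_decode(XOR_KEY, PLAINTEXT)
    rc4_blob = rc4(RC4_KEY, PLAINTEXT)
    guessed = recover_single_byte_xor_key(xor_blob)
    xor_recovered = guessed is not None and xor_decode(guessed, xor_blob) == PLAINTEXT
    # For RC4 the same guess at best matches a few bytes; the full stage is not recovered.
    rc4_guess = recover_single_byte_xor_key(rc4_blob)
    rc4_recovered = rc4_guess is not None and xor_decode(rc4_guess, rc4_blob) == PLAINTEXT
    return {
        "xor_key_guess": guessed,
        "xor_payload_recovered": xor_recovered,
        "rc4_payload_recovered": rc4_recovered,
        "rc4_round_trip_ok": rc4(RC4_KEY, rc4_blob) == PLAINTEXT,
    }


if __name__ == "__main__":
    print(demo())
```

In practice the RC4 key still has to live somewhere the loader can reach it (a config blob, a hard-coded string, or a value derived at runtime), so the defensive takeaway is to hunt for the key material and the decryption routine rather than for the payload's static bytes.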