Image source: Pixabay

A recent campaign has been discovered to target diplomats in the EU. The attack involves the deploying of a malware known as PlugX is said to be targeting diplomatic establishments in Europe.

The attack which has recently discovered is said to be originating from China. 

According to Check Point Research (CPR), it is noted that the campaign has been on the lookout for since the past two months. Discovery made, detects that the campaign has been targeting foreign affair ministries and embassies in several European countries.

The report by CPR on July-03-2023 stated:

“This specific campaign has been active since at least December 2022, and is likely a direct continuation of a previously reported campaign attributed to RedDelta and also to Mustang Panda to an extent.”

It is discovered that the campaign utilized new delivery strategies notably HTML smuggling, in deploying a new variant of PlugX a RAT (Remote Access Tool) originating from China.

 CPR furthermore clarified:

“Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar.”

HTML smuggling which isn’t a new threat method, however it involves the embedding of malicious files into HTML documents. This makes it easier for the bypassing network-based detection methods. It should be noted that Microsoft in its fight against threat actors has shutdown numerous means of sneaking malware into systems. Example of such steps is blocking macros by default in word documents.

HTML smuggling uses HTML5 attributes that are able to function offline. It stores the binary in an immutable payload of data within the JavaScript code. Upon launching via a web browser, the payload is then decoded into a file.


The campaign by SmugX which targets diplomatic persons and organizations, in various jurisdictions such as Slovakia, United Kingdom, Sweden, Ukraine, Czech, Hungary etc. uses a bait of diplomatic documents containing diplomatic related information’s.

The HTML smuggling then facilitates the downloading of Zip file or JavaScript unto the compromised device.  The Zip file usually contains a malicious LNK file, that executes PowerShell. If a JavaScript file is used, it downloads and executes MSI file from the attacker’s server.

In the past, it is known that PlugX malware employs DLL sideloading techniques, which executes legitimate programs, which then loads the malicious DLL after the Ink or MSI file drops the necessary files.  The DLL in turn decrypts the final payload which is the PlugX malware, which can be used to carry out a series of malicious activities on affected systems which includes keystroke logging, exfiltration, command execution, and screen grabbing.

The attacker in other to retain its persistence, a hijacked legitimate executable is downloaded during the infection stage. The PlugX payload then copies the legitimate program and the DLL, and then stores it in a hidden directory.  The persistence is achieved, by adding the legitimate program to the Run registry key.

 In summary, although PlugX still remains largely unchanged, from previous known existence, it has adopted one new form which is observed to be the RC4 encryption of the payload, which is totally different from the previously utilized XOR encryption.




Put your comments below in the comment section on your thoughts about this.

Find this article and information helpful? Show some love and support  “Click-Here”
5 1 vote
Article Rating
Notify of
Inline Feedbacks
View all comments