Hackers target European government entities in SmugX campaign
Security News, July 2023
A phishing campaign that Check Point researchers named SmugX and attributed to a Chinese threat actor has been targeting embassies and foreign affairs ministries in the UK, France, Sweden, Ukraine, Czechia, Hungary and Slovakia since December 2022.
The lures used in SmugX betray the threat actor's target profile and indicate espionage as the campaign's likely objective.
In one variant, the lure is a ZIP archive containing a malicious LNK shortcut. Opening the shortcut runs a PowerShell command that extracts a further archive and saves it into the Windows temporary directory (%TEMP%).
The extracted archive contains three files. One is a legitimate executable from an older version of the RoboForm password manager that loads DLLs from its own directory without verifying that they belong to the application; the others are the malicious loader DLL that this executable picks up and the encrypted payload it decrypts. Dropping a rogue DLL next to a trusted binary and letting the binary load it is a technique called DLL sideloading: the malicious code runs inside a legitimately named process, which helps it slip past naive allow-listing and casual triage.
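The LNK-to-PowerShell-to-sideload chain above leaves a characteristic trail in process-creation and image-load telemetry. The following detection logic, added here as an example and not Check Point's tooling, runs two heuristics over constructed Sysmon-style events: hidden PowerShell spawned by Explorer (a double-clicked shortcut) that writes into %TEMP%, and an executable in a user-writable directory loading an unsigned DLL from its own folder. The file names (legit_app.exe, helper.dll, payload.zip) and the user name are placeholders, not the real sample's.

```python
"""Constructed Sysmon-style events replaying an LNK -> PowerShell -> DLL-sideload chain,
plus two heuristics a detection engineer would write for it. Example code added to this
article; the events and file names are made up and not taken from the real SmugX sample."""
import re
from typing import Dict, List, Tuple

# Constructed telemetry (not real logs). EventID 1 = ProcessCreate, EventID 7 = ImageLoad.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -nop -w hidden -c "Expand-Archive -Path $env:TEMP\payload.zip '
                    r'-DestinationPath $env:TEMP\app; Start-Process $env:TEMP\app\legit_app.exe"'},
    {"EventID": "1",
     "Image": r"C:\Users\alice\AppData\Local\Temp\app\legit_app.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\app\legit_app.exe"},
    {"EventID": "7",  # the 'legitimate' binary loads an unsigned DLL sitting beside it
     "Image": r"C:\Users\alice\AppData\Local\Temp\app\legit_app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\app\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": "7",  # benign control: Office loading a signed Microsoft DLL from Program Files
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

# Directories an unprivileged user can write to; a signed app normally does not live here.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.IGNORECASE)
# Ways of referring to the temp directory inside a PowerShell command line.
TEMP_REF = re.compile(r"\$env:TEMP|%TEMP%|AppData\\Local\\Temp", re.IGNORECASE)


def lnk_powershell_to_temp(ev: Dict[str, str]) -> bool:
    """Explorer (i.e. a double-clicked shortcut) spawning hidden PowerShell that touches %TEMP%."""
    if ev.get("EventID") != "1":
        return False
    if not ev["Image"].lower().endswith("powershell.exe"):
        return False
    if not ev["ParentImage"].lower().endswith("explorer.exe"):
        return False
    cmd = ev["CommandLine"]
    hidden = re.search(r"-w(indowstyle)?\s+hidden", cmd, re.IGNORECASE) is not None
    return hidden and TEMP_REF.search(cmd) is not None


def sideload_candidate(ev: Dict[str, str]) -> bool:
    """An executable in a user-writable directory loading an unsigned DLL from its own folder."""
    if ev.get("EventID") != "7":
        return False
    exe_dir = ev["Image"].rsplit("\\", 1)[0].lower()
    dll_dir = ev["ImageLoaded"].rsplit("\\", 1)[0].lower()
    return (USER_WRITABLE.search(ev["Image"]) is not None
            and exe_dir == dll_dir
            and ev.get("Signed", "").lower() != "true")


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for every event that trips a heuristic."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        if lnk_powershell_to_temp(ev):
            findings.append(("lnk_powershell_temp_extract", ev["CommandLine"]))
        if sideload_candidate(ev):
            findings.append(("dll_sideload_candidate", ev["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in hunt(EVENTS):
        print(f"{rule}: {evidence}")
```

Both rules are deliberately narrow: the sideload heuristic keys on location and signature rather than on the RoboForm file name, so it also catches the next campaign that swaps in a different abused binary, at the cost of needing an allow-list for portable apps that users legitimately run from Downloads.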
The second variant of the attack chain uses HTML smuggling: the lure is an HTML document that assembles a JavaScript file inside the browser and saves it to disk, so no executable content crosses the network as a recognisable download. When the user runs that script, it fetches an MSI installer from the attacker's command-and-control server and executes it.
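HTML smuggling is easy to triage statically once you know what to look for: a large base64 literal inside a script plus the browser APIs that turn bytes into a saved file (Blob, URL.createObjectURL, msSaveOrOpenBlob, an anchor with a download attribute). The script below, an added example and not part of the Check Point report, builds a constructed lure that smuggles a ZIP holding an inert .js file, then runs a small triage routine that locates the blob, decodes it, identifies the payload by magic bytes, and lists the archive members. It generalises the campaign's JavaScript-in-HTML case to ZIP, PE, MSI/OLE and PDF payloads; the file name invoice.zip and the page text are placeholders.

```python
"""Static triage of an HTML-smuggling lure. Example code added to this article, not
Check Point's; the sample page below is constructed and its 'dropper' does nothing."""
import base64
import io
import re
import zipfile
from typing import Any, Dict


def build_sample_lure() -> str:
    """Construct a lure page that smuggles a ZIP containing a harmless placeholder .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.js", "// placeholder dropper for the example, deliberately inert\n"
                                 "// a real one would download and run an MSI from its C2\n")
    b64 = base64.b64encode(buf.getvalue()).decode()
    # Typical smuggling pattern: decode in the browser, wrap in a Blob, click a download link.
    return f"""<html><body><p>Loading document, please wait...</p><script>
var data = "{b64}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script></body></html>"""


# File-type identification by leading bytes: ZIP, PE (EXE/DLL), OLE compound file (MSI), PDF.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"\xd0\xcf\x11\xe0": "ole/msi", b"%PDF": "pdf"}
# Client-side primitives that write a file to disk without a conventional download.
SAVE_APIS = ["createObjectURL", "msSaveOrOpenBlob", "new Blob", ".download", "atob("]
# A quoted base64 run long enough to be a file rather than an icon or token.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{100,}={0,2})["\']')


def triage(html: str) -> Dict[str, Any]:
    """Report save-to-disk API usage and any decodable embedded payloads in an HTML page."""
    api_hits = [api for api in SAVE_APIS if api in html]
    payloads = []
    for m in B64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue  # looked like base64 but is not; skip it
        kind = next((t for sig, t in MAGIC.items() if raw.startswith(sig)), "unknown")
        members = []
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(raw)) as z:
                members = z.namelist()
        payloads.append({"type": kind, "size": len(raw), "members": members})
    # Only flag when both halves are present: a payload and a way to write it out.
    return {"save_apis": api_hits, "payloads": payloads,
            "suspicious": bool(api_hits and payloads)}


if __name__ == "__main__":
    print(triage(build_sample_lure()))
```

Real lures often split or lightly obfuscate the blob (string reversal, a custom alphabet, XOR with a key in the page), so in practice the decoder is the part that grows; the API list and the magic-byte check stay the same.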
The PlugX build that Check Point saw deployed in the SmugX campaign is largely the same as the builds seen in other recent attacks attributed to Chinese adversaries, with one difference: the payload is encrypted with the RC4 cipher rather than a simple XOR. Based on these details, Check Point researchers believe SmugX shows that Chinese threat groups are taking a growing interest in European targets, most likely for espionage.