Chinese Cyber Espionage: Unmasking the HTML Smuggling Technique


Published on Jul 3, 2023   —   2 min read

Behind Enemy Lines: The Stealthy Role of HTML in Chinese Cyber Attacks


Welcome, cybersecurity enthusiasts! Once again, we venture into the fascinating realm of cyberespionage, where the stakes are high and the techniques are ever-evolving. The spotlight today is on a novel and sophisticated cyberattack, tracing back to Chinese nation-state actors, involving the use of HTML smuggling to infiltrate European Foreign Affairs ministries and embassies with the PlugX remote access trojan.

HTML smuggling, you ask? Yes, indeed. It's a technique that leverages legitimate HTML5 and JavaScript features to assemble and launch malware. This stealthy method was adopted in the delivery of decoy documents attached to spear-phishing emails. This has resulted in a new variant of PlugX, an implant commonly associated with Chinese threat actors, being successfully deployed on compromised systems.

The SmugX Campaign

This campaign, aptly dubbed SmugX, has been active since December 2022. The group uses HTML smuggling to deliver a notorious remote access trojan, PlugX, onto compromised systems. Although the payload is similar to older PlugX variants, the innovative delivery methods have resulted in low detection rates, keeping the campaign largely undetected until recently.

HTML Smuggling: A Stealthy Technique

HTML Smuggling, a stealthy technique that abuses legitimate HTML5 and JavaScript features, is used to assemble and launch malware through the decoy documents attached to spear-phishing emails. As explained by cybersecurity firm Trustwave, HTML smuggling works offline by storing a binary in an immutable blob of data within JavaScript code. This embedded payload gets decoded into a file object when opened via a web browser.

Targets and Techniques

Documents designed for this campaign, which were uploaded to the VirusTotal malware database, specifically target diplomats and government entities in Czechia, Hungary, Slovakia, the U.K., Ukraine, and possibly France and Sweden​. In one instance, an Uyghur-themed lure was used to exfiltrate reconnaissance data. The multi-stage infection process leverages DLL side-loading methods to decrypt and launch the final payload, PlugX. This modular trojan, dating back to 2008, accommodates diverse plugins with distinct functionalities, enabling the operators to carry out file theft, screen captures, keystroke logging, and command execution.

The Threat Actor

The exact identity of the threat actor behind the operation is not fully clear, with existing clues suggesting a possible connection to Mustang Panda. However, overlaps are also shared with clusters tracked as Earth Preta, RedDelta, and Check Point's own designation Camaro Dragon. At this stage, there is "insufficient evidence" to definitively attribute it to the adversarial collective.


As we continue our journey through the intricate world of cybersecurity, the SmugX operation underscores the need for constant vigilance and proactive defense. The emergence of HTML smuggling as a potent threat vector challenges our understanding of cyber threat detection and response strategies.

In this ever-changing landscape, staying informed, updated, and prepared is our best line of defense. So let's keep our eyes open and our defenses strong, ensuring safety against the emerging threats of the cyber world.

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.