A new report from StrikeReady Labs has revealed a sophisticated spear-phishing campaign targeting European governmental and aviation sectors, with strong technical links to Chinese state-sponsored threat actors leveraging the PlugX (a.k.a. Sogu or Korplug) malware family.
The campaign began with a targeted spear-phish against a Serbian government department involved in aviation and quickly expanded to other European nations, all lured with highly tailored phishing emails disguised as official communications.
According to StrikeReady’s analysts, the attack began with an email containing a link to a fake Cloudflare “Turnstile” verification page — a clever ruse to make victims believe they were solving a CAPTCHA-like challenge. The page used JavaScript-based obfuscation to conceal the URL leading to the next stage of the attack.

The report explains: “The landing page uses an easily sig-able mechanism to obfuscate the URL, which we will use for subsequent pivoting.” Analysts observed a sequence of decimal-encoded ASCII values that, when decoded using an XOR operation with key 23, resolved to:
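An analyst's decoder for the landing-page obfuscation described above, added here as an example rather than StrikeReady's own tooling. It assumes the page embeds the next-stage URL as a comma-separated run of decimal byte values XORed with key 23, scans page source for such runs and decodes them; the sample page snippet and URL below are constructed, not the real landing page.

```python
import re

XOR_KEY = 23  # key reported for this landing page


def decode_xor_decimal(values, key=XOR_KEY):
    """XOR each decimal-encoded byte with the key and return the cleartext."""
    return bytes(v ^ key for v in values).decode("latin-1")


def encode_xor_decimal(text, key=XOR_KEY):
    """Inverse of decode_xor_decimal; used here only to build the constructed sample."""
    return [b ^ key for b in text.encode("latin-1")]


# Nine or more comma-separated decimal values in a row: the run worth signaturing on.
DECIMAL_RUN = re.compile(r"((?:\d{1,3}\s*,\s*){8,}\d{1,3})")


def extract_candidate_urls(page_source, key=XOR_KEY):
    """Find decimal byte runs in page source, XOR-decode them and keep those that yield a URL."""
    found = []
    for match in DECIMAL_RUN.finditer(page_source):
        values = [int(v) for v in match.group(1).split(",")]
        if max(values) > 255:
            continue  # not byte values, so not this scheme
        decoded = decode_xor_decimal(values, key)
        if decoded.startswith(("http://", "https://")):
            found.append(decoded)
    return found


# Constructed sample (not the real landing page): the URL stored as an obfuscated array.
SAMPLE_URL = "https://next-stage.example/NAJU.zip"
SAMPLE_PAGE = "<script>var t=[" + ",".join(map(str, encode_xor_decimal(SAMPLE_URL))) + "];</script>"
```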
The downloaded ZIP file, named “NAJU Plan Obuka OKTOBAR 2025.zip”, contained a malicious Windows shortcut file (LNK). Upon execution, the LNK triggered an obfuscated PowerShell command designed to carve and extract a secondary payload from within the same ZIP archive.
StrikeReady’s report decodes the PowerShell activity: “Roughly, this PowerShell command reads the bytes of the zip ‘NAJU Plan Obuka OKTOBAR 2025.zip’ … skipping 726 bytes and reading 1,984,000 bytes to write to %temp%\krnqdyvmlb.ta.”
The script then used tar extraction to unpack a directory labeled:
This folder contained three critical components:
- cnmpaui.exe – a legitimate Canon Printer Assistant binary.
- cnmpaui.dll – a malicious sideloaded DLL.
- cnmplog.dat – an auxiliary file used for configuration or persistence.
This pattern of DLL sideloading through legitimate executables is a long-standing hallmark of PlugX/Sogu-based operations.
Once executed, the malware displayed a decoy PDF document to mask malicious behavior — a common espionage tactic. Behind the scenes, the malware initiated an outbound connection to naturadeco.net, a command-and-control (C2) domain associated with prior Chinese cyber-espionage campaigns.
This confirmed that the operation’s intent was not financial gain, but intelligence collection. The researchers stated: “Only CN threat actors leverage the sogu/plugx/korplug toolset for live intrusions … the vast majority of the time it is espionage.”
Through malware pivoting and binary correlation, StrikeReady identified additional payloads linked to the same infrastructure and toolset. These included samples distributed through ZIP archives named after diplomatic or defense-related events — a thematic continuation of the social engineering tactics.
Examples include:
- Agenda_Meeting_26_Sep_Brussels.zip
- EPC_invitation_letter_Copenhagen_1-2_October_2025.zip
- JATEC_workshop_on_wartime_defence_procurement_(9-11_September).zip
Each file followed the same structure: a malicious LNK, a carved payload, and a decoy document. The C2 infrastructure used Azure-based domains (*.web.core.windows.net) — an increasingly common evasion strategy among Chinese threat actors who exploit cloud hosting platforms to blend in with legitimate traffic.
StrikeReady analysts also noted that the group reused previously known PlugX artifacts such as cnmpaui.dll and the accompanying .dat configuration file — components that have appeared across campaigns dating back to 2023. This consistency strongly aligns the campaign with known PRC-affiliated clusters, such as Mustang Panda or Earth Preta, which have used similar sideloading techniques.
Furthermore, similar artifacts were observed in older campaigns — for instance, malicious archives like проект бюджета.zip and CamScanner.zip, confirming the actor’s flexibility in using multilingual and region-specific lures.
Interestingly, newer versions of the campaign adopted a different file carving algorithm, seeking sequences of bytes (0x55 0x55 0x55 0x55) to extract and execute MSI installer payloads. This adaptive shift suggests ongoing development and refinement of their delivery chain.
StrikeReady writes: “This searches for four U (0x55) in a row, carves the MSI file, and runs it … connects to paquimetro.net — and down the rabbit hole we could go.”
This approach not only obfuscates payload extraction but also increases resilience against static detection by antivirus engines.
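A triage routine for the two carving schemes this article describes (the fixed offset and length from the LNK's PowerShell, and the newer four-0x55 marker), added here as an example and not StrikeReady's tooling. It carves the embedded blob, identifies it by magic bytes instead of the extension the dropper gave it, and lists tar members in memory without extracting or executing anything; the archives, offsets and entry names are constructed, not the campaign's files.

```python
from __future__ import annotations
import io, tarfile, zipfile

MSI_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header used by MSI
MARKER = b"\x55\x55\x55\x55"                     # four 'U' bytes: the newer variant's marker

def carve_fixed(data: bytes, skip: int, length: int) -> bytes:
    """Fixed-offset carve, mirroring the LNK's PowerShell (report: skip 726, read 1,984,000)."""
    return data[skip:skip + length]

def carve_after_marker(data: bytes, marker: bytes = MARKER) -> bytes | None:
    """Return everything after the first occurrence of the marker, or None if it is absent."""
    idx = data.find(marker)
    return None if idx < 0 else data[idx + len(marker):]

def classify(blob: bytes) -> str:
    """Identify a carved blob by magic bytes rather than by the extension the dropper gave it."""
    if blob.startswith(MSI_MAGIC):
        return "msi/ole"
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if len(blob) >= 262 and blob[257:262] == b"ustar":
        return "tar"
    return "unknown"

def list_tar_members(blob: bytes) -> list[str]:
    """List member names of a carved tar in memory; nothing is written to disk or executed."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
        return tf.getnames()

def build_samples() -> tuple[bytes, int, int, bytes]:
    """Constructed samples, not the campaign's archives: (zip_a, skip, length, zip_b) where
    zip_a stores a tar entry uncompressed and zip_b has an MSI-like blob after the marker."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        body = b"decoy"
        info = tarfile.TarInfo("Obuka/decoy.pdf")  # placeholder name, not a real document
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    tar_bytes = tar_buf.getvalue()
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("lure.lnk", b"placeholder, not a real shortcut")
        zf.writestr("trailer.bin", tar_bytes)
    zip_a = zip_buf.getvalue()
    skip = zip_a.find(tar_bytes)  # the real LNK hardcodes this offset (726 in the report)
    zip_b = zip_a + MARKER + MSI_MAGIC + b"\x00" * 64
    return zip_a, skip, len(tar_bytes), zip_b
```

Feeding the real offsets from a deobfuscated LNK into carve_fixed, or the archive into carve_after_marker, gives a blob whose classify result can be compared against what the dropper claims it is before any sandboxing.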
While StrikeReady did not name a specific APT group, the forensic and behavioral evidence points strongly toward a Chinese cyber-espionage nexus. Supporting research from other industry experts — including Google’s Threat Analysis Group, RevEng, and JamesWT — has also linked recent PlugX variants to PRC-aligned intelligence operations targeting European diplomats and defense institutions.