Chinese APT Spearphishing Campaign Using Fake Cloudflare Lures to Deploy PlugX Malware
Chinese state-sponsored threat actors have launched a sophisticated spearphishing campaign targeting government and aviation agencies across Europe, including a Serbian aviation agency. The attackers crafted malicious emails that appeared to be related to European government business, enticing recipients to click on links that redirected them to fraudulent Cloudflare verification pages. These fake pages were designed to deliver malware payloads, specifically PlugX, Sogu, and Korplug, which are commonly associated with Chinese cyberespionage groups. The campaign began in late September and has affected organizations in Serbia, Italy, Belgium, Hungary, and the Netherlands.

Security researchers have attributed the activity to Chinese APTs, with some overlap in tactics and malware families used by groups such as Mustang Panda and UNC6384. The PlugX malware, a remote access trojan, enables attackers to exfiltrate sensitive data and maintain persistent access within compromised networks. The campaign's use of legitimate-looking Cloudflare lures increases the likelihood of successful credential harvesting and malware deployment. In response to the widespread use of PlugX, U.S. law enforcement, including the Justice Department and FBI, conducted operations to remove the malware from thousands of infected computers in the United States.

The campaign demonstrates a high level of operational security, leveraging tailored phishing lures and multi-stage infection chains to evade detection. Security researchers have noted that the attackers continuously adapt their techniques, making use of current events and trusted brands to increase the credibility of their phishing emails. The deployment of multiple malware families in a single campaign suggests a broad espionage objective, targeting both information theft and long-term access. The campaign's cross-border nature highlights the global reach of Chinese cyberespionage operations.
Organizations are advised to implement robust email filtering, user awareness training, and endpoint detection to mitigate the risk of similar attacks. The incident underscores the persistent threat posed by Chinese APTs to critical infrastructure and government entities worldwide. Ongoing analysis by cybersecurity firms continues to reveal new indicators of compromise and evolving tactics associated with this campaign. The use of PlugX and related malware remains a hallmark of Chinese cyberespionage, with attackers refining their delivery methods to bypass traditional security controls. The campaign's discovery has prompted increased collaboration between international law enforcement and private sector security teams to disrupt the threat and protect targeted organizations.

How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Attack on Serbian aviation agency attributed to suspected Chinese cyberespionage hackers
An attack against Serbia's aviation agency was publicly linked to suspected Chinese cyberespionage actors. The reporting ties the incident to the broader activity associated with the PlugX-delivering campaign.
Suspected Chinese APT launches PlugX spearphishing campaign with fake Cloudflare lure
A suspected Chinese cyberespionage group began a spearphishing campaign using a fake Cloudflare-themed lure to deliver PlugX malware to targets. The reporting indicates the operation was active by the time of publication, but no earlier specific start date is provided.