Critical Infrastructure Security, Government security, Threat Intelligence

Attack against Serbian aviation agency pinned on suspected Chinese cyberespionage hackers


Chinese threat actors are believed to have targeted a Serbian aviation agency with phishing attacks as part of a cyberespionage campaign that commenced late last month, reports The Record, a news site by cybersecurity firm Recorded Future. Attackers have used malicious emails with European government business-themed lures to spread links redirecting to bogus Cloudflare verification pages, which facilitate the deployment of the PlugX, Sogu, and Korplug payloads associated with Chinese state-backed hackers, according to a report from StrikeReady. Attacks that were part of the same campaign were also observed in Italy, Belgium, Hungary, and the Netherlands. The findings follow a Google report detailing Chinese threat group UNC6384's cyberespionage campaign against Southeast Asian diplomats involving the Sogu backdoor. Meanwhile, PlugX was removed from thousands of U.S. computers in an operation led by the Justice Department and the FBI, which alleged that the payload had been used by the Mustang Panda operation for espionage.
