Chinese Cyber-Espionage Targets Serbian Aviation Department
A suspected Chinese cyber-espionage campaign has targeted a Serbian government department overseeing aviation. The operation, which began in late September, employed tactics and tools similar to other China-linked operations.
The campaign used the PlugX malware family, also tracked as Sogu and Korplug, which is associated with Chinese state-sponsored hackers. Decoy documents themed around European government business were used to lure targets. Phishing emails sent to a Serbian government office contained links that redirected victims to fake Cloudflare verification pages. Similar malicious activity was found in Hungary, Belgium, Italy, and the Netherlands.
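The fake Cloudflare verification pages described above give defenders a concrete hunting signal. The following script is an added example, not code from the article or from any vendor report on this campaign; it assumes a hypothetical egress-proxy log format (epoch, client, method, URL, status, content type, page title) and uses placeholder hostnames rather than indicators from the actual campaign. It flags HTML pages whose title copies Cloudflare's interstitial wording when the same client never loads the real challenge widget from challenges.cloudflare.com shortly afterwards, which is what a genuine challenge does.

```python
import re
from urllib.parse import urlsplit

# Constructed egress-proxy records in a hypothetical format:
#   epoch client method url status content_type "page_title"
# Hosts are placeholders, not indicators from the reported campaign.
SAMPLE_LOG = """\
1700000000 10.0.0.12 GET https://docs-share.example/verify/ 200 text/html "Just a moment..."
1700000003 10.0.0.12 GET https://docs-share.example/verify/step2 200 text/html "Verify you are human"
1700000010 10.0.0.31 GET https://www.example.org/ 503 text/html "Just a moment..."
1700000011 10.0.0.31 GET https://challenges.cloudflare.com/turnstile/v0/api.js 200 application/javascript ""
1700000014 10.0.0.31 GET https://www.example.org/ 200 text/html "Example Org"
1700000020 10.0.0.40 GET https://portal.example.net/login 200 text/html "Sign in"
"""

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\S+) "(.*)"$')

# Wording from the genuine Cloudflare interstitial that lookalike pages copy.
CHALLENGE_PHRASES = ("just a moment", "verify you are human", "checking your browser")
# Host from which Cloudflare's real challenge widget is loaded.
CHALLENGE_HOST = "challenges.cloudflare.com"
# How long after the page load we expect the real widget fetch to appear.
WINDOW_SECONDS = 30


def parse_log(text):
    """Parse the constructed log into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status, ctype, title = m.groups()
        records.append({
            "ts": int(ts), "client": client, "method": method, "url": url,
            "host": (urlsplit(url).hostname or "").lower(),
            "status": int(status), "ctype": ctype, "title": title,
        })
    return records


def looks_like_challenge(rec):
    """HTML response whose title mimics the Cloudflare interstitial."""
    title = rec["title"].lower()
    return rec["ctype"].startswith("text/html") and any(p in title for p in CHALLENGE_PHRASES)


def fetched_real_widget(records, rec):
    """True if the same client loaded the real widget within the window after the page."""
    for other in records:
        if (other["client"] == rec["client"] and other["host"] == CHALLENGE_HOST
                and rec["ts"] <= other["ts"] <= rec["ts"] + WINDOW_SECONDS):
            return True
    return False


def flag_fake_challenges(log_text):
    """Return challenge-looking pages with no real Cloudflare widget load behind them."""
    records = parse_log(log_text)
    return [
        {"client": r["client"], "host": r["host"], "url": r["url"], "title": r["title"]}
        for r in records
        if looks_like_challenge(r) and not fetched_real_widget(records, r)
    ]


if __name__ == "__main__":
    for hit in flag_fake_challenges(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']} ({hit['title']!r})")
```

On the constructed log, the two pages served to 10.0.0.12 from docs-share.example are flagged, while the genuine challenge seen by 10.0.0.31 is not because that client fetched the real widget one second later. The heuristic is a triage signal rather than a verdict: a lookalike that also embeds the real widget would slip through, and a sandboxed client that blocks third-party scripts would produce a false positive, so hits should be correlated with the preceding email-link click and any subsequent download before escalation.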
The campaign has not been attributed to a specific group but is believed to be linked to China-nexus espionage operations. US authorities have previously removed PlugX from infected American computers, attributing it to the Mustang Panda group. Similar tools and tactics have been seen in other China-linked operations, such as the UNC6384 campaign targeting Southeast Asian diplomats.
The Serbian government aviation department was targeted in a suspected Chinese cyber-espionage campaign. The operation used sophisticated tactics and tools, with similar activity found in other European countries. While not attributed to a specific group, it is believed to be linked to China-nexus espionage operations.