Image: Air Serbia (Credit: Mark Bess / Flickr)

Suspected Chinese cyber spies targeted Serbian aviation agency

A suspected China-linked cyber-espionage campaign has targeted a Serbian government department overseeing aviation, as well as other European institutions, according to new research from the cybersecurity firm StrikeReady.

The campaign began in late September with phishing emails sent to a Serbian government office. Further analysis uncovered similar malicious activity in Hungary, Belgium, Italy and the Netherlands.

Victims who clicked on links in the phishing emails were redirected to fake Cloudflare verification pages — a tactic often used to make malicious sites appear legitimate before delivering malware.

The decoy documents used in the campaign included files themed around European government business, such as a study plan from Serbia’s National Academy of Public Administration, a European Commission meeting agenda, and an invitation to the European Political Community summit.

StrikeReady said the attackers used the malware families Sogu, PlugX and Korplug — tools long associated almost exclusively with Chinese state-sponsored hackers. While the campaign has not been attributed to a specific group, researchers believe it is linked to China-nexus espionage operations.

Similar tools and tactics have been seen in other China-linked operations, according to StrikeReady. In August, Google researchers uncovered an espionage campaign attributed to the Chinese group UNC6384, which targeted diplomats in Southeast Asia using Sogu to steal data and execute remote commands. The hackers also deployed PlugX through decoy documents mimicking EU Council meeting agendas.

Earlier this year, U.S. authorities removed PlugX from thousands of infected American computers, accusing the Mustang Panda group of using it to steal information on behalf of Beijing.

Researchers said China-linked actors also used PlugX last year to spy on European healthcare organizations, and that PlugX infections were detected in more than 170 countries in 2024.

It remains unclear what information was accessed in the latest campaign reported by StrikeReady, or whether the attackers achieved their objectives.

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.