The latest research from the cybersecurity company Dream Security shows that a Chinese hacker group ran a phishing campaign before and after Christmas, attempting to compromise diplomats' devices with spoofed U.S. policy briefings.
This cyber espionage operation mainly took place between the end of December 2025 and the middle of January 2026. Dream CEO Shalev Hulio stated in an interview with Axios that this wave of attacks successfully infected “many people.”
“We are currently unable to determine the specific victims and the extent of the damage,” said Hulio.
According to Dream’s report (published as a PDF), this operation was carried out by a Chinese state-backed hacker group known as “Mustang Panda” and used highly realistic fake U.S. diplomatic documents as bait, targeting officials from multiple countries involved in diplomacy, elections, and international coordination work.
The hackers did not exploit complex software vulnerabilities in this attack, but instead leveraged the trust diplomats have in “U.S. briefings.” They created sophisticated bait documents closely related to the geopolitical dynamics at the time, including notifications on the Kosovo Parliament elections, post-meeting reports of the U.S.-Adriatic Charter Partner Committee, concept documents for the 2nd Global Buddhist Conference (New Delhi), and diplomatic briefings between Cambodia and the U.S.
These documents mimicked the informal briefing style the U.S. government often releases after meetings or forums. Once victims opened the files, malicious components were loaded through techniques such as DLL side-loading, in which a legitimate application loads an attacker-supplied DLL, allowing the hackers to collect sensitive data and maintain access.
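A defender-side check for the side-loading layout described above, written as an added example that is not from the Dream report: it scans image-load telemetry for a signed host executable running from a user-writable directory that loads an unsigned DLL sitting beside it. The event field names, directory lists and sample records are constructed assumptions.

```python
"""Flag DLL side-loading candidates in constructed image-load telemetry.

Added example; events, field names and directory lists are constructed
for illustration and are not taken from the Dream report.
"""
from pathlib import PureWindowsPath

# Directories where a legitimately installed program is expected to live.
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\program files\\",
                 "c:\\program files (x86)\\")
# Path fragments typical of user-writable drop locations (extracted archives,
# downloaded "briefing" packages and the like).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def _norm_dir(path: str) -> str:
    """Lower-cased parent directory with a trailing backslash for prefix tests."""
    return str(PureWindowsPath(path).parent).lower().rstrip("\\") + "\\"


def is_sideload_candidate(event: dict) -> bool:
    """True when a signed host binary outside any install root, in a
    user-writable path, loads an unsigned DLL from its own directory."""
    host_dir = _norm_dir(event["image"])
    dll_dir = _norm_dir(event["image_loaded"])
    colocated = host_dir == dll_dir
    host_signed = bool(event.get("host_signed", False))
    dll_unsigned = not event.get("dll_signed", False)
    outside_install = not host_dir.startswith(TRUSTED_ROOTS)
    user_writable = any(hint in host_dir for hint in USER_WRITABLE_HINTS)
    return colocated and host_signed and dll_unsigned and outside_install and user_writable


def find_sideload_candidates(events) -> list:
    """Return the loaded-DLL path of every event matching the rule."""
    return [e["image_loaded"] for e in events if is_sideload_candidate(e)]


# Constructed sample telemetry: a normal system load, a side-load layout,
# and an unsigned portable tool that should not match.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\kernel32.dll",
     "host_signed": True, "dll_signed": True},
    {"image": r"C:\Users\user\AppData\Local\Temp\Briefing\viewer.exe",
     "image_loaded": r"C:\Users\user\AppData\Local\Temp\Briefing\helper.dll",
     "host_signed": True, "dll_signed": False},
    {"image": r"C:\Users\user\Downloads\tool\tool.exe",
     "image_loaded": r"C:\Users\user\Downloads\tool\plugin.dll",
     "host_signed": False, "dll_signed": False},
]

if __name__ == "__main__":
    for path in find_sideload_candidates(SAMPLE_EVENTS):
        print("side-load candidate:", path)
```

In production the signature fields would come from the endpoint sensor's own signing verdicts, and the trusted-root list should be extended with the organisation's actual software install paths.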
Technical analysis revealed that the operation deployed a malicious software named DOPLUGS, a variant of the PlugX trojan commonly used by Chinese hackers. PlugX is frequently employed in targeted attacks against diplomacy, government, military, policy, and international organizations.
The report indicated that DOPLUGS is streamlined in functionality, specifically used as a downloader, deliberately hiding numerous key code strings with multiple layers of obfuscation to increase the difficulty of analysis and tracking.
Artificial Intelligence (AI) tools were crucial in detecting this espionage activity. Hulio stated, “Chinese hackers are some of the most skilled attackers globally, adept at concealing themselves and operating stealthily beneath the radar, making them extremely difficult to detect.”
As attackers become increasingly covert and proficient in leveraging geopolitical events, AI automated detection is becoming a key defense mechanism for governments worldwide to intercept complex espionage activities.
