A China-affiliated threat actor known as UNC6384 has been linked to a fresh set of attacks exploiting an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025.
The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf said in a technical report published Thursday.
“The attack chain begins with spear-phishing emails containing an embedded URL that is the first of several stages that lead to the delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events,” the cybersecurity company said.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The files are designed to exploit ZDI-CAN-25373 to trigger a multi-stage attack chain that culminates in the deployment of the PlugX malware using DLL side-loading. PlugX is a remote access trojan that’s also referred to as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG.
UNC6384 was the subject of a recent analysis by Google Threat Intelligence Group (GTIG), which described it as a cluster with tactical and tooling overlaps with a hacking group known as Mustang Panda. The threat actor has been observed delivering a memory-resident variant of PlugX called SOGU.SEC.
The latest attack wave uses phishing emails with diplomatic lures to entice recipients into opening a bogus attachment that’s designed to exploit ZDI-CAN-25373, a vulnerability that has been put to use by multiple threat actors as far back as 2017 to execute hidden malicious commands on a victim’s machine. It’s officially tracked as CVE-2025-9491 (CVSS score: 7.0)
The existence of the bug was first reported by security researchers Peter Girnus and Aliakbar Zahravi in March 2025. A subsequent report from HarfangLab found that the shortcoming has also been abused by a cyber espionage cluster known as XDSpy to distribute a Go-based malware called XDigo in attacks targeting Eastern European governmental entities in March 2025.
At that time, Microsoft told The Hacker News that Microsoft Defender has detections in place to detect and block this threat activity, and that Smart App Control provides an extra layer of protection by blocking malicious files from the Internet.
Specifically, the LNK file is designed to launch a PowerShell command to decode and extract the contents of a TAR archive and simultaneously display a decoy PDF document to the user. The archive contains three files: A legitimate Canon printer assistant utility, a malicious DLL dubbed CanonStager that’s sideloaded using the binary, and an encrypted PlugX payload (“cnmplog.dat”) that’s launched by the DLL.
“The malware provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions,” Arctic Wolf said. “Its modular architecture allows operators to extend functionality through plugin modules tailored to specific operational requirements.”
PlugX also implements various anti-analysis techniques and anti-debugging checks to resist efforts to unpack its internals and fly under the radar. It achieves persistence by means of a Windows Registry modification.
Arctic Wolf said the CanonStager artifacts found in early September and October 2025 have witnessed a steady decline in size from approximately 700 KB to 4 KB, indicating active development and its evolution into a minimal tool capable of achieving its goals without leaving much of a forensic footprint.
Furthermore, in what’s being perceived as a refinement of the malware delivery mechanism, UNC6384 has been found to leverage an HTML Application (HTA) file in early September to load an external JavaScript that, in turn, retrieves the malicious payloads from a cloudfront[.]net subdomain.
“The campaign’s focus on European diplomatic entities involved in defense cooperation, cross-border policy coordination, and multilateral diplomatic frameworks aligns with PRC strategic intelligence requirements concerning European alliance cohesion, defense initiatives, and policy coordination mechanisms,” Arctic Wolf concluded.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems