
A China-linked threat actor tracked as UNC6384 is said to be behind a new set of attacks targeting diplomatic and government organizations in Europe, exploiting an unpatched Windows shortcut (LNK) vulnerability between September and October 2025.
Arctic Wolf said in a technical report released on Thursday that the operation targeted not only government institutions in Serbia, but also diplomatic institutions in Hungary, Belgium, Italy and the Netherlands.
“The attack chain begins with a spear-phishing email with an embedded URL and is the first of several stages leading to the delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events,” the cybersecurity firm said.
These files are designed to exploit ZDI-CAN-25373 to trigger a multi-step attack chain that ultimately leads to deployment of the PlugX malware via DLL sideloading. PlugX is a remote access trojan (RAT) also known as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG.

UNC6384 was the subject of a recent analysis by the Google Threat Intelligence Group (GTIG), which described it as a cluster whose tactics and tooling overlap with those of the hacking group known as Mustang Panda. The actor has been observed distributing a memory-resident variant of PlugX called SOGU.SEC.
The latest wave of attacks uses phishing emails with diplomatic lures to entice recipients into opening attachments crafted to exploit ZDI-CAN-25373, a flaw that multiple threat actors have abused since 2017 to execute hidden malicious commands on victim machines. It is officially tracked as CVE-2025-9491 (CVSS score: 7.0).

The bug was first disclosed in March 2025 by security researchers Peter Girnus and Aliakbar Zahravi. A subsequent HarfangLab report found that it had been exploited by a cyber-espionage group known as XDSpy to distribute Go-based malware called XDigo in attacks targeting government agencies in Eastern Europe in March 2025.
At the time, Microsoft told The Hacker News that Microsoft Defender has detections in place to identify and block this threat activity, and that Smart App Control provides an additional layer of protection by blocking malicious files downloaded from the internet.
In the latest campaign, the LNK file launches a PowerShell command that decodes and extracts the contents of a TAR archive while simultaneously displaying a decoy PDF document to the user. The archive contains three files: a legitimate Canon Printer Assistant utility, a malicious DLL called CanonStager that the legitimate binary sideloads, and an encrypted PlugX payload ('cnmplog.dat') that the DLL launches.
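As an added, defender-side example (not code from the article or from Arctic Wolf), the following Python walks the Shell Link structures of a .lnk file to recover its COMMAND_LINE_ARGUMENTS and flags the traits this chain relies on: a long whitespace run (the argument-hiding technique behind ZDI-CAN-25373 / CVE-2025-9491) and a PowerShell invocation that unpacks an archive. The sample shortcut is constructed inside the block, and the 64-character padding cutoff and the keyword list are assumptions to tune for your own environment.

```python
import re
import struct

# LinkFlags bits and header size from MS-SHLLINK 2.1.1; StringData blocks use the order below
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1, 2, 4, 8
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 16, 32, 64, 128
HEADER_SIZE = 0x4C
STRING_DATA_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)

def lnk_arguments(data: bytes):
    """Walk the .lnk structures and return COMMAND_LINE_ARGUMENTS, or None if absent."""
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1       # UTF-16LE code units or single-byte chars
    for flag in STRING_DATA_ORDER:               # each block: 16-bit CountCharacters, then chars
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + len(raw)
        if flag == HAS_ARGUMENTS:
            return raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return None

def triage_lnk(data: bytes):
    """Return findings for one .lnk file; an empty list means nothing stood out."""
    args, findings = lnk_arguments(data) or "", []
    # ZDI-CAN-25373 / CVE-2025-9491: a long whitespace run pushes the real command past
    # what the shortcut Properties dialog shows; 64 is an assumed cutoff, tune per corpus.
    longest_ws = max((len(run) for run in re.findall(r"\s+", args)), default=0)
    if longest_ws >= 64:
        findings.append(f"whitespace padding in arguments ({longest_ws} chars)")
    lowered = args.lower()
    if "powershell" in lowered or "pwsh" in lowered:
        findings.append("arguments invoke PowerShell")
    if any(k in lowered for k in ("-enc", "frombase64string", "tar ", "expand-archive")):
        findings.append("arguments decode or unpack an embedded archive")
    return findings

def build_lnk(args: str) -> bytes:
    """Constructed minimal Unicode .lnk (header + COMMAND_LINE_ARGUMENTS only) for testing."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
    header = struct.pack("<I", HEADER_SIZE) + clsid + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

PADDED = build_lnk(" " * 400 + "powershell -w hidden -c tar -xf stage.tar")  # constructed sample, not a real artifact
```

Real shortcuts usually also carry an IDList and LinkInfo block, which the parser skips by their size fields before reading the StringData section.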

“The malware provides comprehensive remote access capabilities, including command execution, keylogging, file upload and download manipulation, persistence establishment, and extensive system reconnaissance capabilities,” Arctic Wolf said. “The modular architecture allows operators to extend functionality through plug-in modules tailored to specific operational requirements.”
PlugX also implements various anti-analysis techniques and anti-debug checks to hinder efforts to unpack its internals and to stay under the radar. Persistence is achieved by modifying the Windows registry.
Arctic Wolf said the size of CanonStager artifacts discovered in early September and October 2025 steadily decreased from approximately 700 KB to 4 KB, indicating active development and evolution toward a minimalist tool that accomplishes its goals without leaving much of a forensic footprint.
Additionally, in what is believed to be an improved malware delivery mechanism, UNC6384 was observed in early September leveraging HTML Application (HTA) files to load external JavaScript and retrieve malicious payloads from a cloudfront[.]net subdomain.
“A campaign focused on European diplomatic institutions involved in defense cooperation, cross-border policy coordination, and multilateral diplomatic frameworks is consistent with China’s strategic intelligence requirements regarding European Union cohesion, defense initiatives, and policy coordination mechanisms,” Arctic Wolf concluded.
