China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats - The Hacker News

China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats Ravie LakshmananOct 31, 2025Malware / Threat Intelligence A China-affiliated threat actor known as UNC6384 has been linked to a fresh set of attacks exploiting an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025. The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf said in a technical report published Thursday. "The attack chain begins with spear-phishing emails containing an embedded URL that is the first of several stages that lead to the delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events," the cybersecurity company said. The files are designed to exploit ZDI-CAN-25373 to trigger a multi-stage attack chain that culminates in the deployment of the PlugX malware using DLL side-loading. PlugX is a remote access trojan that's also referred to as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG. UNC6384 was the subject of a recent analysis by Google Threat Intelligence Group (GTIG), which described it as a cluster with tactical and tooling overlaps with a hacking group known as Mustang Panda. The threat actor has been observed delivering a memory-resident variant of PlugX called SOGU.SEC. The latest attack wave uses phishing emails with diplomatic lures to entice recipients into opening a bogus attachment that's designed to exploit ZDI-CAN-25373, a vulnerability that has been put to use by multiple threat actors as far back as 2017 to execute hidden malicious commands on a victim's machine. It's officially tracked as CVE-2025-9491 (CVSS score: 7.0) The existence of the bug was first reported by security researchers Peter Girnus and Aliakbar Zahravi in March 2025. A subsequent report from HarfangLab found that the shortcoming has also been abused by a cyber espionage cluster known as XDSpy to distribute a Go-based malware called XDigo in attacks targeting Eastern European governmental entities the same month the flaw was publicly disclosed. At that time, Microsoft told The Hacker News that Microsoft Defender has detections in place to detect and block this threat activity, and that Smart App Control provides an extra layer of protection by blocking malicious files from the Internet. In the attacks flagged by Arctic Wolf, the LNK file is designed to launch a PowerShell command to decode and extract the contents of a TAR archive and simultaneously display a decoy PDF document to the user. The archive contains three files: A legitimate Canon printer assistant utility, a malicious DLL dubbed CanonStager that's sideloaded using the binary, and an encrypted PlugX payload ("cnmplog.dat") that's launched by the DLL. "The malware provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions," Arctic Wolf said. "Its modular architecture allows operators to extend functionality through plugin modules tailored to specific operational requirements." PlugX also implements various anti-analysis techniques and anti-debugging checks to resist efforts to unpack its internals and fly under the radar. It achieves persistence by means of a Windows Registry modification. Arctic Wolf said the CanonStager artifacts found in early September and October 2025 have witnessed a steady decline in size from approximately 700 KB to 4 KB, indicating active development and its evolution into a minimal tool capable of achieving its goals without leaving much of a forensic footprint.  Furthermore, in what's being perceived as a refinement of the malware delivery mechanism, UNC6384 has been found to leverage an HTML Application (HTA) file in early September to load an external JavaScript that, in turn, retrieves the malicious payloads from a cloudfront[.]net subdomain. "The campaign’s focus on European diplomatic entities involved in defense cooperation, cross-border policy coordination, and multilateral diplomatic frameworks aligns with PRC strategic intelligence requirements concerning European alliance cohesion, defense initiatives, and policy coordination mechanisms," Arctic Wolf concluded. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  cyber espionage, cybersecurity, data breach, European Union, Malware, Phishing, PlugX, Threat Intelligence, Vulnerability Trending News ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Load More ▼ Popular Resources Detect AI-Driven Threats Faster With Full Network Visibility [Guide] Learn How to Govern AI Agents With Proven Market Guidance [Demo] Discover SaaS Risks and Monitor Every App in Your Environment SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats