China-Linked Hackers Exploit Windows Shortcut Vulnerability to Target European Diplomats

A China-affiliated cyber espionage group, tracked as UNC6384, has been discovered conducting a sophisticated campaign targeting European diplomatic and government entities. The attacks, occurring between September and October 2025, exploit an unpatched Windows shortcut vulnerability to deploy the notorious PlugX remote access trojan on victim systems.

Strategic Targeting of European Diplomacy

According to a technical report from Arctic Wolf, the campaign specifically zeroed in on diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, alongside government agencies in Serbia. The threat actors employed highly tailored spear-phishing emails as their initial entry point.

“The attack chain begins with spear-phishing emails containing an embedded URL that is the first of several stages that lead to the delivery of malicious LNK files,” Arctic Wolf stated. These files were cleverly themed around legitimate European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events to appear credible to the targets.

The Exploitation Chain: From LNK to PlugX

The core of the attack exploits a vulnerability known as ZDI-CAN-25373 (officially assigned CVE-2025-9491, CVSS score: 7.0). This Windows shortcut (.LNK) flaw has been a tool in the attacker’s arsenal since at least 2017, allowing them to execute hidden commands on a victim’s machine without their knowledge.

The multi-stage infection process is meticulously designed:

  1. A recipient clicks the link in the phishing email, which delivers a malicious LNK file.
  2. The LNK file executes a PowerShell command that decodes and extracts a TAR archive.
  3. To maintain stealth, a decoy PDF document related to the email’s theme is displayed to the user.
  4. The TAR archive contains three components:
    • A legitimate Canon printer assistant utility.
    • A malicious DLL loader named CanonStager.
    • An encrypted PlugX payload file (cnmplog.dat).
  5. The Canon binary is executed, which sideloads the malicious CanonStager DLL.
  6. The DLL then decrypts and executes the final PlugX payload.
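As a defender-side illustration of the chain above, the following Python (an added example, not code from Arctic Wolf's report) correlates constructed endpoint events into the reported stages: a shortcut-launched hidden or encoded PowerShell, a tar extraction it spawns, an executable loading a DLL from its own user-writable directory, and the cnmplog.dat drop. The event schema, the Canon utility's file name and the PowerShell heuristic are assumptions; only CanonStager and cnmplog.dat come from the article.

```python
import re
from collections import defaultdict

USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.I)
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s|-w(?:indowstyle)?\s+hidden", re.I)

# Constructed sample events, not real telemetry. "CanonAssistant.exe" is a placeholder
# for the legitimate Canon utility; CanonStager.dll and cnmplog.dat are from the report.
EVENTS = [
    {"host": "h1", "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "h1", "type": "process", "parent": "powershell.exe", "image": "tar.exe",
     "cmdline": r"tar -xf C:\Users\u\AppData\Local\Temp\invite.tar"},
    {"host": "h1", "type": "imageload", "image": r"C:\Users\u\AppData\Local\Temp\CanonAssistant.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\CanonStager.dll"},
    {"host": "h1", "type": "filecreate", "image": "powershell.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\cnmplog.dat"},
    {"host": "h2", "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},  # benign admin script
]

def stage_of(ev):
    """Map one event to a stage of the reported chain, or None if it matches nothing."""
    t, img = ev["type"], ev.get("image", "").lower()
    if t == "process" and img.endswith("powershell.exe") and ev["parent"] == "explorer.exe" \
            and ENCODED_PS.search(ev["cmdline"]):
        return "lnk_powershell"   # steps 1-2: shortcut launches hidden/encoded PowerShell
    if t == "process" and img.endswith("tar.exe") and ev["parent"].endswith("powershell.exe"):
        return "tar_extract"      # step 2: PowerShell unpacks the TAR archive
    if t == "imageload" and USER_WRITABLE.search(ev["loaded"]) \
            and ev["loaded"].lower().rsplit("\\", 1)[0] == img.rsplit("\\", 1)[0]:
        return "dll_sideload"     # step 5: EXE loads a DLL from its own user-writable folder
    if t == "filecreate" and ev["path"].lower().endswith("cnmplog.dat"):
        return "plugx_payload"    # steps 4/6: encrypted PlugX file dropped
    return None

def triage(events):
    """Return, per host, the set of chain stages observed; hosts with no hits are omitted."""
    hits = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            hits[ev["host"]].add(stage)
    return dict(hits)

if __name__ == "__main__":
    for host, stages in triage(EVENTS).items():
        print(host, sorted(stages))
```

A host that accumulates several stages within a short window is a far stronger signal than any single stage, since hidden PowerShell or a user-directory DLL load alone also occurs in benign software.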

The PlugX Payload and Evolving Tradecraft

PlugX is a full-featured remote access trojan (RAT), also known as Destroy RAT and Korplug. It provides attackers with comprehensive control over the infected machine.

“The malware provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions,” Arctic Wolf explained. Its modular design also allows operators to load additional plugins for specific espionage tasks.

A key finding is the active development of the loader. The CanonStager artifact shrank dramatically from about 700 KB in early September to a mere 4 KB by October, indicating a refinement into a minimal, forensically stealthier tool.

UNC6384 has also been observed refining its delivery mechanism. In one instance from early September, the group used an HTML Application (HTA) file to load an external JavaScript file, which then retrieved the final payload from a cloudfront[.]net subdomain.

The Attacker Profile: UNC6384 and Chinese Espionage

Google Threat Intelligence Group (GTIG) has previously linked UNC6384 to the known China-linked threat actor Mustang Panda, noting overlaps in tactics and tools. This group has been known to use a memory-resident variant of PlugX called SOGU.SEC.

The targeting aligns with classic Chinese cyber espionage objectives. Arctic Wolf concluded, “The campaign’s focus on European diplomatic entities involved in defense cooperation, cross-border policy coordination, and multilateral diplomatic frameworks aligns with PRC strategic intelligence requirements concerning European alliance cohesion, defense initiatives, and policy coordination mechanisms.”