A China-affiliated threat actor known as UNC6384 has been linked to a fresh set of attacks exploiting an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025.
The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf said in a technical report published Thursday.
“The attack chain begins with spear-phishing emails containing an embedded URL that is the first of several stages that lead to the delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events,” the cybersecurity company said.
The files are designed to exploit ZDI-CAN-25373 to trigger a multi-stage attack chain that culminates in the deployment of the PlugX malware using DLL side-loading. PlugX is a remote access trojan that’s also referred to as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG.
UNC6384 was the subject of a recent analysis by Google Threat Intelligence Group (GTIG), which described it as a cluster with tactical and tooling overlaps with a hacking group known as Mustang Panda. The threat actor has been observed delivering a memory-resident variant of PlugX called SOGU.SEC.
The latest attack wave uses phishing emails with diplomatic lures to entice recipients into opening a bogus attachment that’s designed to exploit ZDI-CAN-25373, a vulnerability that has been put to use by multiple threat actors as far back as 2017 to execute hidden malicious commands on a victim’s machine. It’s officially tracked as CVE-2025-9491 (CVSS score: 7.0)
The existence of the bug was first reported by security researchers Peter Girnus and Aliakbar Zahravi in March 2025. A subsequent report from HarfangLab found that the shortcoming has also been abused by a cyber espionage cluster known as XDSpy to distribute a Go-based malware called XDigo in attacks targeting Eastern European governmental entities in March 2025.
At that time, Microsoft told The Hacker News that Microsoft Defender has detections in place to detect and block this threat activity, and that Smart App Control provides an extra layer of protection by blocking malicious files from the Internet.
Specifically, the LNK file is designed to launch a PowerShell command to decode and extract the contents of a TAR archive and simultaneously display a decoy PDF document to the user. The archive contains three files: A legitimate Canon printer assistant utility, a malicious DLL dubbed CanonStager that’s sideloaded using the binary, and an encrypted PlugX payload (“cnmplog.dat”) that’s launched by the DLL.
“The malware provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions,”…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
