Chinese Cyber Espionage Group UNC6384 Exploits Windows Shortcut Vulnerability to Target European Diplomats
In a series of sophisticated cyber attacks between September and October 2025, a China-affiliated threat actor known as UNC6384 has been identified exploiting an unpatched Windows shortcut vulnerability to infiltrate European diplomatic and government entities. The targeted organizations include diplomatic bodies in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia.
The attack campaign commenced with spear-phishing emails containing embedded URLs. These links initiated a multi-stage attack chain, ultimately delivering malicious LNK (shortcut) files. These files were cleverly themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events, making them appear legitimate and relevant to the recipients.
The malicious LNK files exploited a vulnerability tracked as ZDI-CAN-25373, allowing the attackers to execute hidden commands on the victim’s machine. This exploitation led to the deployment of the PlugX malware, also known as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG. PlugX is a remote access trojan (RAT) that provides comprehensive control over infected systems, enabling activities such as command execution, keylogging, file manipulation, and extensive system reconnaissance.
UNC6384 shares tactical and tooling similarities with another hacking group known as Mustang Panda. Both groups have been observed delivering memory-resident variants of PlugX, such as SOGU.SEC, indicating a possible overlap in their operational methodologies.
The attack sequence involved the following steps:
1. Phishing Email Delivery: The target receives an email with a link to a malicious LNK file disguised as a document related to diplomatic events.
2. LNK File Execution: Once the victim follows the link and opens the downloaded LNK file, it runs a PowerShell command that decodes and extracts the contents of a TAR archive.
3. Decoy Document Display: Simultaneously, a decoy PDF document is displayed to the user to minimize suspicion.
4. Malware Deployment: The extracted archive contains three components:
– A legitimate Canon printer assistant utility.
– A malicious DLL named CanonStager, which is sideloaded by the legitimate utility.
– An encrypted PlugX payload (cnmplog.dat) that is launched by the CanonStager DLL.
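A defender-side triage script for step 2 of the chain above, added here as an example; it is not code from the article, from the group's tooling, or from any vendor product. It parses the Windows shortcut binary format (MS-SHLLINK) far enough to pull out the COMMAND_LINE_ARGUMENTS string and then flags the hidden-command pattern together with PowerShell launch indicators. The assumption that the hidden command is pushed out of view by whitespace padding comes from public reporting on ZDI-CAN-25373, not from this article; the padding threshold, the indicator patterns and the two sample shortcuts are constructed for the demonstration.

```python
"""Static triage of Windows shortcut (.lnk) files: extract the command-line
arguments and flag padding-based hidden commands plus PowerShell indicators.
Added example; not from the article or any vendor tool."""
import re
import struct

# Shell Link header constants (MS-SHLLINK section 2.1).
HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of view

# StringData sections appear in this fixed order when their flag is set.
STRING_SECTIONS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Whitespace the padding technique uses to push the real command out of the
# visible part of the Properties dialog (assumption from public ZDI reporting).
PADDING_CHARS = " \t\r\n\x0b\x0c"


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a shell link; IDList/LinkInfo are skipped."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "show_command": show_command}
    for flag, name in STRING_SECTIONS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            info[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return info


def inspect_lnk(data: bytes, padding_threshold: int = 32) -> dict:
    """Return the parsed fields plus a list of human-readable findings."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    findings = []
    leading = len(args) - len(args.lstrip(PADDING_CHARS))
    total_padding = sum(1 for ch in args if ch in PADDING_CHARS)
    if leading >= padding_threshold:
        findings.append(f"{leading} leading padding characters before the command")
    elif total_padding >= padding_threshold:
        findings.append(f"{total_padding} padding characters inside the arguments")
    visible = args.strip(PADDING_CHARS)
    if re.search(r"(?i)\b(powershell|pwsh)\b", visible):
        findings.append("arguments launch PowerShell")
    if re.search(r"(?i)-(e|ec|enc|encodedcommand)\b", visible):
        findings.append("encoded PowerShell command")
    if re.search(r"(?i)-w(indowstyle)?\s+hidden", visible):
        findings.append("hidden PowerShell window")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window not shown)")
    info["visible_arguments"] = visible
    info["findings"] = findings
    return info


def build_lnk(arguments: str, relative_path: str = ".\\cmd.exe", show_command: int = 1) -> bytes:
    """Construct a minimal Unicode shell link (test fixture only, no IDList/LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I", HEADER_SIZE) + SHELL_LINK_CLSID
              + struct.pack("<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0))

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: a benign shortcut and one shaped like a padded
# PowerShell launcher (the encoded payload is only a placeholder string).
BENIGN_LNK = build_lnk("/c echo hello")
SUSPICIOUS_LNK = build_lnk(
    " " * 600 + "/c powershell -w hidden -enc BASE64_PLACEHOLDER",
    relative_path="..\\..\\Windows\\System32\\cmd.exe",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        report = inspect_lnk(blob)
        print(f"{label}: {report['visible_arguments']!r}")
        for finding in report["findings"]:
            print("  -", finding)
```

To run it over real attachments, read each file as bytes and pass it to `inspect_lnk`; a mail gateway or endpoint agent applying the same checks would quarantine any shortcut whose arguments field is mostly padding or launches PowerShell with an encoded command and a hidden window. The padding check is the part that matters for an unpatched client: the Properties dialog hides the command, but the bytes in the file do not.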
Once deployed, PlugX establishes persistence on the infected system by modifying Windows Registry settings. It also employs various anti-analysis and anti-debugging techniques to evade detection and analysis.
The exploitation of ZDI-CAN-25373 by UNC6384 underscores the persistent threat posed by state-sponsored cyber espionage groups. Organizations, especially those in the diplomatic and governmental sectors, are advised to implement robust cybersecurity measures, including regular software updates, employee training on phishing tactics, and the deployment of advanced threat detection systems.