Chinese Hackers Exploit Windows Shortcut Flaw to Target European Diplomats

A cyber espionage campaign has been identified targeting diplomatic entities in Hungary, Belgium, Serbia, Italy, and the Netherlands. The China-aligned threat actor tracked as UNC6384 has been exploiting a flaw in how Windows presents shortcut (LNK) files, tracked as ZDI-CAN-25373, to gain an initial foothold in these organizations. The flaw had been publicly disclosed in March 2025 and was still unpatched when the campaign ran, so it is a known-but-unfixed bug rather than a true zero-day.

Campaign Overview

Between September and October 2025, UNC6384 ran a series of attacks leveraging ZDI-CAN-25373, which Trend Micro's Zero Day Initiative disclosed publicly in March 2025 (noting at the time that several state-aligned groups had already been abusing the technique for years). The group's continued use of a bug that remains without a vendor fix months after disclosure shows it tracks public disclosures and weaponizes the ones that stay open.

The attack begins with targeted spear-phishing emails containing URLs that deliver malicious LNK files. The files are disguised as documents for diplomatic events, referencing real European Commission meetings, NATO defense procurement workshops, and multilateral coordination events. Using familiar, credible themes raises the likelihood that a recipient opens the shortcut.

Technical Exploitation Mechanism

The exploitation hinges on a user-interface flaw rather than a memory-safety bug: Windows Explorer's Properties dialog shows only a limited prefix of a shortcut's COMMAND_LINE_ARGUMENTS field. The attacker pads that field with a long run of whitespace (spaces, tabs, line feeds, or carriage returns) so that the real command lies beyond what the dialog displays; a user who inspects the shortcut sees a harmless-looking target, while the full argument string is still passed to the target program when the shortcut is opened. The victim still has to double-click the file, and the command runs with the victim's own privileges.
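The check a mail-gateway or triage script would want here is to parse the LNK StringData and look at the argument string directly, since the padding is invisible only in the Windows UI, not in the file. The following is an added example, not code from the original article or from any vendor report: a minimal MS-SHLLINK parser that walks the ShellLinkHeader, skips the LinkTargetIDList and LinkInfo blocks, reads COMMAND_LINE_ARGUMENTS, and flags long whitespace runs or control characters anywhere in the arguments (it generalizes beyond leading padding to runs in the middle of the string). The `build_lnk` fixture, the `PAD_THRESHOLD` of 16, and the sample PowerShell arguments are constructed for the demonstration and are not taken from the campaign.

```python
import re
import struct

# MS-SHLLINK: a 76-byte ShellLinkHeader begins with HeaderSize 0x4C and this CLSID.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData sections appear in this fixed order when their flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
PAD_CHARS = " \t\r\n\x0b\x0c"                 # characters used by the padding trick
PAD_RE = re.compile("[%s]+" % re.escape(PAD_CHARS))
CONTROL_RE = re.compile(r"[\r\n\x0b\x0c]")     # never legitimate inside shortcut arguments
PAD_THRESHOLD = 16                             # assumed cut-off for a whitespace run; tune locally


def parse_lnk(data: bytes):
    """Return (LinkFlags, StringData dict) for a .lnk blob; IDList and LinkInfo are skipped."""
    if (len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (LNK) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            strings[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            strings[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return flags, strings


def analyze_lnk(data: bytes) -> dict:
    """Flag COMMAND_LINE_ARGUMENTS that hide a command behind whitespace padding."""
    _, strings = parse_lnk(data)
    args = strings.get("arguments", "")
    runs = [len(m.group(0)) for m in PAD_RE.finditer(args)]
    leading = len(args) - len(args.lstrip(PAD_CHARS))
    control = CONTROL_RE.search(args) is not None
    longest = max(runs, default=0)
    return {
        "arguments": args.strip(PAD_CHARS),      # what the target program really receives
        "leading_pad": leading,
        "longest_pad_run": longest,
        "control_chars": control,
        "suspicious": longest >= PAD_THRESHOLD or control,
    }


def build_lnk(arguments: str, relative_path: str = ".\\Invitation.pdf", unicode: bool = True) -> bytes:
    """Constructed test fixture: a minimal LNK with an empty IDList and no LinkInfo block."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"            # IDListSize + TerminalID only

    def string_data(s: str) -> bytes:                       # CountCharacters + characters
        return struct.pack("<H", len(s)) + (s.encode("utf-16-le") if unicode else s.encode("cp1252"))

    return header + id_list + string_data(relative_path) + string_data(arguments) + struct.pack("<I", 0)


if __name__ == "__main__":
    # Constructed sample of the technique: 300 spaces, then arguments the Properties box never shows.
    padded = build_lnk(" " * 300 + '-NoProfile -WindowStyle Hidden -Command "tar -xf stage.tar"')
    for label, blob in (("padded", padded), ("plain", build_lnk("/k echo hello"))):
        print(label, analyze_lnk(blob))
```

Run it against real samples by reading the file bytes and calling `analyze_lnk`; anything with `suspicious` set deserves a human look at `arguments`, because that string, not the one in the Properties dialog, is what Windows will execute.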

Upon execution of the LNK file, the following sequence unfolds:

1. PowerShell Invocation: The shortcut silently triggers a PowerShell command designed to extract and decompress a tar archive embedded within the LNK file.

2. Payload Deployment: The extracted archive contains three critical components:

– Legitimate Executable: A digitally signed Canon printer utility. It is not the malware; it is chosen because a signed, well-known binary makes a trustworthy-looking host process for the next step.

– Malicious DLL Loader: A dynamic link library designed to load the final payload.

– Encrypted PlugX Payload: The core remote access trojan (RAT) that facilitates unauthorized access and control.

3. DLL Side-Loading: The Canon executable imports a DLL by name, and the Windows loader searches the application's own directory before the system directories. Dropping a malicious DLL with that name next to the executable therefore causes it to be loaded instead of the genuine library, with no change to the signed binary itself.

4. Payload Decryption and Execution: Once loaded, the malicious DLL decrypts the PlugX payload with a hardcoded RC4 key and runs it in memory inside the signed Canon process. The decrypted PlugX never exists as a file on disk, which defeats file-based scanning, and the activity appears to come from a legitimately signed program.

Command and Control Infrastructure

The PlugX implant communicates with its command and control (C2) servers over HTTPS, using randomized request parameters so that beacons do not share a fixed pattern. The infrastructure includes multiple domains, among them racineupci[.]org and dorareco[.]net, giving the operators redundancy if one domain is taken down or blocked.

To maintain long-term access, the malware creates hidden directories with names mimicking legitimate software (e.g., SamsungDriver) and adds an entry under the Windows registry Run keys so that the signed host executable, and with it the side-loaded DLL, is launched again at every logon. The benign-looking directory and file names are meant to survive a casual review of autostart entries.
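Each step of the chain above leaves a distinct trace in endpoint telemetry, and the infection stands out most clearly when those traces are correlated per host. The following is an added example, not code from the article or from any vendor: three detection rules run over Sysmon-style process-create, image-load, and registry events, followed by a per-host correlation step. The events, hostnames, user paths, and the names `PrinterUtility.exe` and `helper.dll` are constructed for the demonstration; the `image_signed` field is assumed enrichment from a file-reputation lookup (Sysmon's image-load event reports signature status only for the loaded DLL, here `loaded_signed`), and the `SamsungDriver` directory name is the one the article reports.

```python
import ntpath
import re
from collections import defaultdict

# Assumption: directories an ordinary user can write to, where side-loading kits get dropped.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
# tar invoked to extract (tar -xf / tar xf); the LNK stage in the article uses this to unpack its archive.
TAR_EXTRACT_RE = re.compile(r"\btar(?:\.exe)?\s+-?x", re.IGNORECASE)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def rule_lnk_powershell_tar(e):
    """EID 1: explorer.exe (what launches a double-clicked LNK) spawning powershell.exe that extracts a tar."""
    if (e["eid"] == 1 and _base(e["image"]) == "powershell.exe"
            and _base(e["parent_image"]) == "explorer.exe"
            and TAR_EXTRACT_RE.search(e["command_line"])):
        return "lnk_powershell_tar_extract", "medium"


def rule_sideload(e):
    """EID 7: a signed host process loads an unsigned DLL from its own user-writable directory."""
    if (e["eid"] == 7 and e.get("image_signed") and not e.get("loaded_signed")
            and _dir(e["image"]) == _dir(e["image_loaded"]) and user_writable(e["image"])):
        return "signed_host_dll_sideload", "high"


def rule_run_key(e):
    """EID 13: a Run-key value whose target lives in a user-writable directory."""
    if (e["eid"] == 13 and "\\currentversion\\run\\" in e["target_object"].lower()
            and user_writable(e["details"])):
        return "run_key_user_writable_target", "medium"


RULES = (rule_lnk_powershell_tar, rule_sideload, rule_run_key)


def evaluate(events):
    """Apply every rule to every event; return one alert per (event, rule) hit."""
    alerts = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                alerts.append({"host": e["host"], "rule": hit[0], "severity": hit[1], "image": e["image"]})
    return alerts


def correlate(alerts, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired: the chain, not a lone event."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    return {host: sorted(rules) for host, rules in by_host.items() if len(rules) >= min_rules}


# Constructed Sysmon-style events (not real telemetry). First host: the chain from the article.
SAMPLE_EVENTS = [
    {"host": "dip-ws-07", "eid": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -NoProfile -WindowStyle Hidden -Command "tar -xf C:\Users\anna\AppData\Local\Temp\stage.tar -C C:\Users\anna\AppData\Roaming\SamsungDriver"'},
    {"host": "dip-ws-07", "eid": 7,
     "image": r"C:\Users\anna\AppData\Roaming\SamsungDriver\PrinterUtility.exe", "image_signed": True,
     "image_loaded": r"C:\Users\anna\AppData\Roaming\SamsungDriver\helper.dll", "loaded_signed": False},
    {"host": "dip-ws-07", "eid": 13,
     "image": r"C:\Users\anna\AppData\Roaming\SamsungDriver\PrinterUtility.exe",
     "target_object": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\SamsungDriver",
     "details": r"C:\Users\anna\AppData\Roaming\SamsungDriver\PrinterUtility.exe"},
    # Second host: ordinary activity that should not fire any rule.
    {"host": "dev-ws-02", "eid": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "command_line": "powershell.exe -NoLogo"},
    {"host": "dev-ws-02", "eid": 7,
     "image": r"C:\Program Files\Vendor\Tool.exe", "image_signed": True,
     "image_loaded": r"C:\Program Files\Vendor\Tool.dll", "loaded_signed": True},
    {"host": "dev-ws-02", "eid": 13,
     "image": r"C:\Windows\System32\msiexec.exe",
     "target_object": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\Tray.exe"},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(a["host"], a["severity"], a["rule"], a["image"])
    print("correlated:", correlate(found))
```

The side-loading rule is the strongest single signal and is worth running on its own; the other two are noisier in isolation, which is why `correlate` only escalates a host once two or more distinct rules have fired there.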

Implications and Recommendations

This campaign combines a publicly known but still unpatched LNK presentation flaw with well-researched social engineering, DLL side-loading through a signed binary, and in-memory payload execution. The targeting of European diplomatic entities indicates an intent to collect sensitive political and defense-related intelligence.

Recommendations for Mitigation:

– Patch Management: Keep systems current, and apply a vendor fix for ZDI-CAN-25373 as soon as one is available. Because the flaw was still unpatched during this campaign, patching alone is not a defense here: treat LNK files arriving by email or download as untrusted, block .lnk attachments (including inside archives) at the gateway where business needs allow, and inspect the argument string of any shortcut that does get through.

– Email Security: Implement advanced email filtering solutions to detect and block spear-phishing attempts.

– User Training: Conduct regular cybersecurity awareness training to educate staff on recognizing and avoiding phishing attacks.

– Endpoint Detection and Response (EDR): Deploy EDR and tune it for the behaviors in this chain: explorer.exe spawning powershell.exe with a hidden window that extracts an archive, a signed executable loading an unsigned DLL from a user-writable directory, and new Run-key entries pointing into user profile paths.

– Network Monitoring: Monitor for unexpected encrypted connections to unfamiliar domains, and block or alert on the reported C2 domains racineupci[.]org and dorareco[.]net.

By adopting a comprehensive cybersecurity strategy that includes these measures, organizations can enhance their resilience against sophisticated threats like those posed by UNC6384.