A Chinese state-sponsored threat actor has launched a calculated cyber espionage operation targeting European diplomatic entities, weaponizing a long-exploited Windows vulnerability that Microsoft has declined to patch.
Executive Summary
Between September and October 2025, the China-affiliated threat group UNC6384 executed a targeted cyber espionage campaign against diplomatic entities in Hungary, Belgium, Italy and the Netherlands, as well as Serbian government aviation departments. The operation leveraged a high-severity Windows shortcut vulnerability (CVE-2025-9491, also tracked as ZDI-CAN-25373) to deliver the PlugX remote access trojan through spear-phishing lures themed around real European Commission meetings and NATO workshops.
The campaign represents a significant escalation in UNC6384’s operational scope, marking the group’s expansion from traditional Southeast Asian targets to European diplomatic infrastructure. Security researchers at Arctic Wolf, who uncovered the operation, assess with high confidence that this activity aligns with People’s Republic of China strategic intelligence requirements concerning European alliance cohesion, defense initiatives, and multilateral policy coordination.
Threat Actor Profile: UNC6384
UNC6384, a cluster named by Google’s Threat Intelligence Group, shows significant tactical and tooling overlaps with the Chinese APT group Mustang Panda (also tracked as TEMP.Hex, Bronze President, and Red Delta). Mustang Panda has conducted cyber espionage operations since at least 2012, primarily targeting government entities, non-governmental organizations, religious institutions, and diplomatic missions.
Key Characteristics:
- Primary Motivation: Intelligence gathering aligned with PRC strategic interests
- Historical Targets: Government agencies, NGOs, diplomatic entities, think tanks
- Geographic Focus: Previously Southeast Asia; now expanding to Europe
- Signature Malware: PlugX (SOGU.SEC variant), delivered via DLL side-loading
- Attack Sophistication: Rapid vulnerability adoption, refined social engineering, multi-stage infection chains
The group weaponized CVE-2025-9491 within six months of its public disclosure, in a window in which no patch exists, which shows the operational agility and tooling pipeline expected of a state-sponsored actor.
The Windows Vulnerability: CVE-2025-9491 (ZDI-CAN-25373)
At the heart of this campaign lies a deceptively simple but highly effective vulnerability in how Windows handles .LNK (shortcut) files.
Technical Details:
Vulnerability Type: User Interface Misrepresentation of Critical Information (CWE-451)
CVSS Score: 7.0-7.8 (High severity)
Attack Vector: Local execution requiring user interaction
Discovery Timeline:
- First exploited in the wild as early as 2017
- Initially identified by Zero Day Initiative (ZDI) as ZDI-CAN-25373
- Reported to Microsoft by researchers Peter Girnus and Aliakbar Zahravi in September 2024
- Publicly disclosed in March 2025
- Assigned CVE-2025-9491 in August 2025
The Exploitation Mechanism:
The flaw lies in how Windows displays the COMMAND_LINE_ARGUMENTS string stored inside a shortcut. Attackers craft .LNK files whose argument string begins with a long run of whitespace characters (spaces, tabs, line feeds, carriage returns) before the real command. When a user inspects the shortcut in Windows Explorer or its Properties dialog, the Target field renders the padding as blank space and shows only a bounded number of characters, so the command that follows the padding never appears.
Executing the shortcut is then ordinary shortcut behaviour: Windows launches the target, typically cmd.exe or powershell.exe, with the full argument string, and the hidden command runs in the context of the current user. The technique defeats the user’s inspection of the file rather than any operating-system control, and because the .LNK itself contains no executable code it also slips past defences that look only for executables and scripts.
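To make the display flaw concrete, here is an added example (written for this article, not code from Arctic Wolf or Trend Micro) that parses the shortcut structure and flags padded arguments; it also serves the IOC hunting step later in the page, since scan_directory walks a folder of .LNK files. The file layout follows the MS-SHLLINK specification; the 260-character padding threshold, the sample paths and the imitated PowerShell command line are this example’s own assumptions, and the sample shortcuts are constructed in memory so nothing is fetched or executed.

```python
"""Parse Windows .LNK files (MS-SHLLINK) and flag whitespace-padded arguments.
Added example, not code from the original article. It reads only what is needed
to reach COMMAND_LINE_ARGUMENTS: the header, then LinkTargetIDList and LinkInfo
skipped by their size fields, then the StringData block. Samples are constructed.
"""
import struct
from pathlib import Path

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags (MS-SHLLINK 2.1.1); StringData fields appear in exactly this order.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]

# Assumption of this example: no legitimate shortcut starts its arguments with this
# much whitespace, while in-the-wild padding runs to hundreds of characters so the
# real command scrolls out of Explorer's Target field.
PAD_THRESHOLD = 260
PAD_CHARS = " \t\r\n\x0b\x0c"


def parse_lnk(blob: bytes) -> dict:
    """Return LinkFlags plus whichever StringData fields the shortcut carries."""
    if (len(blob) < HEADER_SIZE or struct.unpack_from("<I", blob)[0] != HEADER_SIZE
            or blob[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:                       # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", blob, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize includes itself
        off += struct.unpack_from("<I", blob, off)[0]
    fields = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", blob, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = blob[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = blob[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def padded_arguments(arguments: str) -> tuple[bool, str]:
    """ZDI-CAN-25373 pattern: whitespace padding or line breaks ahead of the command."""
    if not arguments:
        return False, ""
    leading = len(arguments) - len(arguments.lstrip(PAD_CHARS))
    if leading >= PAD_THRESHOLD:
        return True, f"{leading} leading whitespace characters hide the command line"
    if any(c in arguments for c in "\r\n\x0b\x0c"):
        return True, "line breaks or control characters inside the argument string"
    return False, ""


def scan_bytes(blob: bytes) -> dict:
    """Verdict for one shortcut, with the de-padded command for the analyst."""
    info = parse_lnk(blob)
    args = info.get("arguments", "")
    hit, reason = padded_arguments(args)
    return {"suspicious": hit, "reason": reason,
            "target": info.get("relative_path", ""), "command": args.strip(PAD_CHARS)}


def scan_directory(root: str) -> list[dict]:
    """Hunt helper: scan every *.lnk under root (a download or Temp folder)."""
    results = []
    for path in Path(root).rglob("*.lnk"):
        try:
            results.append({"path": str(path), **scan_bytes(path.read_bytes())})
        except ValueError as err:
            results.append({"path": str(path), "suspicious": False, "reason": str(err)})
    return results


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal shortcut: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    header += struct.pack("<II", flags, 0x20)               # LinkFlags, FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                                  # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 7, 0, 0, 0, 0)  # ShowCommand 7 = SW_SHOWMINNOACTIVE

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples, not the campaign's files. HIDDEN_CMD imitates the PowerShell
# stage described above (hidden window, archive extraction); it is an assumption.
HIDDEN_CMD = (r'-w hidden -ep bypass -c "tar -xf $env:TEMP\rjnlzlkfe.ta -C $env:TEMP; '
              r'Start-Process $env:TEMP\cnmpaui.exe"')
MALICIOUS = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      " " * 900 + HIDDEN_CMD)
BENIGN = build_lnk(r"..\..\Program Files\Acme\acme.exe", "--profile default")

if __name__ == "__main__":
    for label, blob in (("constructed malicious", MALICIOUS), ("constructed benign", BENIGN)):
        print(label, scan_bytes(blob))
```

The parser deliberately stops at StringData; the ExtraData blocks that follow are irrelevant to this flaw. Running scan_directory over a mail-download or Temp folder during a hunt returns the de-padded command line for each hit, which is usually enough to pivot straight to the staging path and archive name.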
Microsoft’s Controversial Decision:
Despite being informed of active exploitation by at least 11 state-sponsored threat groups from North Korea, Iran, Russia, and China, Microsoft determined the vulnerability “does not meet the bar for immediate servicing.” The company stated they would consider addressing it in a future feature release but provided no definitive timeline.
Microsoft’s rationale appears to stem from concerns about backward compatibility—patching this flaw could potentially break legacy applications that depend on the current .LNK file handling design. In lieu of a patch, Microsoft has emphasized that Defender detections are in place and Smart App Control provides additional protection by blocking malicious files from the internet.
This decision has drawn criticism from security researchers, particularly as evidence mounts showing the vulnerability’s continued exploitation across numerous high-profile campaigns targeting organizations in government, financial, telecommunications, military, and energy sectors worldwide.
Attack Chain Analysis
UNC6384’s operation against European diplomats is a multi-stage delivery chain that combines social engineering, abuse of legitimate infrastructure and signed binaries, and an evasion measure at each step.
Stage 1: Initial Compromise - Spear-Phishing
The attack begins with carefully crafted spear-phishing emails containing embedded URLs. These emails leverage authentic diplomatic themes to establish credibility and encourage target engagement:
- European Commission meeting agendas (e.g., “Meeting 26 Sep Brussels” regarding EU-Western Balkans border crossing facilitation)
- NATO-related workshops on defense procurement and security cooperation
- Multilateral diplomatic coordination events
- European Political Community activities
The level of detail in these lures suggests the attackers possess intimate knowledge of diplomatic calendars, event themes, and the specific interests of targeted personnel. In several instances, the malicious files referenced actual scheduled meetings, lending authenticity to the social engineering component.
Stage 2: Malicious LNK Delivery
Recipients who click the embedded URLs are redirected through multiple stages, ultimately receiving a malicious .LNK file disguised as a legitimate document. These files exploit CVE-2025-9491 to execute hidden PowerShell commands while displaying a convincing decoy PDF to the victim.
When executed, the weaponized shortcut:
- Invokes obfuscated PowerShell with hidden command-line arguments
- Decodes and extracts a tar archive (e.g., “rjnlzlkfe.ta”) to %AppData%\Local\Temp
- Displays a legitimate-looking decoy PDF to maintain the illusion of normalcy
- Silently extracts three critical components from the archive
Stage 3: DLL Side-Loading
The extracted archive contains three carefully orchestrated components:
- Legitimate Signed Executable: A genuine Canon printer assistant utility (cnmpaui.exe) with a valid digital signature
- Malicious DLL Loader: A weaponized DLL (cnmpaui.dll, the loader Arctic Wolf tracks as CanonStager) that exploits DLL search order hijacking
- Encrypted PlugX Payload: The final malware payload (cnmplog.dat) in encrypted form
When cnmpaui.exe starts it resolves cnmpaui.dll by name, and the standard Windows DLL search order checks the application’s own directory before the system directories, so the attacker’s copy sitting next to the executable is the one that loads. This technique, known as DLL side-loading, runs malicious code inside a process backed by a trusted, signed binary, which lowers the chance that reputation-based or signature-aware controls flag it.
Stage 4: PlugX Deployment
The malicious DLL decrypts and reflectively loads the PlugX remote access trojan directly into memory, avoiding disk-based detection mechanisms. Once active, PlugX establishes command-and-control communications with attacker infrastructure and provides comprehensive capabilities:
- Remote command execution
- File system access and manipulation
- Credential harvesting
- Screenshot capture
- Keystroke logging
- Lateral movement support
- Persistent access maintenance
Alternative Delivery Method: HTA/JavaScript Chain
Arctic Wolf researchers also identified a refined delivery mechanism used in early September attacks. This variant leverages HTML Application (HTA) files that load external JavaScript from cloudfront[.]net subdomains. The JavaScript then retrieves and deploys the malicious payloads, adding another layer of indirection to complicate detection and attribution efforts.
Command-and-Control Infrastructure
UNC6384 deployed a distributed infrastructure designed for resilience and evasion:
Identified Domains:
- racineupci[.]org
- naturadeco[.]net
- Multiple cloudfront[.]net subdomains for payload staging
The infrastructure demonstrates several sophisticated characteristics:
- Legitimate Domain Appearance: C2 domains masquerade as benign websites
- HTTPS Encryption: All communications encrypted to hinder network-based detection
- Cloud Infrastructure Abuse: Leveraging legitimate CDN services (CloudFront) to blend malicious traffic with normal web activity
- Geographic Distribution: Infrastructure spread across multiple jurisdictions to complicate takedown efforts
This approach reflects a mature understanding of defender capabilities and deliberate efforts to maximize operational longevity while minimizing detection risk.
Target Profile and Strategic Implications
Confirmed Targets:
- Hungary: Diplomatic personnel
- Belgium: Diplomatic organizations
- Italy: Government and diplomatic entities
- Netherlands: Diplomatic organizations
- Serbia: Government aviation departments
Intelligence Collection Priorities:
The targeting pattern reveals clear alignment with Chinese strategic intelligence requirements:
- European Alliance Cohesion: Monitoring discussions on EU unity and policy coordination
- Defense Cooperation: Intelligence on NATO initiatives, defense procurement, and military cooperation frameworks
- Cross-Border Policy Coordination: Insight into trade facilitation, border security, and multilateral agreements
- EU-Western Balkans Relations: Understanding of expansion discussions and regional influence dynamics
- Economic Policy: Access to discussions on sanctions, trade restrictions, and economic coordination
National Security Implications:
Successful compromise of diplomatic entities enables several high-impact intelligence collection activities:
- Document Exfiltration: Access to classified or sensitive policy documents, negotiation positions, and strategic assessments
- Real-Time Monitoring: Surveillance of ongoing policy discussions, decision-making processes, and internal deliberations
- Credential Harvesting: Collection of authentication credentials for diplomatic networks and partner systems
- Calendar Intelligence: Surveillance of diplomatic schedules, travel plans, and meeting participants
- Long-Term Persistent Access: Establishment of footholds for sustained intelligence gathering operations
The breadth of targeting across multiple European nations within a compressed timeframe suggests either a large-scale coordinated intelligence collection operation or the deployment of multiple parallel operational teams with shared tooling but independent targeting mandates.
Evolution of the CanonStager Tool
Arctic Wolf researchers documented a notable evolution in the CanonStager component throughout the campaign:
- Early September 2025: Initial samples approximately 700 KB in size
- October 2025: Refined samples reduced to approximately 4 KB
This 99% size reduction indicates active development and optimization efforts. The evolution demonstrates UNC6384’s commitment to minimizing forensic footprints while maintaining operational effectiveness. The minimal tool design achieves its infection objectives while leaving significantly less evidence for incident responders to analyze.
Attribution Assessment
Arctic Wolf Labs assesses with high confidence that this campaign is attributable to UNC6384 based on multiple converging lines of evidence:
Malware Tooling:
- Deployment of PlugX (SOGU.SEC variant) consistent with historical UNC6384 operations
- DLL side-loading techniques matching established tradecraft
- Use of Canon printer utilities as legitimate signed executables
- Memory-resident malware deployment to evade disk-based detection
Tactical Procedures:
- Spear-phishing with diplomatic lures
- Multi-stage infection chains
- Exploitation of Windows shortcut vulnerabilities
- Use of legitimate infrastructure for payload delivery
Targeting Alignment:
- Focus on diplomatic entities
- Geographic expansion consistent with PRC strategic interests
- Thematic focus on defense cooperation and policy coordination
- Timeline correlation with key diplomatic events
Infrastructure Overlaps:
- C2 domains consistent with previous UNC6384 campaigns
- Use of CloudFront for payload staging
- HTTPS-encrypted communications patterns
The tactical and tooling similarities with Mustang Panda further strengthen this attribution, with both groups demonstrating overlapping command-and-control infrastructure, PlugX variants, and DLL side-loading techniques aligned with Chinese state-sponsored cyber espionage objectives.
Detection and Mitigation Strategies
Immediate Actions:
1. Block Known IOCs: Deploy network-level blocks for identified infrastructure:
- racineupci[.]org
- naturadeco[.]net
- Associated CloudFront subdomains documented in threat reports
2. Hunt for Indicators of Compromise: Search endpoint environments for:
- cnmpaui.exe executing from non-standard user profile directories
- Suspicious tar archive files in %AppData%\Local\Temp
- Obfuscated PowerShell execution chains
- Unexpected Canon printer utility processes
- Registry persistence mechanisms (e.g., Run keys with suspicious entries)
3. Implement LNK File Restrictions: Windows exposes no Group Policy setting that blocks shortcut execution outright, and the vulnerability is purely one of display, so the controls that matter are the ones that stop what the hidden command launches and the ones that keep hostile shortcuts from reaching users:
- Restrict the script hosts the shortcuts invoke (powershell.exe, cmd.exe, mshta.exe, wscript.exe) with AppLocker or Windows Defender Application Control so they do not run for standard users or from user-writable paths
- Where PowerShell cannot be removed, enforce Constrained Language Mode through the same application-control policy and enable script block logging; setting an execution policy alone is not a control, since -ExecutionPolicy Bypass on the command line defeats it
- Block .LNK files at the email gateway and web proxy; shortcuts have no legitimate reason to arrive as attachments or downloads
- Keep Mark-of-the-Web propagation and SmartScreen enabled, and enable Smart App Control where the fleet supports it, in line with Microsoft’s own guidance for this flaw
4. Enhanced Email Security:
- Implement advanced email filtering to detect and block suspicious .LNK files
- Deploy URL reputation services to identify phishing infrastructure
- Enable warnings for external emails containing attachments
- Implement DMARC, SPF, and DKIM to prevent email spoofing
Detection Capabilities:
Endpoint Detection and Response (EDR): Deploy detection rules for:
- DLL side-loading behavior
- PowerShell obfuscation patterns
- Memory-resident malware injection
- Reflective DLL loading
- Suspicious use of legitimate signed binaries
YARA Rules: Leverage YARA signatures provided by Arctic Wolf Labs to detect PlugX variants associated with this campaign. Scan both disk and memory for matching patterns.
Network Monitoring: Implement detection for:
- Unusual HTTPS traffic patterns to newly registered domains
- Large data transfers to suspicious destinations
- C2 beacon patterns consistent with PlugX communications
- DNS queries to known malicious infrastructure
Security Information and Event Management (SIEM): Create correlation rules for:
- PowerShell execution with obfuscation
- Scheduled task creation with deceptive names
- Registry Run key modifications
- Canon printer utility execution from user profile directories
- tar.exe usage in suspicious contexts
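The side-loading stage and the correlation rules above can be expressed as a small triage pass over endpoint telemetry. The following is an added example, not Arctic Wolf’s detection content: Sysmon-style process-creation and image-load events (constructed here, with a made-up user, paths and command lines) are checked for the campaign’s file names and, more generally, for any process that loads an unsigned DLL from its own user-writable directory, which also catches side-loading hosts this campaign does not use. Field names follow Sysmon’s Event ID 1 and Event ID 7 schema; the user-writable path list is this example’s assumption.

```python
"""Triage process-creation and image-load telemetry for the side-loading chain.
Added example, not detection content from the original article. Events use
Sysmon-style field names (EventID 1 = process create, 7 = image load; Image,
ParentImage, CommandLine, ImageLoaded, Signed) but are constructed for this script.
"""
import re

# Directories a standard user can write to (assumption of this example); a signed
# vendor utility has no business running from, or loading DLLs from, any of them.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)(\\|$)", re.I)
SIDELOAD_HOSTS = {"cnmpaui.exe"}      # signed binaries the campaign used as hosts
SIDELOAD_DLLS = {"cnmpaui.dll"}       # loader DLL names from the campaign
HIDDEN_PS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"
    r"|-e(p|xecutionpolicy)\s+bypass", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def in_user_writable(path: str) -> bool:
    return USER_WRITABLE.match(path) is not None


def check_process(e: dict) -> list[str]:
    """Rules for EventID 1 (process create)."""
    hits = []
    image, parent, cmd = e["Image"], e.get("ParentImage", ""), e.get("CommandLine", "")
    if basename(image) in SIDELOAD_HOSTS and in_user_writable(dirname(image)):
        hits.append("sideload_host_in_user_writable_path")
    if basename(parent) == "powershell.exe" and basename(image) == "tar.exe":
        hits.append("powershell_spawns_tar")
    if basename(image) in {"powershell.exe", "pwsh.exe"} and HIDDEN_PS.search(cmd):
        hits.append("hidden_or_encoded_powershell")
    return hits


def check_image_load(e: dict) -> list[str]:
    """Rules for EventID 7 (image load). The generic rule flags any process that
    loads an unsigned DLL from its own directory when that directory is
    user-writable, which covers side-loading hosts not on the known list."""
    hits = []
    exe, dll = e["Image"], e["ImageLoaded"]
    unsigned = str(e.get("Signed", "false")).lower() != "true"
    if basename(dll) in SIDELOAD_DLLS and unsigned:
        hits.append("known_sideload_dll_unsigned")
    if dirname(exe) == dirname(dll) and unsigned and in_user_writable(dirname(exe)):
        hits.append("unsigned_dll_beside_exe_in_user_writable_path")
    return hits


def triage(events: list[dict]) -> list[dict]:
    """Return one finding per (event, rule) pair with enough context to pivot on."""
    findings = []
    for e in events:
        if e["EventID"] == 1:
            rules = check_process(e)
        elif e["EventID"] == 7:
            rules = check_image_load(e)
        else:
            rules = []
        for rule in rules:
            findings.append({"rule": rule, "image": e["Image"],
                             "detail": e.get("ImageLoaded") or e.get("CommandLine", "")})
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\diplomat\AppData\Local\Temp"
# Constructed telemetry mirroring the chain: hidden PowerShell -> tar extraction ->
# signed Canon utility from Temp -> loader DLL from the same directory. The last
# two events are benign controls (a vendor install path, a system DLL).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c tar -xf rjnlzlkfe.ta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\tar.exe", "ParentImage": PS,
     "CommandLine": rf"tar -xf {TEMP}\rjnlzlkfe.ta -C {TEMP}"},
    {"EventID": 1, "Image": rf"{TEMP}\cnmpaui.exe", "ParentImage": PS,
     "CommandLine": "cnmpaui.exe"},
    {"EventID": 7, "Image": rf"{TEMP}\cnmpaui.exe", "ImageLoaded": rf"{TEMP}\cnmpaui.dll",
     "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Canon\cnmpaui.exe",
     "ImageLoaded": r"C:\Program Files\Canon\cnmpaui.dll", "Signed": "true"},
    {"EventID": 7, "Image": rf"{TEMP}\cnmpaui.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['rule']:48} {f['image']}  {f['detail']}")
```

The named-file rules are the cheap win for this campaign; the generic unsigned-DLL-beside-signed-EXE rule is the one worth keeping after the indicators age out, tuned against whatever legitimately runs from ProgramData in your environment.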
Long-Term Defense Strategies:
1. User Training and Awareness: Conduct targeted security awareness training focusing on:
- Recognition of sophisticated phishing attempts
- Verification of unexpected attachments
- Proper handling of diplomatic-themed communications
- Reporting procedures for suspicious emails
Prioritize training for personnel with access to sensitive diplomatic or policy information, as they represent high-value targets for APT groups.
2. Privileged Access Management:
- Implement least privilege principles
- Deploy privileged access workstations (PAWs) for sensitive operations
- Enforce multi-factor authentication for all accounts
- Regularly audit and rotate credentials
3. Application Control: Deploy application allowlisting solutions that:
- Prevent unauthorized executable execution
- Restrict DLL loading to trusted locations
- Block unsigned or suspicious scripts
- Enforce code signing requirements
4. Network Segmentation:
- Isolate diplomatic systems from general corporate networks
- Implement zero-trust network architecture
- Deploy micro-segmentation for critical systems
- Monitor east-west traffic for lateral movement
5. Incident Response Preparation:
- Develop and test incident response playbooks specific to APT scenarios
- Establish communication protocols with intelligence agencies and CERT teams
- Maintain offline backups of critical diplomatic communications
- Conduct regular tabletop exercises simulating APT compromise
The Broader Context: State-Sponsored Exploitation of CVE-2025-9491
UNC6384’s exploitation of CVE-2025-9491 is far from an isolated incident. Since the vulnerability’s discovery, at least 11 distinct state-sponsored threat groups have actively weaponized it:
Known Exploitation:
- North Korean APTs: Leveraging .LNK exploitation for cryptocurrency theft and intelligence gathering
- Iranian Threat Groups: Targeting regional adversaries and Western organizations
- Russian APTs: Deploying Remcos RAT and conducting operations against Ukraine
- Chinese APTs: UNC6384 among several China-nexus groups
- Unattributed: XDSpy, which delivered its XDigo malware through the same shortcut technique but whose state sponsorship is not publicly attributed
Victim Scope:
Organizations across multiple sectors have been affected:
- Government agencies and diplomatic missions
- Financial institutions (particularly cryptocurrency-related)
- Telecommunications providers
- Military and defense contractors
- Energy sector organizations
- Think tanks and NGOs
Geographic Distribution:
Confirmed victims span:
- North America (predominantly US and Canada)
- Europe (Eastern and Western)
- Asia (Russia, South Korea, Vietnam, Taiwan, Mongolia)
- South America
- Australia
The widespread exploitation by diverse threat actors underscores the vulnerability’s significance and the urgent need for comprehensive mitigation strategies, particularly given Microsoft’s decision not to release a patch.
Lessons for Diplomatic and Government Organizations
Key Takeaways:
1. Unpatched Vulnerabilities Remain High Risk: The CVE-2025-9491 case demonstrates that even when vendors decline to patch vulnerabilities, sophisticated threat actors will continue exploitation. Organizations cannot rely solely on vendor patching and must implement layered defensive controls.
2. Social Engineering Remains Highly Effective: Despite advanced technical capabilities, UNC6384’s initial compromise vector relies on convincing spear-phishing. The use of authentic diplomatic themes, real event details, and proper terminology enables these attacks to bypass user skepticism.
3. Legitimate Infrastructure Abuse Complicates Detection: By leveraging signed executables, legitimate CDN services, and trusted file types, attackers can evade many traditional security controls. Defense strategies must account for this advanced tradecraft.
4. Rapid Vulnerability Adoption Requires Agile Defense: UNC6384 weaponized CVE-2025-9491 within six months of public disclosure. Organizations must maintain threat intelligence awareness and quickly implement compensating controls when patches are unavailable.
5. APT Operations Align with Geopolitical Events: The targeting of European diplomatic entities coincides with significant policy discussions on EU-Balkans relations, defense cooperation, and sanctions coordination. Organizations should anticipate heightened threat activity around sensitive diplomatic events.
Looking Forward: The UNC6384 Threat Trajectory
Operational Expansion:
UNC6384’s shift from Southeast Asian targets to European diplomatic entities suggests several possibilities:
- Broadened Intelligence Priorities: PRC strategic interests increasingly focus on European alliance dynamics, defense initiatives, and economic policy
- Regional Team Deployment: Establishment of new operational units with European focus while maintaining centrally developed tools
- Increased Operational Tempo: Expansion of overall capacity enabling simultaneous multi-region campaigns
Technical Evolution:
The group demonstrates continuous refinement of tradecraft:
- Rapid integration of newly disclosed vulnerabilities
- Optimization of malware payloads for reduced forensic footprint
- Diversification of delivery mechanisms (LNK, HTA, JavaScript chains)
- Enhanced evasion through legitimate infrastructure abuse
Strategic Implications:
European diplomatic, government, and defense organizations should anticipate:
- Continued and potentially escalated targeting
- Additional vulnerability exploitation as new flaws are disclosed
- More sophisticated social engineering leveraging real-time geopolitical developments
- Sustained intelligence collection operations aligned with PRC strategic objectives
Conclusion
The UNC6384 campaign against European diplomats represents a sophisticated, well-resourced cyber espionage operation that exploits the intersection of unpatched software vulnerabilities, advanced social engineering, and legitimate infrastructure abuse. The threat actor’s rapid weaponization of CVE-2025-9491, combined with refined delivery mechanisms and proven persistence capabilities, demonstrates a mature APT capability aligned with Chinese state-sponsored intelligence requirements.
For European diplomatic and government organizations, this campaign serves as a stark reminder that nation-state threat actors possess both the technical sophistication and geopolitical motivation to conduct sustained intelligence collection operations. The absence of a vendor-provided patch for CVE-2025-9491 places additional responsibility on defenders to implement comprehensive compensating controls.
Organizations in the diplomatic, government, and defense sectors must prioritize:
- Implementation of technical controls to mitigate unpatched vulnerabilities
- Enhanced security awareness training for personnel with access to sensitive information
- Deployment of advanced detection capabilities focused on APT tradecraft
- Intelligence-driven threat hunting aligned with geopolitical developments
- Preparation for sustained, sophisticated targeting by well-resourced adversaries
As geopolitical tensions persist and cyber espionage capabilities continue to advance, the threat landscape for diplomatic entities will only intensify. Proactive defense, informed by threat intelligence and aligned with organizational risk tolerance, remains the most effective strategy for protecting sensitive diplomatic communications and national security interests from state-sponsored cyber threats.
Indicators of Compromise (IOCs)
Malicious Domains:
- racineupci[.]org
- naturadeco[.]net
File Names:
- cnmpaui.exe (Canon printer utility - legitimate but abused)
- cnmpaui.dll (malicious DLL loader)
- cnmplog.dat (encrypted PlugX payload)
- rjnlzlkfe.ta (tar archive containing malware components)
- Agenda_Meeting 26 Sep Brussels.lnk (example malicious shortcut)
File Paths:
- %AppData%\Local\Temp\ (malware staging directory)
- C:\Users\Public\Libraries\ (potential persistence location)
YARA Detection: Organizations should consult the full Arctic Wolf Labs technical report for comprehensive YARA rules specific to this campaign’s PlugX variant.
References and Further Reading
- Arctic Wolf Labs: “UNC6384 Weaponizes ZDI-CAN-25373 Windows Vulnerability Against European Diplomats” (October 2025)
- Google Threat Intelligence Group: “UNC6384 Threat Actor Profile”
- Zero Day Initiative: “ZDI-CAN-25373 Technical Analysis” (March 2025)
- Trend Micro: “Windows Shortcut Vulnerability Exploitation by State-Sponsored Groups”
- CVE-2025-9491 National Vulnerability Database Entry
- Microsoft Security Response Center: Statement on CVE-2025-9491
This analysis was prepared based on open-source intelligence and published security research. Organizations concerned about potential compromise should engage qualified incident response professionals and coordinate with relevant national cybersecurity agencies.
Threat Level: HIGH - Active exploitation by state-sponsored actors targeting diplomatic and government entities
CVSS Score: 7.0-7.8 (High)
Vulnerability Status: UNPATCHED - Compensating controls required



