China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats

Oct 31, 2025 | Ravie Lakshmanan

Malware / Threat Intelligence

Recent Cyber Attacks Target European Diplomacy

A China-affiliated threat actor tracked as UNC6384 has been observed exploiting an unpatched Windows shortcut (LNK) vulnerability in a series of attacks against diplomatic and governmental entities in Europe, specifically in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, according to a technical report Arctic Wolf published on Thursday.

The attacks begin with spear-phishing emails containing embedded URLs that lead into a multi-stage chain. The emails are themed around European Commission meetings, NATO workshops, and other multilateral diplomatic events to look relevant to the recipient. Their purpose is to deliver malicious LNK files that exploit the vulnerability tracked as ZDI-CAN-25373, which in this campaign is used to deploy the PlugX malware via DLL side-loading.

PlugX, also known as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG, is a remote access trojan that gives attackers extensive control over a compromised system. The Google Threat Intelligence Group (GTIG) has previously documented UNC6384 and noted tactical overlaps with another China-linked group, Mustang Panda.

The latest attacks use diplomatic-themed phishing emails to trick recipients into opening LNK files that exploit ZDI-CAN-25373. The flaw, now tracked as CVE-2025-9491 (CVSS score: 7.0), was publicly disclosed in March 2025 by Trend Micro ZDI researchers Peter Girnus and Aliakbar Zahravi, who reported that it had already been exploited by a range of threat actors. It has also been used by the cyber espionage group XDSpy to distribute a Go-based malware called XDigo.
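ZDI-CAN-25373 is a user-interface weakness rather than a memory-safety bug: the COMMAND_LINE_ARGUMENTS string inside a shortcut can be padded with whitespace so that the real command line sits beyond the part the Windows Properties dialog shows, and the file looks like a plain link to a benign program. The script below is an added example, not code from Arctic Wolf or from this article. It builds a constructed shortcut straight from the MS-SHLLINK layout, parses the StringData fields back out, and flags heavy leading padding in the arguments. The relative target paths, the placeholder stage-one command and the 64-character threshold are assumptions chosen for the demonstration, not details of UNC6384's files.

```python
"""Flag .lnk files whose command-line arguments hide behind whitespace padding
(the technique behind ZDI-CAN-25373 / CVE-2025-9491).

Added example, not code from Arctic Wolf or from the article. The shortcut
bytes are constructed here from the MS-SHLLINK layout; target path and
stage-one command are placeholders, not UNC6384's.
"""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

# LinkFlags bits (MS-SHLLINK 2.1.1) that this parser understands
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
SW_SHOWMINNOACTIVE = 7  # run minimised so no console window catches the eye

# Whitespace code points that the Properties dialog renders as blank space
PAD_CHARS = frozenset(" \t\n\x0b\x0c\r")


def build_lnk(relative_path: str, arguments: str, padding: str = "") -> bytes:
    """Minimal Unicode shortcut carrying only RelativePath and Arguments (constructed)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3x FILETIME, FileSize,
    # IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:  # CountCharacters + UTF-16LE, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(padding + arguments)


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip IDList/LinkInfo, and return the StringData fields."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a Shell Link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return fields


def leading_padding(arguments: str) -> int:
    """Number of padding characters before the first visible argument character."""
    n = 0
    for ch in arguments:
        if ch not in PAD_CHARS:
            break
        n += 1
    return n


def is_suspicious(data: bytes, threshold: int = 64) -> bool:
    """True when the arguments carry more leading padding than any sane shortcut."""
    return leading_padding(parse_lnk(data).get("arguments", "")) >= threshold


# Constructed samples: an ordinary shortcut and one padded the way the exploit does
BENIGN = build_lnk(r"..\..\Windows\System32\notepad.exe", "notes.txt")
PADDED = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                   '-w hidden -c "<stage-one command placeholder>"',
                   padding=" " * 900)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        args = parse_lnk(blob)["arguments"]
        print(f"{label}: padding={leading_padding(args)} suspicious={is_suspicious(blob)}")
```

Running the block prints the padding count for both samples; only the padded one is flagged. The parser deliberately skips the LinkTargetIDList and LinkInfo structures by their size prefixes rather than interpreting them, which is all that is needed to reach the StringData section, but it does not handle the optional ExtraData blocks that follow it, and a real triage tool should also log the resolved target so that a shortcut pointing at powershell.exe, mshta.exe or cmd.exe stands out regardless of padding.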

Microsoft has said that Microsoft Defender has detections in place to identify and block this activity, and that Smart App Control adds a further layer of protection by blocking malicious files downloaded from the Internet. Because the underlying flaw remains unpatched, these mitigations detect and block the malicious files rather than change how shortcuts are displayed.

The LNK file is engineered to run a PowerShell command that decodes and extracts a TAR archive while opening a decoy PDF for the user. The archive holds three components: a legitimate Canon printer assistant utility, a malicious DLL called CanonStager that the utility side-loads, and an encrypted PlugX payload ("cnmplog.dat") that the DLL decrypts and launches.
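The side-loading step is where endpoint telemetry has the best chance of catching this chain, because a signed vendor executable loading an unsigned DLL from a user-writable folder is unusual on its own. The script below is an added example, not code from Arctic Wolf or from this article: it runs a side-loading heuristic over constructed records shaped like Sysmon Event ID 7 (Image loaded) fields. The directory names, executable and DLL names, the trusted install roots and the list of commonly hijacked OS DLL names are assumptions modelled on the chain described above, not indicators taken from the report.

```python
"""Hunt for DLL side-loading in Sysmon Event ID 7 (Image loaded) records.

Added example, not code from the Arctic Wolf report or from the article. The
records are constructed in the shape of Sysmon's ImageLoad fields; the paths
and file names are placeholders modelled on the Canon-utility chain described
in the text, not indicators taken from the report.
"""
import ntpath

# Install roots where a vendor binary and its own DLLs legitimately sit together.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# OS DLL names that are commonly planted next to a host EXE to win the search order.
COMMONLY_HIJACKED = {"version.dll", "dwmapi.dll", "userenv.dll", "cryptsp.dll",
                     "wtsapi32.dll", "profapi.dll"}

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\Vendor\PrinterAssistant\assistant.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\PrinterAssistant\assistant_ui.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Example Vendor"},
    # The pattern from the article: a vendor EXE dropped to a temp folder loads an
    # unsigned DLL with the expected name from the same directory.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\agenda\assistant.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\agenda\assistant_ui.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    # Search-order variant: an OS DLL name served from the host's own folder.
    {"Image": r"C:\Users\alice\Downloads\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": r"C:\Users\alice\Downloads\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]


def under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def dll_is_trusted(event: dict) -> bool:
    """Sysmon's Signed/SignatureStatus describe the loaded image, not the host."""
    return event.get("Signed") == "true" and event.get("SignatureStatus") == "Valid"


def classify(event: dict):
    """Return a reason string for a side-loading candidate, or None."""
    exe, dll = event["Image"], event["ImageLoaded"]
    if not dll.lower().endswith(".dll") or under_trusted_root(dll):
        return None
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    if same_dir and ntpath.basename(dll).lower() in COMMONLY_HIJACKED:
        return "os-dll-name-outside-system32"
    if same_dir and not dll_is_trusted(event):
        return "unsigned-sidecar-dll"
    return None


def hunt(events):
    """(reason, host executable, DLL) for every record that looks like side-loading."""
    findings = []
    for event in events:
        reason = classify(event)
        if reason:
            findings.append((reason, event["Image"], event["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for reason, host, dll in hunt(SAMPLE_EVENTS):
        print(f"{reason}: {host} -> {dll}")
```

Two caveats for anyone wiring this into a real pipeline. Sysmon's Event ID 7 only carries the signature state of the loaded image, so confirming that the host really is a validly signed vendor binary (the property that makes side-loading attractive) needs a second lookup, for instance with Get-AuthenticodeSignature on the Image path. And image-load events are off unless the Sysmon configuration includes an ImageLoad rule, so scope that rule to DLLs outside the trusted roots to keep the volume manageable.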

According to Arctic Wolf, PlugX offers a full set of remote access functions, including command execution, keylogging, file operations, and system reconnaissance. Its modular design lets operators add plugin modules for specific tasks.

PlugX also employs anti-analysis and anti-debugging techniques to evade detection and keep a low profile, and it establishes persistence through Windows Registry modifications.

Arctic Wolf also observed that CanonStager artifacts shrank from roughly 700 KB to about 4 KB between early September and October 2025, which suggests the tool is being actively refined to do the same job with a smaller footprint and fewer forensic traces.

In a further change to its delivery mechanism, UNC6384 has recently used an HTML Application (HTA) file that loads external JavaScript, which in turn retrieves the malicious payloads from a cloudfront[.]net subdomain. Arctic Wolf assesses that the focus on European diplomatic entities aligns with the People's Republic of China's intelligence objectives, particularly around European alliance cohesion and defense policy coordination.
