A sophisticated cyber espionage campaign has emerged, targeting European diplomatic institutions and indicating a strategic escalation by the Chinese-affiliated threat actor known as UNC6384. This campaign leverages a specific vulnerability in the Windows shortcut (LNK) user interface—identified as ZDI-CAN-25373, which was first disclosed in March 2025—coupled with tailored social engineering tactics that mimic authentic diplomatic conferences.
Previously documented by Google’s Threat Intelligence Group, UNC6384 has a history of sustained attacks on diplomatic sectors, particularly in Southeast Asia. Recent research from Arctic Wolf Labs reveals that between September and October 2025, entities in Hungary, Belgium, and surrounding European nations have been specifically targeted through a newly evolved attack chain. Notably, the group’s operations have expanded to encompass core European diplomatic spheres, showcasing their tactical agility in quickly adopting exploits. Within just six months of the public disclosure of ZDI-CAN-25373, UNC6384 operationalized this flaw, employing spearphishing emails that contain URLs designed to initiate a multi-stage compromise.
The attack begins when victims engage with seemingly legitimate conference-themed LNK files related to meetings of the European Commission and NATO. These files exploit the Windows vulnerability to covertly execute obfuscated PowerShell commands, which extract and activate a malware-laden archive. The ultimate payload, PlugX, is a remote access trojan (RAT) known for its modularity and favored by various Chinese nexus APT groups.
Multi-Stage Attack Chain
The attack sequence pivots on the weaponized LNK file, which utilizes whitespace padding in its COMMANDLINEARGUMENTS to trigger the exploit. Once activated, the LNK file runs PowerShell to unpack a tar archive, yielding three core files: a legitimate Canon printer assistant executable, a malicious DLL, and an encrypted payload.
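As an added illustration of how a defender might flag shortcuts that use the whitespace-padding trick described above (example code written for this page, not from Arctic Wolf Labs or the article), the following Python reads the ShellLinkHeader and StringData laid out in Microsoft's MS-SHLLINK specification, extracts COMMAND_LINE_ARGUMENTS, and reports long whitespace runs that hide the real command from the Windows properties dialog. The 32-character threshold, the latin-1 fallback for non-Unicode shortcuts and the minimal fixture builder are assumptions for the demo.

```python
import struct
# LinkFlags bits (IDList, LinkInfo, Name, RelativePath, WorkingDir, Arguments, Unicode) and HeaderSize, per MS-SHLLINK.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, IS_UNICODE = (
    0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x80)
HEADER_SIZE = 0x4C

def _read_string(data, off, unicode):
    """One StringData field: 2-byte character count, then the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", data, off)
    width = 2 if unicode else 1
    raw = data[off + 2:off + 2 + count * width]
    text = raw.decode("utf-16-le" if unicode else "latin-1", errors="replace")  # latin-1 is an assumption
    return text, off + 2 + count * width

def extract_lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk, or None if the field is absent."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    (flags,) = struct.unpack_from("<I", data, 0x14)  # LinkFlags follows the 16-byte CLSID
    off = HEADER_SIZE
    if flags & HAS_IDLIST:      # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:    # LinkInfoSize counts the whole LinkInfo block
        off += struct.unpack_from("<I", data, off)[0]
    unicode, args = bool(flags & IS_UNICODE), None
    for bit in (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS):  # fixed StringData order
        if flags & bit:
            value, off = _read_string(data, off, unicode)
            if bit == HAS_ARGS:
                args = value
    return args

def longest_whitespace_run(args):
    """Longest run of consecutive whitespace characters; the padding trick needs a long one."""
    best = run = 0
    for ch in args:
        run = run + 1 if ch.isspace() else 0
        best = max(best, run)
    return best

def is_padded_lnk(data, threshold=32):
    """True if the shortcut hides arguments behind a whitespace run of >= threshold chars (threshold assumed)."""
    args = extract_lnk_arguments(data)
    return args is not None and longest_whitespace_run(args) >= threshold

def build_minimal_lnk(arguments):
    """Constructed fixture (not a real shortcut): header + one Unicode COMMAND_LINE_ARGUMENTS field."""
    header = struct.pack("<I", HEADER_SIZE) + bytes(16) + struct.pack("<I", HAS_ARGS | IS_UNICODE)
    body = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + bytes(HEADER_SIZE - len(header)) + body
```

Real shortcuts carry more optional blocks than the fixture, but the parser walks them in order, so it can be pointed at files quarantined from mail gateways.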
Exploiting the well-known Windows DLL search order for side-loading, the Canon binary, which is digitally signed but with an expired certificate, loads the malicious DLL. This DLL subsequently decrypts and injects the PlugX payload into memory for stealth execution. PlugX enables a wide range of espionage activities, including command execution, file transfer, keylogging, and establishing persistence, all while camouflaging its presence within trusted processes.
Notably, the malware dynamically loads and resolves Windows API functions using obfuscated, runtime-resolved strings, employing anti-analysis techniques such as control-flow flattening and encryption to evade detection. Beyond spearphishing-derived delivery methods, Arctic Wolf Labs has noted UNC6384’s use of alternative vectors, including captive portal hijacking and background-HTA file execution, further underscoring the threat actor’s technical versatility. Their command and control (C2) infrastructure spans numerous domains that resemble legitimate services and is distributed across various regions, complicating efforts to dismantle their operations.
Strategic Impact and Recommendations
The European focus of this campaign highlights entities involved in cross-border policy, defense procurement, and multilateral coordination—areas of significant strategic interest to China. The malware creates a hidden directory in one of several possible locations within the user profile, copying all extracted files to maintain persistent access.
In light of the absence of a formal patch for ZDI-CAN-25373, organizations are advised to disable automatic LNK file resolution, block known C2 domains, and scrutinize the deployment of Canon printer utilities in unusual locations. The alignment of lure documents with actual events, such as EU-Western Balkans border meetings and NATO defense workshops, demonstrates an advanced understanding of diplomatic schedules, thereby increasing the likelihood of successful compromises.
Persistent PlugX infections allow adversaries to exfiltrate confidential documents, surveil policy discussions, and potentially manipulate or monitor diplomatic processes in real time. This not only poses immediate risks of data loss but also threatens long-term strategic disadvantages for targeted governments and organizations. Enhanced user training and continuous monitoring for DLL side-loading attacks are recommended, alongside proactive threat hunting for stealthy, memory-resident malware. This campaign exemplifies a paradigm shift in espionage tactics, blending advanced vulnerability exploitation with contextualized phishing to infiltrate high-value diplomatic networks. Organizations must prioritize robust defenses against rapidly evolving threat actors like UNC6384 to protect critical diplomatic and policy-making processes.