A sophisticated cyber espionage campaign has recently come to light, targeting European diplomatic institutions and indicating a strategic escalation by the Chinese-affiliated threat actor known as UNC6384. This campaign exploits a vulnerability in the Windows shortcut (LNK) user interface—specifically, the ZDI-CAN-25373 flaw, first disclosed in March 2025. The threat actor employs tailored social engineering tactics that mimic authentic diplomatic conferences to enhance the effectiveness of their operations.
Previously documented by Google’s Threat Intelligence Group, UNC6384 has a history of consistently targeting diplomatic sectors, particularly in Southeast Asia. Recent research from Arctic Wolf Labs reveals that between September and October 2025, entities in Hungary, Belgium, and surrounding European nations have been specifically targeted through a newly evolved attack chain. The group’s operations have expanded, now encompassing core European diplomatic spheres.
The tactical agility of UNC6384 is evident in its rapid adoption of exploits. Within six months of the public disclosure of ZDI-CAN-25373, the group operationalized the flaw, utilizing spearphishing emails embedded with URLs that initiate a multi-stage compromise. The attack begins when victims interact with seemingly legitimate conference-themed LNK files related to meetings of the European Commission and NATO. These files exploit the Windows vulnerability to covertly execute obfuscated PowerShell commands, which extract and activate a malware-laden archive. The ultimate payload delivered is PlugX, a remote access trojan (RAT) known for its modularity and favored by various China-nexus APT groups.
Multi-Stage Attack Chain
The attack sequence is centered around the weaponized LNK file, which employs whitespace padding in its COMMAND_LINE_ARGUMENTS field to trigger the exploit. Once activated, the LNK file runs PowerShell to unpack a tar archive, yielding three core files: a legitimate Canon printer assistant executable, a malicious DLL, and an encrypted payload.
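The padding described above is something a defender can check for directly on disk. The following is an added example, not code from the article or from Arctic Wolf Labs: a minimal parser for the shell link (MS-SHLLINK) StringData section that pulls out COMMAND_LINE_ARGUMENTS and flags a file whose arguments contain a long run of whitespace. The run-length threshold of 64 characters, the `build_sample_lnk` fixture and the placeholder argument strings are assumptions made for the example; the fixture is a constructed link, not one of the campaign's files.

```python
"""Flag whitespace-padded COMMAND_LINE_ARGUMENTS in Windows shell link (.lnk) files.

Added example, not code from the article or from Arctic Wolf Labs: a minimal
MS-SHLLINK StringData parser plus a padding heuristic.  The run-length
threshold and the sample link built below are assumptions.
"""
import struct

HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData structures appear in this fixed order, each only if its flag is set
STRING_DATA_ORDER = [
    (HAS_NAME, "NAME_STRING"),
    (HAS_RELATIVE_PATH, "RELATIVE_PATH"),
    (HAS_WORKING_DIR, "WORKING_DIR"),
    (HAS_ARGUMENTS, "COMMAND_LINE_ARGUMENTS"),
    (HAS_ICON_LOCATION, "ICON_LOCATION"),
]

# Characters the shortcut Properties dialog renders as blank space
PADDING_CHARS = " \t\n\x0b\x0c\r"


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shell link, keyed by structure name."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name}")
        strings[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
        pos += nbytes
    return strings


def longest_whitespace_run(text: str) -> int:
    """Length of the longest consecutive run of padding characters."""
    best = run = 0
    for ch in text:
        run = run + 1 if ch in PADDING_CHARS else 0
        best = max(best, run)
    return best


def scan_lnk(data: bytes, threshold: int = 64) -> dict:
    """Parse a .lnk and judge whether its arguments hide a command behind padding.

    threshold is an assumed cut-off: a few spaces are normal, dozens in a row are not.
    """
    strings = parse_lnk_strings(data)
    args = strings.get("COMMAND_LINE_ARGUMENTS", "")
    run = longest_whitespace_run(args)
    return {
        "strings": strings,
        "longest_run": run,
        "suspicious": run >= threshold,
        "visible_args": args.strip(PADDING_CHARS),   # what the target actually receives
    }


def build_sample_lnk(arguments: str, name: str = "Conference agenda") -> bytes:
    """Constructed fixture: a minimal link with an empty IDList, a NAME_STRING and arguments."""
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    header += struct.pack("<I", HAS_LINK_TARGET_ID_LIST | HAS_NAME | HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))      # remaining header fields zeroed
    id_list = struct.pack("<H", 2) + b"\x00\x00"          # IDListSize=2, TerminalID only
    body = b""
    for text in (name, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + id_list + body


if __name__ == "__main__":
    for label, args in (("benign", "/c echo hello"), ("padded", " " * 300 + "/c placeholder-command")):
        verdict = scan_lnk(build_sample_lnk(args))
        print(label, verdict["longest_run"], verdict["suspicious"], repr(verdict["visible_args"]))
```

The parser walks the header, skips the optional LinkTargetIDList and LinkInfo blocks by their declared sizes, and reads the StringData entries in the order the specification fixes, so the heuristic sees the same argument text the shell would pass to the target. Running `scan_lnk` over a mail gateway's quarantined .lnk attachments, or over `%USERPROFILE%` after an incident, gives a cheap triage signal that the Properties dialog itself does not.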
Utilizing the recognized Windows DLL search order for side-loading, the Canon binary—digitally signed but with an expired certificate—loads the malicious DLL, which subsequently decrypts and injects the PlugX payload into memory for stealth execution. PlugX facilitates extensive espionage activities, including command execution, file transfer, keylogging, and establishing persistence, all while camouflaging its presence within trusted processes.
Notably, the malware dynamically loads and resolves Windows API functions using obfuscated, runtime-resolved strings, employing anti-analysis measures such as control-flow flattening and encryption to evade detection. Beyond spearphishing-derived delivery methods, Arctic Wolf Labs has observed UNC6384’s use of alternative vectors, including captive portal hijacking and background-HTA file execution, further underscoring the threat actor’s technical versatility. Their command and control (C2) infrastructure spans numerous domains that resemble legitimate services and is distributed across various regions, complicating efforts to dismantle their operations.
Strategic Impact and Recommendations
The European focus of this campaign highlights entities involved in cross-border policy, defense procurement, and multilateral coordination—areas of significant strategic interest to China. The malware creates a hidden directory in one of several possible locations within the user profile, copying all extracted files to maintain persistent access.
Given the absence of a formal patch for ZDI-CAN-25373, organizations are advised to disable automatic LNK file resolution, block known C2 domains, and scrutinize the deployment of Canon printer utilities in unusual locations. The alignment of lure documents with actual events, such as EU-Western Balkans border meetings and NATO defense workshops, demonstrates an advanced understanding of diplomatic schedules, thereby increasing the likelihood of successful compromise.
Persistent PlugX infections enable adversaries to exfiltrate confidential documents, surveil policy discussions, and potentially manipulate or monitor diplomatic processes in real time. This poses risks not only of immediate data loss but also of long-term strategic disadvantages for targeted governments and organizations. Enhanced user training and continuous monitoring for DLL side-loading attacks are recommended, alongside proactive threat hunting for stealthy, memory-resident malware. This campaign signifies a paradigm shift in espionage targeting, merging advanced vulnerability exploitation with contextualized phishing to infiltrate high-value diplomatic networks. Organizations must prioritize robust defenses against rapidly evolving threat actors like UNC6384 to protect critical diplomatic and policy-making processes.
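The side-loading stage described in the Multi-Stage Attack Chain section (a signed Canon binary with an expired certificate loading a malicious DLL from a hidden user-profile directory) and the recommendations above (scrutinize printer utilities in unusual locations, monitor for DLL side-loading) reduce to one detection rule. The following is an added example, not code from the article or from Arctic Wolf Labs: it walks constructed image-load events and raises a finding when a signed executable loads a sidecar DLL that does not carry the executable's own signature, with extra context when the executable runs outside the standard install roots, from a hidden directory, or under an expired certificate. The event schema, the `ExamplePrinterVendor` publisher name, the file names and the paths are all assumptions; none of them are the campaign's real indicators.

```python
"""Hunt for DLL side-loading indicators in image-load telemetry.

Added example, not code from the article or from Arctic Wolf Labs: a rule that
walks constructed image-load events and flags a signed vendor executable that
loads an unsigned (or differently signed) DLL from its own directory.  The event
schema, publisher names and paths below are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import ntpath

SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
STANDARD_INSTALL_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


@dataclass
class ImageLoadEvent:
    """One DLL load by a process (constructed schema, Sysmon event ID 7 style)."""
    process_image: str
    process_signer: str          # Authenticode publisher, "" when unsigned
    process_sig_status: str      # "valid", "expired" or "unsigned"
    loaded_image: str
    loaded_signer: str
    loaded_sig_status: str
    process_dir_hidden: bool = False   # directory carries the Hidden attribute


@dataclass
class Finding:
    event: ImageLoadEvent
    reasons: List[str] = field(default_factory=list)


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def _under(path: str, roots) -> bool:
    p = path.lower()
    return any(p == r or p.startswith(r + "\\") for r in roots)


def evaluate(ev: ImageLoadEvent) -> Optional[Finding]:
    """Return a Finding when the load looks like side-loading, else None."""
    exe_dir, dll_dir = _dir(ev.process_image), _dir(ev.loaded_image)
    # A DLL resolved from a system directory is the normal search-order outcome.
    if _under(dll_dir, SYSTEM_DLL_DIRS):
        return None
    # Side-loading needs a sidecar: the DLL sits next to a signed executable.
    if dll_dir != exe_dir or not ev.process_signer:
        return None
    # A vendor's own plugin DLL carries the vendor's signature; a planted one does not.
    if ev.loaded_sig_status == "valid" and ev.loaded_signer == ev.process_signer:
        return None
    reasons = [f"sidecar DLL {ntpath.basename(ev.loaded_image)} not signed by {ev.process_signer}"]
    if not _under(exe_dir, STANDARD_INSTALL_ROOTS):
        reasons.append("signed executable running outside standard install roots")
    if ev.process_dir_hidden:
        reasons.append("executable directory is hidden")
    if ev.process_sig_status == "expired":
        reasons.append("executable signed with an expired certificate")
    return Finding(ev, reasons)


def hunt(events) -> List[Finding]:
    """Apply evaluate() to every event and keep the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample telemetry; "ExamplePrinterVendor" stands in for a real publisher.
SAMPLE_EVENTS = [
    # Normal: vendor tool in Program Files loads a system DLL.
    ImageLoadEvent(r"C:\Program Files\ExamplePrinterVendor\assistant.exe", "ExamplePrinterVendor", "valid",
                   r"C:\Windows\System32\kernel32.dll", "Microsoft Windows", "valid"),
    # Normal: the same tool loads its own signed plugin from its install directory.
    ImageLoadEvent(r"C:\Program Files\ExamplePrinterVendor\assistant.exe", "ExamplePrinterVendor", "valid",
                   r"C:\Program Files\ExamplePrinterVendor\plugin.dll", "ExamplePrinterVendor", "valid"),
    # Suspicious: expired-signed copy in a hidden profile folder loads an unsigned sidecar.
    ImageLoadEvent(r"C:\Users\alice\AppData\Roaming\.cache\assistant.exe", "ExamplePrinterVendor", "expired",
                   r"C:\Users\alice\AppData\Roaming\.cache\helper.dll", "", "unsigned",
                   process_dir_hidden=True),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding.event.process_image)
        for reason in finding.reasons:
            print("  -", reason)
```

The core condition (signed executable, sidecar DLL, signature mismatch) is what separates side-loading from a vendor's legitimate plugin loads, so it gates the finding; location, hidden attribute and certificate validity only add weight. Feeding it real Sysmon or EDR image-load events requires mapping their signer and signature-status fields onto the constructed schema.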