A China-linked hacking group is exploiting an unpatched Windows zero-day to attack European diplomats, with targets in Hungary, Belgium and other countries across the continent. Arctic Wolf Labs, which documented the campaign, describes an attack chain that starts with spearphishing emails carrying malicious .LNK (Windows shortcut) files disguised as invitations to NATO defense procurement workshops, European Commission border facilitation meetings and other diplomatic events.
When a recipient opens the shortcut, it exploits the Windows .LNK vulnerability tracked as CVE-2025-9491 to deploy the PlugX remote access trojan (RAT). PlugX gives the attackers persistent access to the compromised system, which they use to monitor diplomatic communications and exfiltrate sensitive information.
Attribution and Broadened Targeting
The cyber-espionage campaign has been linked to a Chinese state-sponsored threat group tracked as UNC6384 and associated with Mustang Panda. The group has a history of espionage operations aligned with Chinese strategic interests, historically aimed at diplomatic entities across Southeast Asia. Recent analyses by Arctic Wolf Labs and StrikeReady indicate that the targeting has widened in recent weeks: what began as a campaign against Hungarian and Belgian diplomatic targets now also covers Serbian government agencies and diplomatic entities in Italy and the Netherlands.
Arctic Wolf Labs researchers attribute the campaign to UNC6384 with high confidence, citing several converging lines of evidence: shared malware tooling, matching tactics, techniques and procedures, alignment of targets, and infrastructure overlaps with previously documented operations by the group.
The vulnerability at the heart of this campaign, CVE-2025-9491, lets an attacker run code of their choosing on a targeted Windows system, but only with user interaction: the victim has to open a booby-trapped shortcut file or visit a web page that delivers one. The flaw lies in how Windows displays .LNK shortcut files. The command-line arguments stored in the shortcut are padded with long runs of whitespace characters (space, tab, line feed, vertical tab, form feed and carriage return), so the Target field shown in the shortcut's Properties dialog displays only the innocuous-looking executable path, and the malicious arguments that follow the padding never appear to the user. The shortcut then executes with the full, hidden command line when the user double-clicks it.
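The padding trick described above can be checked for directly, because the arguments live in a known field of the Shell Link file format. The following Python example, added here and not taken from Arctic Wolf Labs or any of the reports mentioned on this page, walks the .LNK header and StringData fields per the public [MS-SHLLINK] layout, pulls out COMMAND_LINE_ARGUMENTS, and flags a long run of the six whitespace characters. The build_lnk() helper and the two sample shortcuts are constructed here purely so the scanner runs offline; the "Get-Date" command in the padded sample is a harmless placeholder, not the command line used in the real campaign, and the 900-character padding length is an illustrative value, not a measured one.

```python
"""Parse a Windows Shell Link (.LNK) and flag whitespace-padded COMMAND_LINE_ARGUMENTS.

Layout per [MS-SHLLINK]: a 76-byte ShellLinkHeader, then optional
LinkTargetIDList and LinkInfo, then the StringData fields selected by LinkFlags.
build_lnk() exists only to construct offline samples for the scanner.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits that change the file layout
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields in the order the format stores them
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Space, tab, LF, VT, FF, CR: the characters used to push the real arguments out of view
PADDING_CLASS = "[ \t\n\x0b\x0c\r]"


def build_lnk(relative_path, arguments, unicode=True):
    """Assemble a minimal shortcut: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS (sample only)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    # LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL,
    # HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIiIHHII", flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s):
        # CountCharacters (uint16) followed by the string, no terminator
        encoded = s.encode("utf-16-le") if unicode else s.encode("cp1252")
        return struct.pack("<H", len(s)) + encoded

    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data):
    """Return the StringData fields of a .LNK, skipping the structures the scanner does not need."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize is a uint16 that excludes itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize is a uint32 that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    # ANSI strings use the system code page; cp1252 is an approximation for this example
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        raw = data[off:off + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated %s string" % name)
        fields[name] = raw.decode(codec)
        off += count * width
    return fields


def analyze_arguments(arguments, min_run=32):
    """Flag a run of at least min_run padding characters and return whatever follows it."""
    match = re.search(PADDING_CLASS + "{%d,}" % min_run, arguments)
    if match is None:
        return {"suspicious": False, "padding_len": 0, "hidden": ""}
    return {"suspicious": True,
            "padding_len": match.end() - match.start(),
            "hidden": arguments[match.end():]}


def scan_lnk(data, min_run=32):
    """Parse a shortcut and report its visible target plus any argument text hidden behind padding."""
    fields = parse_lnk(data)
    verdict = analyze_arguments(fields.get("arguments", ""), min_run)
    verdict["target"] = fields.get("relative_path", "")
    return verdict


POWERSHELL = "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed padded sample: 900 mixed whitespace characters precede the real arguments.
# "Get-Date" is a harmless stand-in, not the command line from the campaign.
PADDED_SAMPLE = build_lnk(POWERSHELL, "\x20\x09\x0a\x0b\x0c\x0d" * 150 + "-w hidden -c Get-Date")
# Constructed benign sample, stored as an ANSI (non-Unicode) shortcut
BENIGN_SAMPLE = build_lnk("..\\..\\Windows\\System32\\notepad.exe", "C:\\Users\\Public\\agenda.txt",
                          unicode=False)

if __name__ == "__main__":
    for label, sample in (("padded", PADDED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_lnk(sample))
```

The threshold of 32 consecutive whitespace characters is a tuning choice: legitimate shortcuts carry single spaces between arguments, so any long run is worth a look, while a very low threshold would fire on shortcuts with a few stray spaces. Real samples may also carry a LinkTargetIDList and LinkInfo before the strings, which the parser skips by their size fields, and may omit the RELATIVE_PATH field entirely, in which case the "target" key comes back empty and the IDList would have to be decoded to recover the path.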
In March 2025, Trend Micro threat analysts reported that the flaw (then tracked as ZDI-CAN-25373, before CVE-2025-9491 was assigned) was already being exploited by 11 state-sponsored groups as well as cybercrime organizations, including Evil Corp, APT43 (Kimsuky) and Mustang Panda. The variety of payloads and loaders delivered through it, among them Ursnif, Gh0st RAT and Trickbot, further complicates the threat landscape, particularly with the growth of malware-as-a-service (MaaS) platforms.
Despite that, Microsoft said in March that it would "consider addressing" the flaw but that it did not meet the bar for immediate servicing. No patch for CVE-2025-9491 has been released as of this writing. Defenders are therefore advised to restrict or block Windows .LNK files where practical, for example at the email gateway and inside archive attachments, and to block connections to the command-and-control infrastructure listed in Arctic Wolf Labs' indicators. Because the padding lives in the shortcut's argument field, incoming .LNK files can also be triaged by parsing that field directly rather than relying on what the Properties dialog displays.