A sophisticated, China-affiliated hacking group tracked as UNC6384 has been observed conducting a fresh series of attacks against European diplomatic and government entities. These attacks, which took place between September and October 2025, leveraged a critical, unpatched vulnerability in Windows shortcut files (LNK) to deliver the powerful PlugX Remote Access Trojan (RAT). The targets included diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, alongside government agencies in Serbia, highlighting a strategic focus on Europe.
The attack initiates with highly targeted spear-phishing emails that contain an embedded URL. This URL is the first step in a multi-stage process designed to lead recipients to a malicious LNK file. The lures used in these phishing attempts are carefully crafted around highly relevant topics, such as European Commission meetings, NATO-related workshops, and various multilateral diplomatic coordination events, making them highly effective at tricking victims. The LNK file is engineered to exploit the known vulnerability, designated ZDI-CAN-25373 and officially tracked as CVE-2025-9491, which then triggers the subsequent stages of the malware deployment.
Once activated, the attack chain uses the shortcut vulnerability to launch a hidden PowerShell command. This command is responsible for decoding and extracting the contents of a TAR archive, while simultaneously displaying a seemingly benign decoy PDF document to the user to maintain the illusion of legitimacy. Inside the archive are three key components: a legitimate Canon printer assistant utility, a malicious DLL file dubbed CanonStager that is then side-loaded by the genuine Canon binary, and an encrypted PlugX payload. This modular process is a hallmark of advanced persistent threat (APT) groups.
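As an added defensive example (not code from the article or from any vendor reporting it draws on): a small Python reader for the shortcut's StringData that flags the traits of the chain described above, namely PowerShell in the arguments, a long run of whitespace in front of them (the properties-dialog hiding trick behind ZDI-CAN-25373) and a ShowCommand that keeps the window minimized. The padding threshold, the finding labels and the two constructed .lnk samples are assumptions made for the demonstration.

```python
import re, struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08),
                 ("working_dir", 0x10), ("arguments", 0x20), ("icon", 0x40))

def parse_lnk(data):
    """Minimal MS-SHLLINK reader: header, skip IDList/LinkInfo, read StringData."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    show_cmd = struct.unpack_from("<I", data, 0x3C)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:                  # IDListSize is a 2-byte prefix
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"show_cmd": show_cmd}
    width = 2 if flags & IS_UNICODE else 1
    for key, bit in STRING_FIELDS:           # fixed order per the spec
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2:off + 2 + n * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + n * width
    return info

def assess_lnk(data, pad_threshold=64):
    """Findings: PowerShell in arguments, long whitespace run, minimized window."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    findings = []
    if "powershell" in args.lower():
        findings.append("powershell-in-arguments")
    longest = max((len(r) for r in re.findall(r"\s+", args)), default=0)
    if longest >= pad_threshold:             # padding hides args in the Properties UI
        findings.append("whitespace-padded-arguments")
    if info["show_cmd"] == 7:                # SW_SHOWMINNOACTIVE: window never shown
        findings.append("minimized-window")
    return findings

def build_lnk(arguments, show_cmd=1):
    """Constructed sample .lnk (flags HasArguments|IsUnicode, no IDList/LinkInfo)."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x20 | 0x80)
    header += b"\0" * 36 + struct.pack("<I", show_cmd) + b"\0" * 12
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
# Constructed samples: a benign shortcut and one shaped like the abuse described above.
BENIGN_LNK = build_lnk("/open agenda.pdf")
PADDED_LNK = build_lnk(" " * 300 + "powershell.exe -NoProfile -Command PLACEHOLDER", 7)
```

Running `assess_lnk` over a directory of mail attachments gives a cheap triage signal; the parser deliberately ignores ExtraData blocks, so extend it before relying on it for anything beyond StringData.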
PlugX, known by several names including Destroy RAT and SOGU, is a potent remote access tool that provides the attackers with extensive capabilities. These include command execution, keylogging, file transfer operations, and comprehensive system reconnaissance. The malware also incorporates various anti-analysis and anti-debugging techniques to complicate forensic investigation and evade detection. Notably, UNC6384 has shown signs of active development, with deployment artifacts such as CanonStager shrinking sharply in size, suggesting an evolution toward a stealthier, more minimal footprint. The group has also been observed refining its delivery, in some cases using an HTML Application (HTA) file to load external JavaScript that fetches the final payload from cloud infrastructure.
The observed tactical and tooling overlap suggests connections between UNC6384 and other established hacking groups, specifically Mustang Panda. Ultimately, the selection of targets—diplomatic entities involved in defense cooperation and cross-border policy coordination—strongly aligns with the strategic intelligence requirements of the People’s Republic of China (PRC) concerning European alliance cohesion and defense initiatives. The continued exploitation of the unpatched ZDI-CAN-25373 vulnerability, which has been abused by multiple actors since at least 2017, underscores the urgency for robust patch management and layered security measures like those provided by Microsoft Defender and Smart App Control.