Chinese Hackers Exploit Windows Flaw to Target European Diplomats

Cyber spies allegedly connected to the Chinese government have exploited an unpatched vulnerability in Windows to target European diplomats, aiming to steal sensitive defense and national security information. This flaw, identified in March but not yet addressed by Microsoft, was detailed in research released by security firm Arctic Wolf.

The espionage campaign has been attributed to the group UNC6384, also known as Mustang Panda or Twill Typhoon. According to Arctic Wolf's research published on a recent Thursday, these suspected hackers employed social engineering tactics in conjunction with the Windows vulnerability to deploy PlugX malware against diplomats during diplomatic conferences held in September and October.

“This campaign showcases UNC6384's ability to swiftly adopt newly disclosed vulnerabilities, utilize advanced social engineering techniques, and expand operations from targeting Southeast Asia to European diplomatic entities,” noted Arctic Wolf Labs' threat research team.

Previously, UNC6384 was reported to have attacked diplomats in Southeast Asia before shifting focus to Europe. This group has a history of using the PlugX backdoor, a tool that enables remote access, file theft, and additional malware deployment. Recent targets included diplomats in Belgium, Hungary, Italy, and the Netherlands, as well as Serbian aviation departments.

The vulnerability, known as ZDI-CAN-25373 (CVE-2025-9491), was discovered by Zero Day Initiative threat hunter Peter Girnus, who reported it to Microsoft in March. Girnus indicated that the weakness had been exploited as a zero-day since as far back as 2017, with numerous state-sponsored groups from North Korea, Iran, Russia, and China utilizing the same exploit for cyber espionage.

The attacks typically began with phishing emails that employed specific themes related to European defense and security initiatives. These emails contained a weaponized LNK file designed to exploit the Windows shortcut vulnerability, allowing attackers to execute commands secretly.

One of the malicious files, named “Agenda_Meeting 26 Sep Brussels.lnk,” featured themes relevant to diplomatic conferences and included a decoy PDF displaying a genuine meeting agenda from the European Commission regarding border crossing facilitation between the EU and Western Balkan nations.

When executed, the LNK file triggered PowerShell to decode and extract a tar archive containing three files, facilitating the attack via a technique called DLL sideloading. This method deceives an application into loading a malicious DLL instead of the legitimate one, leveraging the Windows DLL search order.

Among the files was a legitimate Canon printer assistant utility which, although its signing certificate had expired, was still trusted by Windows because the signature carried a valid timestamp. This allowed the attackers to bypass security measures and deliver their malware effectively.

The malicious DLL acted as a loader, decrypting and running the third file in the archive, cnmplog.dat, which held the encrypted PlugX payload. PlugX, a Remote Access Trojan that has existed since at least 2008, grants attackers comprehensive control over infected machines, including capabilities for command execution, keylogging, file transfers, and persistent access.
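The combination described above, a trusted signed executable whose signer certificate has already expired sitting next to an unsigned DLL and an opaque data file, is something a responder can look for when triaging a dropped directory. The following PowerShell triage script is an added example and not code from the article or from Arctic Wolf; it relies only on the built-in `Get-AuthenticodeSignature` cmdlet, and the `$Directory` parameter is an assumed input.

```powershell
# Added example (not from the article): triage a directory for the
# sideloading staging pattern described above. Authenticode still trusts a
# signature whose certificate has since expired if the signature carries a
# trusted timestamp countersignature, so a "Valid" status alone is not
# enough; we surface that case explicitly. $Directory is an assumed input.
param(
    [Parameter(Mandatory = $true)]
    [string]$Directory
)

$now = Get-Date
$results = foreach ($file in Get-ChildItem -Path $Directory -File) {
    $isBinary = $file.Extension -in '.exe', '.dll'
    $sig = if ($isBinary) { Get-AuthenticodeSignature -FilePath $file.FullName } else { $null }
    $cert = if ($sig) { $sig.SignerCertificate } else { $null }

    [pscustomobject]@{
        Name              = $file.Name
        SignatureStatus   = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
        Signer            = if ($cert) { $cert.Subject } else { '' }
        CertExpired       = [bool]($cert -and $cert.NotAfter -lt $now)
        HasTimestamp      = [bool]($sig -and $sig.TimeStamperCertificate)
        # Trusted by Windows today only because of the timestamp countersignature.
        ExpiredButTrusted = [bool]($sig -and $sig.Status -eq 'Valid' -and $cert -and $cert.NotAfter -lt $now)
        UnsignedDll       = [bool]($file.Extension -eq '.dll' -and $sig -and $sig.Status -ne 'Valid')
        # Non-PE files dropped beside the binaries (e.g. encrypted payload blobs).
        OpaqueData        = -not $isBinary
    }
}

$results | Format-Table -AutoSize

# Flag the pairing this campaign relied on: a trusted EXE with an expired
# signer certificate next to an unsigned DLL it could be made to load.
$trustedExe  = $results | Where-Object { $_.Name -like '*.exe' -and $_.ExpiredButTrusted }
$sideloadDll = $results | Where-Object UnsignedDll
if ($trustedExe -and $sideloadDll) {
    Write-Warning ("Possible DLL sideloading staging in {0}: {1} (expired cert, timestamped) beside unsigned {2}" -f `
        $Directory, ($trustedExe.Name -join ', '), ($sideloadDll.Name -join ', '))
}
```

Run it against the extracted archive directory; a warning means the folder matches the staging layout, which is a triage lead rather than proof of compromise.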

“This three-stage execution process ensures that the PlugX malware operates stealthily within a legitimate signed process, significantly reducing the chances of detection by endpoint security systems,” the researchers explained.

As of now, Microsoft has not responded to inquiries regarding the exploitation of ZDI-CAN-25373 by state-sponsored actors, nor has it provided a timeline for addressing the security flaw.