Hackers Weaponizing Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability

Chinese-affiliated threat actor UNC6384 has been actively leveraging a critical Windows shortcut vulnerability to target European diplomatic entities across Hungary, Belgium, Serbia, Italy, and the Netherlands.

Arctic Wolf researchers identified this sophisticated cyber espionage campaign operating throughout September and October 2025, representing a significant evolution in the group’s operational capabilities and geographic reach.

The attack begins with carefully crafted spearphishing emails containing URLs that deliver malicious LNK files disguised as legitimate diplomatic conference agendas.

These files reference authentic European Commission meetings, NATO defense procurement workshops, and multilateral coordination events.

When users click these seemingly innocent shortcuts, a critical flaw in Windows shortcut handling enables silent command execution that most detection systems fail to catch.

UNC6384 rapidly adopted the ZDI-CAN-25373 vulnerability within just six months of its March 2025 public disclosure, demonstrating exceptional operational agility and vulnerability tracking capabilities.

Execution chain (Source – Arctic Wolf)

Arctic Wolf analysts who identified the malware noted a sophisticated infection mechanism that builds a multi-stage attack chain designed to evade traditional security defenses.

Technical Infection Mechanism and Payload Delivery

The exploitation mechanism abuses whitespace padding within the LNK file's COMMAND_LINE_ARGUMENTS field to push the malicious command out of the user's view, so the shortcut appears harmless on inspection.
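As an added example (not Arctic Wolf's code or anything from the report), the checker below parses the MS-SHLLINK StringData section of a shortcut and flags a COMMAND_LINE_ARGUMENTS field that is front-padded with whitespace. The minimal LNK builder, the sample arguments and the padding threshold are my own constructions for testing the checker.

```python
import struct

# LinkFlags bits and header size from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
PAD_CHARS = " \t\r\n\x0b\x0c"

def _read_string(data, off, unicode_):
    """StringData entry: CountCharacters (uint16) then the string, no terminator."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode_:
        return data[off:off + count * 2].decode("utf-16-le"), off + count * 2
    return data[off:off + count].decode("latin-1"), off + count

def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of an LNK, or None if absent."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link header")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    args = None
    # StringData blocks appear in this fixed order, each only if its flag is set
    for bit in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if flags & bit:
            s, off = _read_string(data, off, bool(flags & IS_UNICODE))
            if bit == HAS_ARGUMENTS:
                args = s
    return args

def padded_arguments(data, threshold=32):
    """(flagged, leading_pad_length, visible_arguments); threshold is an assumption."""
    args = lnk_arguments(data)
    if args is None:
        return (False, 0, "")
    pad = len(args) - len(args.lstrip(PAD_CHARS))
    return (pad >= threshold, pad, args.strip(PAD_CHARS))

def build_lnk(arguments):
    """Constructed minimal LNK: header plus a Unicode arguments block only."""
    header = struct.pack("<I16sI", HEADER_SIZE, SHELL_LINK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Run it over shortcuts attached to inbound mail; a large leading pad with a non-empty stripped remainder is the signal worth alerting on.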

Upon execution, the compromised shortcut silently invokes PowerShell to extract and decompress a tar archive containing three critical components: a legitimate, digitally signed Canon printer utility, a malicious DLL loader, and an encrypted PlugX remote access trojan payload.

The attack chain employs DLL side-loading, exploiting the standard Windows library search order. When the Canon executable launches, Windows resolves its supporting libraries by searching the executable's own directory before checking system folders.

The malicious DLL positioned there transparently loads, then decrypts the PlugX payload using a hardcoded RC4 key and injects it directly into the legitimate process’s memory space, creating a nearly undetectable persistent backdoor.

The PlugX malware establishes encrypted HTTPS command and control connections using randomized parameters across multiple redundant domains including racineupci[.]org and dorareco[.]net.

The malware creates hidden persistence directories with spoofed names like “SamsungDriver” and modifies Windows registry Run keys, ensuring continued access across system restarts.

This campaign demonstrates nation-state level sophistication, combining zero-day exploitation knowledge with meticulous social engineering targeting specific diplomatic personnel and events, representing a substantial intelligence collection threat to European government operations.
