A Windows vulnerability (CVE-2025-9491, aka ZDI-CAN-25373) that state-sponsored threat actors and cybercrime groups have been quietly leveraging since at least 2017 continues to be exploited for attacks.
“Arctic Wolf Labs assesses with high confidence that [the campaign they detected] is attributable to UNC6384. This attribution is based on multiple converging lines of evidence including malware tooling, tactical procedures, targeting alignment, and infrastructure overlaps with previously documented UNC6384 operations,” the company’s threat researchers noted.
The attack campaign
The targets in this latest cyber espionage campaign were European diplomatic entities in Hungary, Belgium, Italy and the Netherlands, as well as Serbian government’s aviation departments.
During September and October 2025, UNC6384 sent out spearphishing emails with an embedded URL, which ultimately lead to the delivery of malicious LNK files with themes related to European Commission meetings and NATO workshops.
“These files exploit [CVE-2025-9491, aka ZDI-CAN-25373] to execute obfuscated PowerShell commands that extract and deploy a multi-stage malware chain, culminating in PlugX remote access trojan (RAT) deployment through DLL side-loading of legitimate signed Canon printer assistant utilities,” the researchers explained.
CVE-2025-9491 exploited
ZDI-CAN-25373 was publicly disclosed in March 2025 by Peter Girnus, a threat hunter with Trend Micro’s Zero Day Initiative, and it’s an example of User Interface Misrepresentation of Critical Information (CWE-451).
The vulnerability allows attackers to create malicious LNK (Windows shortcut) files with command line arguments embedded in their Target field, but padded with whitespace (or other characters), thus making them unlikely to be seen by users who inspect the file via the Windows-provided user interface.
If the shortcut file is run by a user, these arguments are passed to target machines and result in code execution.
In conjunction with this trick, UNC6384 leveraged decoy PDF documents to hide the malicious payload being decrypted and executed in-memory via DLL side-loading.
The attackers’ execution chain (Source: Arctic Wolf)
“This three-stage execution flow completes the deployment of PlugX malware running stealthily within a legitimate signed process, significantly reducing the likelihood of detection by endpoint security solutions,” Arctic Wolf explained.
“Also observed in early September, Arctic Wolf identified UNC6384’s use of an HTA file configured to run invisibly in the background, which loads external JavaScript from a CloudFront URL. The JavaScript facilitated payload retrieval from the same CloudFront-based C2 and served as a delivery mechanism for three critical files: cnmpaui.exe, cnmpauix.exe, and cnmplog.dat.”
A fix may or may not be in the works
ZDI reported ZDI-CAN-25373 to Microsoft in September 2024 and shared their knowledge of it having been exploited many times in the past by various state-sponsored and cybercrime groups from North Korea, Iran, Russia, and China.
Microsoft acknowledged the report and the additional information provided, but ultimately decided that the vulnerability did not meet the bar for servicing.
At the time, Microsoft told Help Net Security that Microsoft Defender has detections in place to detect and block this threat activity, and the Smart App Control provides an extra layer of protection by blocking malicious files from the Internet. But, they added, they would consider addressing it in a future feature release.
We’ve reached out to Microsoft to ask whether they plan to fix the vulnerability soon (or at all), and we’ll update this article when we hear back from them.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
