A sophisticated cyber espionage campaign targeting European diplomatic institutions has been uncovered, signaling a strategic escalation by Chinese-affiliated threat actor UNC6384.
Central to this campaign is the exploitation of the Windows shortcut (LNK) UI misrepresentation vulnerability—ZDI-CAN-25373, first disclosed in March 2025—paired with tailored social engineering schemes mimicking authentic diplomatic conferences.
UNC6384, previously documented by Google’s Threat Intelligence Group, is known for its sustained targeting of diplomatic sectors, particularly across Southeast Asia.
Researchers at Arctic Wolf Labs have identified that, between September and October 2025, entities in Hungary, Belgium, and neighboring European countries have been specifically targeted through a newly evolved attack chain.
Recent operations, however, show that focus expanding into core European diplomatic spheres. The group’s tactical agility is evident in how quickly it adopts exploits: within six months of ZDI-CAN-25373’s public disclosure, UNC6384 had operationalized the flaw, using spearphishing emails carrying URLs that initiate a multi-stage compromise.
The attack commences when victims interact with seemingly legitimate conference-themed LNK files related to European Commission and NATO meetings.
These files exploit the Windows vulnerability to covertly execute obfuscated PowerShell commands, which extract and activate a malware-laced archive. The ultimate payload is PlugX, a remote access trojan (RAT) recognized for its modularity and favored by numerous Chinese nexus APT groups.
Multi-Stage Attack Chain
The attack sequence pivots on the weaponized LNK file, which employs whitespace padding in its COMMAND_LINE_ARGUMENTS to trigger the exploit.
Once activated, the LNK runs PowerShell to unpack a tar archive, yielding three core files: a legitimate Canon printer assistant executable, a malicious DLL, and an encrypted payload.

Abusing the standard Windows DLL search order for side-loading, the Canon binary (digitally signed, though with an expired certificate) loads the malicious DLL, which in turn decrypts the payload and injects PlugX into memory for stealthy execution.
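The hallmark of the LNK stage described above is a COMMAND_LINE_ARGUMENTS field stuffed with whitespace so that the real command is not visible in the shortcut's properties. The following added example (not code from Arctic Wolf Labs or the article) parses the MS-SHLLINK StringData section to recover that field and flags abnormal whitespace runs; the `build_lnk` fixture, the 32-character threshold and the sample arguments are constructed for the demonstration.

```python
import re
import struct

# Constants from MS-SHLLINK: ShellLinkHeader is 0x4C bytes; LinkFlags live at offset 0x14.
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
STRING_ORDER = (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON)  # fixed StringData order
WHITESPACE_RUN = re.compile(r"[ \t\r\n\x0b\x0c]+")

def build_lnk(args: str) -> bytes:
    """Constructed fixture: a minimal Unicode shell link whose only StringData is COMMAND_LINE_ARGUMENTS."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_ARGS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

def command_line_arguments(data: bytes):
    """Walk the header, optional IDList/LinkInfo and StringData; return the arguments string or None."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (4 bytes) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit in STRING_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        raw = data[off + 2: off + 2 + count * width]
        off += 2 + count * width
        if bit == HAS_ARGS:
            return raw.decode("utf-16-le" if width == 2 else "cp1252")
    return None

def scan_lnk(data: bytes, threshold: int = 32) -> dict:
    """Flag arguments whose longest whitespace run exceeds what a legitimate shortcut needs;
    the padding pushes the real command out of view in the shortcut's Properties dialog."""
    args = command_line_arguments(data) or ""
    longest = max((len(m.group()) for m in WHITESPACE_RUN.finditer(args)), default=0)
    return {"max_whitespace_run": longest, "suspicious": longest >= threshold,
            "visible_command": WHITESPACE_RUN.sub(" ", args).strip()[:80]}

if __name__ == "__main__":
    benign = build_lnk("-NoProfile -File report.ps1")
    padded = build_lnk(" " * 300 + "\r\n" * 10 + "-NoProfile -Command Write-Host constructed-sample")
    for name, blob in (("benign", benign), ("padded", padded)):
        print(name, scan_lnk(blob))
```

Run it against real `.lnk` attachments by reading the file bytes into `scan_lnk`; a `suspicious` verdict is a hunting lead, not proof, so pair it with the PowerShell and side-loading telemetry discussed below.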
PlugX enables broad espionage actions—including command execution, file transfer, keylogging, and persistence establishment—while disguising its presence within trusted processes.
Notably, the malware resolves Windows API functions at runtime from obfuscated strings and employs anti-analysis measures such as control-flow flattening and encryption to impede detection.
Beyond spearphishing-derived delivery, Arctic Wolf Labs notes UNC6384’s use of alternative vectors, including captive portal hijacking and background-HTA file execution, further highlighting the threat actor’s technical versatility.
Their C2 (command and control) infrastructure spans numerous domains resembling legitimate services and is distributed across different regions, complicating takedown efforts.
Strategic Impact and Recommendations
The European focus of this campaign pinpoints entities engaged in cross-border policy, defense procurement, and multilateral coordination—areas of strategic interest to China.
The malware creates a hidden directory in one of several possible locations within the user profile and copies all extracted files to maintain persistent access.
The alignment of lure documents to actual events, such as EU-Western Balkans border meetings and NATO defense workshops, displays an advanced understanding of diplomatic schedules, increasing the likelihood of successful compromise.
Persistent PlugX infections enable adversaries to exfiltrate confidential documents, surveil policy discussions, and potentially manipulate or monitor diplomatic processes in real time. This risks not only immediate data loss but also long-term strategic disadvantages for targeted governments and organizations.
Given the lack of a formal patch for ZDI-CAN-25373, organizations should disable automatic LNK file resolution, block known C2 domains, and scrutinize the deployment of Canon printer utilities in unusual locations.
Enhanced user training and continuous monitoring for DLL side-loading attacks are recommended, alongside proactive threat hunting for stealthy, memory-resident malware.
This campaign underscores a paradigm shift in espionage targeting, blending advanced vulnerability exploitation with contextualized phishing to infiltrate high-value diplomatic networks. Organizations must prioritize robust defense against rapidly evolving threat actors such as UNC6384 to safeguard critical diplomatic and policy-making processes.