China-linked hackers target European diplomatic missions using new Windows flaw

New Delhi: A China-linked hacking group named UNC6384 has been blamed for a new cyberattack campaign targeting European diplomatic and government organisations, according to a report by cybersecurity firm Arctic Wolf.

The attacks took place between September and October 2025, exploiting an unpatched Windows shortcut (LNK) vulnerability, reported by The Hacker News.

The victims of the attack include diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia.

Arctic Wolf said the hackers used spear-phishing emails containing links that appeared related to European Commission meetings, NATO workshops, and diplomatic coordination events.

When victims clicked the links, they were led to malicious LNK files designed to exploit the Windows flaw, tracked as CVE-2025-9491 with a CVSS score of 7.0.

Once opened, these files launched a complex attack chain that ended with the deployment of PlugX malware, a dangerous remote access trojan also known by names like Destroy RAT, Korplug, and SOGU.

The malware allows hackers to control infected systems, record keystrokes, upload or download files, and gather detailed information from the compromised computers.

Researchers explained that the LNK files trigger a PowerShell command that extracts a hidden archive containing three files — a legitimate Canon printer utility, a malicious DLL file called CanonStager, and an encrypted PlugX payload.

The hackers use a technique called DLL side-loading to make the malware look like a harmless programme.

The CanonStager malware has been evolving rapidly. Arctic Wolf found that its file size had dropped from 700 KB in early September to just 4 KB by October 2025, showing that the hackers are working to make it smaller, stealthier, and harder to detect.

In some cases, the attackers also used HTML Application (HTA) files that loaded external JavaScript from cloudfront[.]net domains to deliver the malware.

This shows that UNC6384 continues to refine its methods to stay ahead of security defences.

Cybersecurity researchers have also linked UNC6384 to another China-based hacking group known as Mustang Panda, known for targeting government and diplomatic entities across Europe and Asia.

The group has been seen deploying memory-resident versions of PlugX, referred to as SOGU.SEC.

Experts say the campaign aligns with China’s intelligence-gathering goals, particularly to monitor European defense cooperation, policy coordination, and alliance strength.

Microsoft has confirmed that its Defender antivirus can detect and block this type of attack, while Smart App Control adds another protection layer by blocking malicious files downloaded from the internet.

According to Arctic Wolf, the continued targeting of European diplomatic entities highlights China’s growing cyber espionage focus on understanding the inner workings of European alliances and defence strategies.

IANS