A China-linked hacking group known as UNC6384 has been accused of carrying out new cyberattacks against several European diplomatic and government organizations, according to cybersecurity firm Arctic Wolf.

The attacks happened between September and October 2025 and took advantage of an unpatched Windows shortcut (LNK) vulnerability, as first reported by The Hacker News.

The victims include diplomatic offices in Hungary, Belgium, Italy, and the Netherlands, along with government agencies in Serbia.

Researchers said the hackers used spear-phishing emails dressed up as official invitations to European Commission meetings, NATO workshops, and other diplomatic events. The links in those emails led to malicious LNK files that exploited a Windows shortcut-handling flaw tracked as CVE-2025-9491, rated 7.0 on the CVSS scale.
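The following is an added triage example, not code from the article or from Arctic Wolf. It parses the on-disk Shell Link (LNK) format far enough to pull out the target path, the command-line arguments, and the ShowCommand value, then applies a few checks a responder would run over a suspicious shortcut: does it launch a script host, are the arguments padded with long runs of whitespace (the way the real command is pushed out of the Properties "Target" box in this bug class), do they carry PowerShell evasion switches, and is the window set to start minimized. The two LNK samples are constructed in the block with a small builder; the padding threshold and the switch list are assumptions for this example, not values taken from the campaign.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader (offset 0x14).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimized

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")
# Illustrative switch list (assumption for this example), matched case-insensitively.
EVASION_SWITCHES = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile",
                    "-ep bypass", "-executionpolicy bypass", "-enc ", "-encodedcommand")
# A long whitespace run in the argument field hides the real command from the
# Properties dialog; the 64-character threshold is an assumption for this example.
PADDING_RE = re.compile(r"[ \t\r\n\x0b\x0c]{64,}")

# StringData blocks appear in this fixed order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def build_lnk(relative_path, arguments="", working_dir="", show_command=1):
    """Build a minimal Unicode LNK (no IDList, no LinkInfo) so the parser runs offline.
    Constructed samples for this example, not files recovered from the campaign."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= HAS_WORKING_DIR if working_dir else 0
    flags |= HAS_ARGUMENTS if arguments else 0
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += struct.pack("<I", 0x20)   # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24              # CreationTime, AccessTime, WriteTime
    # FileSize, IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for flag, value in ((HAS_RELATIVE_PATH, relative_path),
                        (HAS_WORKING_DIR, working_dir), (HAS_ARGUMENTS, arguments)):
        if flags & flag:  # CountCharacters (2 bytes) + UTF-16LE chars, no terminator
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Return the StringData fields and ShowCommand of a Shell Link file."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252", errors="replace")
            pos += nbytes
    return fields


def assess_lnk(data):
    """Return short finding tags for one LNK; an empty list means nothing suspicious was seen."""
    f = parse_lnk(data)
    findings = []
    target = f.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = f.get("arguments", "")
    if target in SCRIPT_HOSTS:
        findings.append("script-host-target")
    if PADDING_RE.search(args):
        findings.append("padded-arguments")
    if any(sw in args.lower() for sw in EVASION_SWITCHES):
        findings.append("powershell-evasion-switches")
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("minimized-window")
    return findings


# Constructed samples: an ordinary application shortcut, and a lure-style one that hides a
# PowerShell one-liner (here, unpacking an archive) behind 300 spaces and starts minimized.
BENIGN_SAMPLE = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe")
LURE_SAMPLE = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments=" " * 300 + "-w hidden -nop -ep bypass -c \"Expand-Archive C:\\Users\\Public\\invite.zip C:\\Users\\Public\"",
    working_dir=r"C:\Users\Public",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("lure", LURE_SAMPLE)):
        print(label, assess_lnk(sample) or "clean")
```

Run it against a real shortcut with `assess_lnk(open(path, "rb").read())`. The parser deliberately skips the IDList and LinkInfo blocks rather than interpreting them, because the string fields are where the padding and the command live; a shortcut whose visible target looks harmless but whose argument field is hundreds of characters of whitespace followed by a script-host invocation is the pattern to escalate on.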

Once opened, these files triggered a multi-stage infection chain that ended with the installation of PlugX, a long-running remote access trojan also tracked as Destroy RAT, Korplug, or SOGU. The malware gives attackers full control of an infected machine, including keystroke logging, file transfer, and collection of system information.

Once executed, the LNK file ran a PowerShell command that extracted a hidden archive. The archive contained three files: a legitimate Canon printer utility, a malicious DLL named CanonStager, and an encrypted PlugX payload. Through DLL side-loading, the signed Canon executable loads CanonStager from its own directory, so the malicious code runs under the identity of a trusted vendor program; CanonStager then decrypts and launches the PlugX payload.
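As an added hunting example (not code from the article or from Arctic Wolf), the block below runs a small rule set over Sysmon Event ID 7 (ImageLoad) records to surface the side-loading pattern described above: a signed vendor executable loading an unsigned DLL from its own directory, especially when both sit in a user-writable location such as a temp or download folder. The records are constructed for this example; the executable and DLL names are hypothetical placeholders rather than the real Canon utility or CanonStager file names, and the lists of user-writable prefixes and commonly shadowed DLL names are illustrative, not exhaustive.

```python
import ntpath

# Directories a standard user can write to (illustrative list, assumption for this example).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Library names often planted beside a trusted executable so the loader picks them up
# before the real system copy (illustrative, not exhaustive).
COMMONLY_SHADOWED = {"version.dll", "dwmapi.dll", "cryptbase.dll", "userenv.dll", "msimg32.dll"}


def _dir(path):
    """Normalised parent directory with a trailing backslash, for prefix and equality checks."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def assess_image_load(ev):
    """Evaluate one Sysmon Event ID 7 record (dict of its EventData fields).
    Returns a list of human-readable reasons; an empty list means no rule fired."""
    image, dll = ev["Image"], ev["ImageLoaded"]
    image_dir, dll_dir = _dir(image), _dir(dll)
    dll_name = ntpath.basename(dll).lower()
    # Sysmon records the loaded image's signature, not the process's.
    dll_signed = ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
    same_dir = image_dir == dll_dir
    reasons = []
    if same_dir and not dll_signed:
        reasons.append("unsigned DLL loaded from the executable's own directory")
    if same_dir and not dll_signed and image_dir.startswith(USER_WRITABLE_PREFIXES):
        # Drop-and-run: the pair was unpacked somewhere the user (or a lure) could write.
        reasons.append("executable and unsigned DLL both reside in a user-writable directory")
    if dll_name in COMMONLY_SHADOWED and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append(f"{dll_name} loaded from outside the Windows system directories")
    return reasons


def hunt(events):
    """Return (Image, ImageLoaded, reasons) for every record that trips at least one rule."""
    hits = []
    for ev in events:
        reasons = assess_image_load(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


# Constructed Sysmon-style records; CanonUtility.exe and cnmhelper.dll are placeholder names.
SAMPLE_EVENTS = [
    # Vendor install loading its own signed helper from Program Files: expected.
    {"Image": r"C:\Program Files\Canon\CanonUtility.exe",
     "ImageLoaded": r"C:\Program Files\Canon\cnmhelper.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Canon Inc."},
    # Windows component loading a system DLL from System32: expected.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    # Side-loading: the same vendor utility, unpacked to a temp folder, loads an unsigned
    # DLL that was dropped beside it.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\invite\CanonUtility.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\invite\cnmhelper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
    # A planted version.dll next to an installer in Downloads.
    {"Image": r"C:\Users\bob\Downloads\setup.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": ""},
]

if __name__ == "__main__":
    for image, dll, reasons in hunt(SAMPLE_EVENTS):
        print(image, "->", dll)
        for r in reasons:
            print("   ", r)
```

Per-user installs of legitimate software (chat clients, updaters) will also trip the user-writable rule when they ship unsigned libraries, so treat the output as a hunting queue to enrich with process ancestry and the parent LNK or archive, not as a blocking signal; the detail that separates the campaign pattern from noise is a vendor-signed binary that has no business running from a temp directory.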

Arctic Wolf noted that the CanonStager loader has evolved quickly: its size dropped from roughly 700 KB in early September to just 4 KB by October 2025, a sign that the operators are stripping it down to be smaller and harder to detect.


In some cases, the attackers instead used HTML Application (HTA) files that loaded malicious JavaScript from cloudfront[.]net domains to deliver the malware.

The shift to HTA delivery and the steadily shrinking loader show that UNC6384 is actively refining its tradecraft to slip past modern security tools.

Cybersecurity experts have also linked UNC6384 to Mustang Panda, another China-based group known for targeting government and diplomatic networks in both Europe and Asia. The group has been observed using memory-resident versions of PlugX, tracked as SOGU.SEC.

Experts believe the campaign is part of China’s broader effort to gather intelligence on European defense cooperation and policy coordination.

Microsoft said that its Defender antivirus detects and blocks the observed attack chain, and that Smart App Control adds a further layer by refusing to run untrusted applications. Neither is a substitute for a fix to the underlying LNK flaw, which remained unpatched at the time of the report.


According to Arctic Wolf, the continued targeting of European diplomats reflects a growing Chinese cyber-espionage focus on the inner workings of Europe's defense and alliance strategies.
