UNC6384 Espionage Campaign Exploits Windows Shortcut Vulnerability Against European Diplomats
Chinese state-sponsored threat actor UNC6384 conducted a targeted cyber-espionage campaign against European diplomatic entities in Hungary, Belgium, Italy, the Netherlands, and Serbia during September and October 2025. The attackers exploited an unpatched Windows shortcut vulnerability (ZDI-CAN-25373), first disclosed in March 2025, to deliver the PlugX remote access trojan via spearphishing emails themed around European Commission meetings, NATO workshops, and multilateral diplomatic events. The campaign leveraged advanced social engineering, detailed knowledge of diplomatic calendars, and multi-stage malware delivery chains, including DLL side-loading through legitimate Canon printer utilities. Arctic Wolf Labs and other researchers attributed the activity to UNC6384, noting the group’s rapid adoption of public vulnerabilities and operational expansion from Southeast Asia to Europe.
The campaign’s objectives included stealing sensitive defense and national security information, monitoring NATO and EU policy development, and assessing European military readiness and supply chain resilience. The attacks began with highly targeted phishing lures, leading to the exploitation of ZDI-CAN-25373 and subsequent deployment of PlugX, which enabled remote access, data theft, and further malware installation. The campaign highlights the ongoing risk posed by unpatched vulnerabilities and the increasing sophistication of Chinese cyber-espionage operations targeting Western diplomatic and governmental organizations.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Reports highlight continued exploitation of unpatched CVE-2025-9491
By October 31, 2025, multiple outlets emphasized that the Windows shortcut flaw remained unpatched and was being actively exploited by UNC6384 and other state-sponsored actors. Coverage noted Microsoft's decision not to issue a fix and the need for mitigations such as blocking untrusted .LNK files and monitoring for related indicators.
Follow-on reporting expands known victim scope across Europe
From October 30 to October 31, 2025, follow-on coverage highlighted additional affected organizations and countries, including diplomatic targets in Italy and the Netherlands and government agencies in Serbia. The reporting reinforced that the campaign likely extended beyond the initially disclosed Hungarian and Belgian entities.
Arctic Wolf attributes the campaign to UNC6384 and publishes findings
On October 30, 2025, Arctic Wolf Labs published research attributing the active espionage campaign with high confidence to the Chinese-affiliated threat actor UNC6384. The report detailed targeting of diplomatic entities in Hungary and Belgium and assessed the activity as aligned with PRC intelligence interests in Europe.
Attackers refine delivery tradecraft and shrink CanonStager artifacts
By October 2025, Arctic Wolf observed rapid evolution in the campaign's tooling, including CanonStager shrinking to roughly 4 KB. Researchers also noted alternative delivery paths, including HTA/JavaScript payload retrieval via a CloudFront-based infrastructure.
UNC6384 exploits the LNK flaw to deploy PlugX on victim systems
In the September–October 2025 campaign, malicious Windows shortcut files exploited ZDI-CAN-25373/CVE-2025-9491 to trigger obfuscated PowerShell and deliver PlugX. The infection chain used a legitimate Canon utility, a malicious sideloaded DLL dubbed CanonStager, and an encrypted payload executed in memory.
UNC6384 launches spearphishing campaign against European diplomatic targets
During September 2025, UNC6384 began targeting European diplomatic and government entities with spearphishing lures themed around real diplomatic events. Initial victimology included organizations in Hungary and Belgium, with broader targeting later linked to Serbia, Italy, and the Netherlands.
ZDI publicly discloses Windows shortcut flaw ZDI-CAN-25373
In March 2025, the Windows shortcut vulnerability tracked as ZDI-CAN-25373 was publicly disclosed. Later reporting tied the issue to CVE-2025-9491 and noted it could enable hidden command execution via manipulated .LNK files.
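The hidden command execution described here, and the .LNK monitoring recommended in the October 31 coverage above, can be checked for on disk. The following is an added example, not code from the article, Arctic Wolf or any other cited source: a minimal MS-SHLLINK parser in Python that flags shortcuts whose command-line arguments are front-padded with a long run of whitespace, which is the concealment technique ZDI-CAN-25373 was publicly disclosed as (an assumption drawn from the public disclosure, not stated on this page). The `build_lnk` fixture, the `.\notes.txt` relative path and the 64-character threshold are constructed for the demonstration.

```python
# Added example (not from the source page). Assumption: ZDI-CAN-25373 hides the
# real COMMAND_LINE_ARGUMENTS behind leading whitespace, per the public disclosure.
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID, LE
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH), ("working_dir",
                 HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS), ("icon_location", HAS_ICON_LOCATION)]
PAD_CHARS = " \t\n\r\x0b\x0c"  # whitespace the shortcut properties dialog does not show

def parse_lnk_strings(data):
    """Return the StringData fields of a .LNK blob as a dict (absent fields omitted)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                             # fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:                  # IDListSize excludes its own 2 bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                            # LinkInfoSize includes its own 4 bytes
        off += struct.unpack_from("<I", data, off)[0]
    out = {}
    for field, bit in STRING_FIELDS:                     # StringData blocks appear in this order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, not bytes
        off += 2
        raw = data[off:off + count * 2] if flags & IS_UNICODE else data[off:off + count]
        off += len(raw)
        out[field] = raw.decode("utf-16-le" if flags & IS_UNICODE else "cp1252")
    return out

def hidden_padding(data):
    """Leading whitespace count in COMMAND_LINE_ARGUMENTS (0 when the field is absent)."""
    args = parse_lnk_strings(data).get("arguments", "")
    return len(args) - len(args.lstrip(PAD_CHARS))

def is_suspicious(data, min_padding=64):
    """Flag shortcuts whose real arguments sit behind a long whitespace run."""
    return hidden_padding(data) >= min_padding

def build_lnk(args, relative_path=r".\notes.txt"):
    """Constructed test fixture: a minimal Unicode .LNK with no target IDList (launches nothing)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    def sd(s):                                           # CountCharacters + UTF-16LE string
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(args)
```

In practice, run `is_suspicious` over `.lnk` attachments and files in user-writable paths; a threshold of 64 leading whitespace characters separates ordinary shortcuts from ones that only become readable once scrolled.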
Sources
UNC6384's 2025 PlugX Campaign Explained (picussecurity.com)
Signals Weekly: The Shortcut That Opened Doors in Europe (blog.alphahunt.io)
Unpatched Windows Flaw a Boon for Nation-State Hackers (bankinfosecurity.com)
Unpatched Windows Flaw a Boon for Nation-State Hackers (govinfosecurity.com)
UNC6384 Targets European Diplomatic Entities With Windows Exploit (darkreading.com)
Suspected Chinese snoops weaponize unpatched Windows flaw to spy on European diplomats (go.theregister.com)
UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities (arcticwolf.com)
Diplomatic entities in Belgium and Hungary hacked in China-linked spy campaign (therecord.media)