Concise Cyber

China-Linked Hackers Target European Diplomats Using Unpatched Windows Flaw

A China-affiliated threat actor, identified as UNC6384, has been linked to a sophisticated cyber campaign targeting European diplomatic and government entities. According to a technical report from cybersecurity firm Arctic Wolf, the attacks took place between September and October 2025, leveraging an unpatched Windows shortcut vulnerability to gain access and deploy malware.

The targets of this campaign included diplomatic organizations in several European nations, specifically Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia. The attacks demonstrate a clear focus on entities involved in European political and diplomatic affairs.

Attack Chain Exploits Spear-Phishing

The operation commenced with highly targeted spear-phishing emails sent to individuals within the targeted organizations. These emails contained an embedded URL, which initiated a multi-stage attack chain upon being clicked. The primary goal of this chain was the delivery of malicious LNK files, which are shortcuts in the Windows operating system. To entice the victims, the attackers themed these LNK files around legitimate-sounding events, such as European Commission meetings, NATO-related workshops, and other multilateral diplomatic coordination efforts.

PlugX Malware Deployed via Windows Flaw

The malicious LNK files were specifically crafted to exploit a known but unpatched Windows vulnerability tracked as ZDI-CAN-25373. Triggering this flaw allows the attackers to execute code and continue their multi-stage intrusion. The ultimate objective of the attack chain is the deployment of the PlugX malware, a well-known remote access trojan (RAT) also referred to as Destroy. The report confirms that UNC6384 used a technique known as DLL side-loading to install and run the PlugX payload, giving them remote control over the compromised systems.
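A defender-side triage check for LNK lures like the ones described above, added here as an example and not taken from the article or from Arctic Wolf's report: it walks a shortcut's StringData as laid out in the MS-SHLLINK specification and flags shortcuts whose command-line arguments begin with a long run of whitespace, a trick that hides the real command from the file's Properties dialog. The `build_lnk` helper only constructs minimal test files, and the 32-character threshold is an assumption to tune against your own baseline.

```python
import struct

# Constants from the MS-SHLLINK specification (ShellLinkHeader / LinkFlags).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order, each gated by its LinkFlags bit.
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
WHITESPACE = " \t\r\n\x0b\x0c"


def parse_lnk_strings(data: bytes) -> dict:
    """Walk a .lnk file far enough to return its StringData fields as a dict."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # fixed ShellLinkHeader size
    if flags & HAS_IDLIST:  # LinkTargetIDList: 2-byte size, then the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # character count, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += count * width
    return fields


def is_suspicious(fields: dict, max_leading_ws: int = 32) -> bool:
    """Heuristic (threshold is an assumption): legitimate shortcuts almost never
    start their arguments with whitespace; padded ones hide the real command."""
    args = fields.get("arguments", "")
    leading = len(args) - len(args.lstrip(WHITESPACE))
    return leading >= max_leading_ws


def build_lnk(arguments: str) -> bytes:
    """Constructed minimal .lnk: header plus COMMAND_LINE_ARGUMENTS only (test data)."""
    flags = 0x20 | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Feed `parse_lnk_strings` the bytes of any shortcut pulled from a mail gateway or endpoint, then pass the result to `is_suspicious`; a benign shortcut such as `build_lnk("/k echo hello")` is not flagged, while one whose arguments are 300 spaces followed by a command is.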

Source: https://thehackernews.com/2025/10/china-linked-hackers-exploit-windows.html