New Delhi, November 2 (IANS). A China-linked hacking group named UNC6384 has been accused of a new cyberattack targeting European diplomats and government organizations, according to a report from cybersecurity firm Arctic Wolf.
Chinese hackers exploit a new Windows flaw to target European diplomatic missions
The attacks took place between September and October 2025, exploiting an unpatched Windows Shortcut (LNK) weakness, The Hacker News reports.
Victims of the attack included diplomatic organizations in Hungary, Belgium, Italy and the Netherlands, as well as government agencies in Serbia.
Arctic Wolf reported that the hackers used spear-phishing emails containing links that appeared to relate to a European Commission meeting, a NATO workshop and a diplomatic coordination event.
When victims clicked on the link, they were taken to malicious LNK files designed to exploit the Windows flaw, which is tracked as CVE-2025-9491 and has a CVSS score of 7.0.
Once opened, these files initiated a complex attack chain that culminated in the deployment of the PlugX malware, a dangerous remote access trojan also known by names such as Destroy RAT, CorePlug and SOGU.
This malware allows hackers to take control of the system, record keystrokes, upload or download files, and collect detailed information from the compromised computer.
Researchers reported that LNK files trigger a PowerShell command that extracts a hidden archive containing three files – a genuine Canon printer utility, a malicious DLL file named CanonStager, and an encrypted PlugX payload.
The hackers use a technique called DLL side-loading, in which the legitimate, signed program is tricked into loading the malicious DLL, so the malware runs under the cover of a harmless application.
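As an added example (not from the article or from Arctic Wolf's report), a small detector for the side-loading shape described above, run over Sysmon-style image-load events: a legitimate executable running from a user-writable folder loads an unsigned DLL that sits next to it. Field names follow Sysmon Event ID 7, and the file names, paths and events are constructed for illustration.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load telemetry.

Sample events are constructed; the printer utility and DLL names are
placeholders, not the real file names from the campaign.
"""
from pathlib import PureWindowsPath

# Folders an ordinary user can write to; a vendor binary running from here
# next to an unsigned DLL is the classic side-loading shape.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\public\\")


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_sideload_candidate(ev: dict) -> bool:
    """True when a process loads an unsigned DLL from its own directory
    and that directory is user-writable."""
    host = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return False
    same_dir = host.parent.as_posix().lower() == dll.parent.as_posix().lower()
    unsigned = (ev.get("Signed", "false").lower() != "true"
                or ev.get("SignatureStatus", "") != "Valid")
    return same_dir and unsigned and is_user_writable(str(dll))


def find_sideloads(events: list) -> list:
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry: one side-load, two benign loads.
EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\prn\PrinterUtil.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\prn\PrinterUtil.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\prn\PrinterUtil.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\PrinterUtil.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\PrinterUtil.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for ev in find_sideloads(EVENTS):
        print("side-load candidate:", ev["Image"], "->", ev["ImageLoaded"])
```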
The CanonStager malware is changing rapidly. Arctic Wolf found that its file size was 700 KB at the beginning of September and had shrunk to just 4 KB by October 2025, which shows that the hackers are refining it to be smaller and stealthier.
In some cases, the attackers also used HTML Application (HTA) files to deliver the malware, loading external JavaScript from a cloudfront[.]net domain.
This shows that UNC6384 is constantly improving its methods to stay ahead of security defenses.
Cybersecurity researchers have also linked UNC6384 to another China-based hacking group, Mustang Panda, which is known for targeting government and diplomatic entities across Europe and Asia.
The group has been observed deploying a memory-resident version of PlugX, called SOGU.SEC.
Experts say the campaign aligns with China’s intelligence-gathering goals, particularly to monitor European defense cooperation, policy coordination and alliance strength. Microsoft claims that its Defender Antivirus can detect and block such attacks, while Smart App Control adds another layer of protection by blocking malicious files downloaded from the Internet.
According to Arctic Wolf, the continued targeting of European diplomatic missions shows that China is increasing its cyber espionage focus to understand information related to European alliances and defense strategies.
–IANS
