
China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats

Severity: Medium
Tags: Exploit, windows
Published: Fri Oct 31 2025 (10/31/2025, 13:57:00 UTC)
Source: The Hacker News

Description

A China-affiliated threat actor known as UNC6384 has been linked to a fresh set of attacks exploiting an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025. The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf said in a

AI-Powered Analysis

Last updated: 10/31/2025, 14:07:19 UTC

Technical Analysis

The threat actor UNC6384, affiliated with China, has conducted targeted cyber espionage campaigns against European diplomatic and government entities by exploiting a recently disclosed Windows shortcut vulnerability, CVE-2025-9491 (CVSS 7.0). This vulnerability allows execution of hidden malicious commands via specially crafted LNK files. The attack begins with spear-phishing emails containing URLs that lead to malicious LNK files themed around European Commission meetings and NATO workshops to entice targets. Upon opening the LNK file, a PowerShell command is executed that extracts a TAR archive containing three components: a legitimate Canon printer utility, a malicious DLL (CanonStager) loaded via DLL side-loading, and an encrypted PlugX payload. PlugX is a sophisticated remote access trojan capable of command execution, keylogging, file operations, persistence, and system reconnaissance. It employs anti-debugging and anti-analysis techniques to evade detection. The malware achieves persistence through Windows Registry modifications. The campaign has evolved, with the CanonStager DLL shrinking in size, indicating active development to reduce forensic footprints. Additionally, UNC6384 has used HTML Application (HTA) files to load external JavaScript from cloudfront.net to retrieve payloads, refining delivery methods. The campaign specifically targets European diplomatic entities involved in defense and policy coordination, reflecting strategic intelligence priorities of the Chinese government. Although Microsoft Defender and Smart App Control provide some detection and blocking capabilities, the vulnerability remains unpatched, leaving systems exposed. This campaign follows earlier exploitation of the same vulnerability by other threat groups such as XDSpy, indicating widespread interest in this flaw.

Potential Impact

European organizations, particularly diplomatic and government entities involved in defense cooperation and multilateral policy coordination, face significant espionage risks from this campaign. Successful exploitation enables attackers to gain persistent remote access, exfiltrate sensitive information, perform keylogging, and conduct extensive system reconnaissance. This compromises confidentiality and integrity of highly sensitive diplomatic communications and strategic policy data. The use of advanced evasion techniques and modular malware architecture complicates detection and response efforts. The targeting of multiple European countries indicates a coordinated intelligence-gathering effort that could undermine national security and diplomatic relations. The campaign's focus on entities critical to European alliance cohesion and defense initiatives elevates the potential geopolitical impact. Additionally, the evolving malware reduces forensic evidence, hindering incident investigations and attribution. The medium severity rating underestimates the strategic impact on European governmental operations and intelligence security.

Mitigation Recommendations

European organizations should prioritize immediate mitigation steps beyond generic patching advice. First, implement strict email filtering and advanced threat protection to detect and block spear-phishing attempts with embedded URLs and malicious LNK files. Deploy endpoint detection and response (EDR) solutions capable of identifying DLL side-loading and anomalous PowerShell activity. Enable Microsoft Defender and Smart App Control features to leverage existing detection capabilities against this threat. Conduct targeted user awareness training focused on recognizing diplomatic-themed phishing lures and suspicious attachments. Employ application whitelisting to restrict execution of unauthorized binaries and scripts, especially those invoking PowerShell or loading DLLs from unusual locations. Monitor Windows Registry changes indicative of the persistence mechanisms used by PlugX. Use network traffic analysis to detect communications with known malicious infrastructure such as cloudfront.net subdomains. Establish incident response playbooks tailored to this threat's tactics, techniques, and procedures (TTPs). Finally, collaborate with national cybersecurity agencies and share threat intelligence to enhance detection and response across affected sectors.
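The attack chain in the Technical Analysis starts with a crafted LNK file that launches PowerShell, and the recommendations above call for catching such shortcuts at the mail gateway or on file shares before anyone opens them. The following Python script is an added example, not code from the article, from Arctic Wolf or from The Hacker News: it parses the ShellLinkHeader and StringData fields of a .lnk file according to the public MS-SHLLINK format and flags shortcuts that launch a script host, carry an unusually long command line, request a hidden window, or are set to start minimized without focus. The finding codes, the SCRIPT_HOSTS list, the 256-character threshold and the two sample shortcuts are assumptions constructed for this example; it is a generic triage aid for suspicious shortcuts, not a signature for CVE-2025-9491.

```python
import struct
from dataclasses import dataclass
from pathlib import Path

# Constants from the MS-SHLLINK specification (Shell Link binary file format).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value: start minimized without focus

# Heuristic settings: assumptions for this example, tune them for your environment.
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta")
MAX_ARGUMENT_LENGTH = 256


@dataclass
class ShellLink:
    flags: int
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> ShellLink:
    """Parse the header and StringData section of a .lnk file."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a shell link header")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    link = ShellLink(flags=flags, show_command=show_command)

    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList: 2-byte size followed by items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: its size field counts itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")

    # StringData fields appear in this fixed order, each present only if its flag is set.
    for flag, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            setattr(link, attr, read_string())
    return link


def assess_lnk(data: bytes) -> list[str]:
    """Return finding codes for one shortcut; an empty list means nothing suspicious."""
    link = parse_lnk(data)
    findings = []
    launch = f"{link.relative_path} {link.arguments}".lower()
    if any(host in launch for host in SCRIPT_HOSTS):
        findings.append("script-host")  # shortcut launches PowerShell or mshta
    if len(link.arguments) > MAX_ARGUMENT_LENGTH:
        findings.append("long-arguments")  # far longer than a normal document/app shortcut
    if "hidden" in link.arguments.lower():
        findings.append("hidden-window")  # e.g. -WindowStyle Hidden
    if link.show_command == SW_SHOWMINNOACTIVE:
        findings.append("minimized-launch")  # starts without showing a window
    return findings


def scan_directory(root: str) -> dict[str, list[str]]:
    """Assess every .lnk under root (e.g. a mail quarantine); unparsable files are reported."""
    results = {}
    for path in Path(root).rglob("*.lnk"):
        try:
            results[str(path)] = assess_lnk(path.read_bytes())
        except ValueError as exc:
            results[str(path)] = [f"parse-error: {exc}"]
    return results


def build_lnk(relative_path: str, arguments: str = "", show_command: int = 1,
              unicode: bool = True) -> bytes:
    """Construct a minimal shell link; used here only to create sample input."""
    flags = HAS_RELATIVE_PATH | (HAS_ARGUMENTS if arguments else 0) | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def encode(s: str) -> bytes:
        payload = s.encode("utf-16-le") if unicode else s.encode("cp1252")
        return struct.pack("<H", len(s)) + payload

    return header + encode(relative_path) + (encode(arguments) if arguments else b"")


# Constructed samples: a benign document shortcut and one that starts a hidden PowerShell.
BENIGN_LNK = build_lnk(r"..\Documents\agenda.docx")
SUSPICIOUS_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoProfile -WindowStyle Hidden -Command " + "Write-Host 'constructed sample'; " * 12,
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    print("benign:", assess_lnk(BENIGN_LNK))
    print("suspicious:", assess_lnk(SUSPICIOUS_LNK))
```

Run the file directly to see the two constructed samples scored, or call scan_directory on a quarantine folder. The parser deliberately skips the LinkTargetIDList and LinkInfo structures, so a shortcut whose target is expressed only there and that carries no RelativePath or arguments will score clean; treat the output as a first-pass triage and pair it with EDR telemetry on PowerShell processes started from shortcut launches, as the recommendations above suggest.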


Technical Details

Article Source: https://thehackernews.com/2025/10/china-linked-hackers-exploit-windows.html (fetched 2025-10-31T14:07:05.470Z, 1201 words)

Threat ID: 6904c289f54b4a899781a306

Added to database: 10/31/2025, 2:07:05 PM

Last enriched: 10/31/2025, 2:07:19 PM

Last updated: 11/1/2025, 4:29:07 PM

Views: 61

Community Reviews

0 reviews

