UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities
The Chinese-affiliated threat actor UNC6384 is exploiting the ZDI-CAN-25373 Windows vulnerability to deploy PlugX malware targeting European diplomatic entities, specifically in Hungary and Belgium. The attack vector involves spearphishing emails with malicious LNK files themed around diplomatic conferences. The campaign uses DLL side-loading of legitimate Canon printer utilities to evade detection and maintain persistence. UNC6384’s operations have expanded from Southeast Asia to Europe, focusing on espionage related to foreign policy, defense, and economic matters. This campaign demonstrates advanced social engineering and rapid exploitation of new vulnerabilities. The malware provides persistent remote access for intelligence gathering. No known public exploits exist yet, but the threat is active and targeted. The medium severity rating reflects the targeted nature and complexity of the attack. European diplomatic organizations should prioritize mitigation to protect sensitive information and maintain operational security.
AI Analysis
Technical Summary
UNC6384, a Chinese-affiliated cyber espionage group, has weaponized the ZDI-CAN-25373 vulnerability in Windows to conduct targeted attacks against European diplomatic entities, primarily in Hungary and Belgium. The vulnerability itself is not detailed in the provided information; it is exploited via spearphishing emails containing malicious LNK shortcut files that serve as the initial infection vector. The attackers use DLL side-loading through legitimate Canon printer utilities, so the PlugX payload executes under the guise of trusted, signed software and bypasses traditional security controls. PlugX is a well-known remote access trojan (RAT) that provides persistent access, data exfiltration, and intelligence collection. The campaign is notable for its diplomatic-conference-themed spearphishing lures, indicating social engineering tailored to the target audience. The group's expansion from Southeast Asia into Europe signals a strategic shift and an increased focus on European diplomatic targets. The campaign aims to gather sensitive intelligence on foreign policy, defense cooperation, and economic issues, reflecting the strategic interests of the threat actor. Despite the absence of publicly known exploits for ZDI-CAN-25373, the group's rapid adoption and weaponization of the vulnerability underscore its operational agility. The attack chain combines several TTPs, including spearphishing, DLL side-loading, and persistence mechanisms, which together complicate detection and remediation.
Potential Impact
For European organizations, particularly diplomatic missions and government entities in Hungary and Belgium, this threat poses significant risks to confidentiality and operational security. Successful exploitation can lead to unauthorized access to sensitive diplomatic communications, strategic policy discussions, and economic data, potentially undermining national security and diplomatic relations. The persistent nature of PlugX malware allows long-term espionage, increasing the risk of extensive data exfiltration and compromise of multiple systems. The use of legitimate software for DLL side-loading complicates detection, increasing the likelihood of prolonged undetected presence. Additionally, the targeting of diplomatic entities may have broader geopolitical implications, potentially affecting trust and cooperation between European nations and their partners. The campaign’s focus on high-value targets means that the impact extends beyond individual organizations to national and regional security interests.
Mitigation Recommendations
European diplomatic entities should implement targeted defenses beyond generic advice. First, enforce strict email filtering and attachment handling policies to detect and block spearphishing attempts, especially those involving LNK files. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying DLL side-loading behaviors and anomalous use of legitimate Canon printer utilities. Conduct regular threat hunting focused on PlugX indicators and monitor for unusual network traffic indicative of data exfiltration. Apply the latest Windows security updates and patches promptly, even though no direct patch link is provided, to reduce exposure to ZDI-CAN-25373 and related vulnerabilities. Implement application whitelisting to restrict execution of unauthorized binaries and DLLs. Conduct user awareness training emphasizing the risks of spearphishing and social engineering, tailored to diplomatic staff. Network segmentation should isolate sensitive systems to limit lateral movement. Finally, establish incident response plans specific to espionage threats and collaborate with national cybersecurity agencies for threat intelligence sharing and coordinated defense.
Affected Countries
Hungary, Belgium
Indicators of Compromise
- hash: 0538e73fc195c3b4441721d4c60d0b96
- hash: 0a02938e088b74fe6be2f10bb9133f2a
- hash: 0a84f981ca86ae682bb8f0bdc2c70bff
- hash: 0d0dd1cbde02e4e138c352b82a0288cc
- hash: 1263bb047f3a83fc6dc90aaf362b34d2
- hash: 17a6748f8e3def110c6ab1ea8daab4c7
- hash: 1b2e4e7143b779e3ab0dd5cb40d9d4c3
- hash: 1bf838a666d37750b36321f182dd07da
- hash: 2226d3e8843b3e2c228da3a3fdc56e7b
- hash: 227045c5c5c47259647f280bee8fe243
- hash: 80639fb809c24ab2f12ea7c4da167862
- hash: 8720bfc31e1848e788f3ad1175be1195
- hash: 93f4ef07fd4d202fc95e13878b43dd64
- hash: b626001d7cd968ab3b8caf87a0ef4666
- hash: bf98c36b522a909d8ca320477aa6a885
- hash: c83468e7ad2279c4e6344cc09b76cdc0
- hash: dc1dba02ab1020e561166aee3ee8f5fb
- hash: e78d4f1f53123ceffedac6d4698438b9
- hash: f15c9d7385cffd1d04e54c5ffdb76526
- hash: f1f4b62bafea43e50c459574babe5f0a
- hash: f2d1fa1890e409996ed4a23bc69461fe
- hash: f4b1a1516c99a196cd4d6af18f611766
- hash: 041a2e52944e51d5ee1e115123961257ad255fd1
- hash: 3e37106bbc1e19e3e1376321240f14bba75c8b27
- hash: 46a530dd71b20a2b3f30b411dbe86f48e3d07750
- hash: 4a67d5226945e44737e8497c09357374f39c0fb8
- hash: 572fc5774568e536f956a002e67ade23af19b034
- hash: 596b582169f5d65c4791477a61099c03fbb63a41
- hash: 62faeb7893b4ac116ba970f889e00c8da75676fb
- hash: 758304404d790a30e409909111f69e9fa8d75c20
- hash: 7f5d586a0b3c941def4f9563d141d793792a2d52
- hash: 9c38f0b44eb206680835ef7c3d65ee571db044d9
- hash: 9cfd4361278e7ea02bd3ffc6749edd6cde089480
- hash: a019aaa7b90bca17ef8f9910db3ad7c0a3c2afe4
- hash: a502b7879e89bc1853469dcf01b91e29a9b3155b
- hash: ac81c996275f0b1b08f7244eea21fe2b851aa705
- hash: baa569318144905563b469a5a006ad54eb616a02
- hash: c6a4cf04929aecc8b27b77f6e510b6f0633ca0bf
- hash: f3ea33e4b82c5c14d3a5b224126d19aa57e843a6
- hash: f9dd7f8846dc10164b348cfdf878a611c79e4c00
- hash: 1564e19b36ffc4e12becc4fb73359de13191ac8df62def45f045efbd6ef36e79
- hash: 218ed813d8a4d9d05473338795021c66012cd6c36368561d3aaf831a5c494740
- hash: 262a1003a2cd04993b29e687686eba573d6202fea8611c437ecbd6312802677a
- hash: 274adf7f60e0799b157e7524d503d345f6870010703fb6b56a3dd1e62b4de3e8
- hash: 3fe6443d464f170f13d7f484f37ca4bcae120d1007d13ed491f15427d9a7121f
- hash: 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3
- hash: 716637a424bce58ff8c75e40b6e29c33318ff185af6e9e62d85b61e56a560eac
- hash: 7168838787039d82961836e5f2f9c70f3fe7c4d99a6c7c61405b3364ce37e760
- hash: 7a49310a9192cab1aa05256b6ca0d0c1a54fe084b103ff4df2d17be9effa3300
- hash: 911cccd238fbfdb4babafc8d2582e80dcfa76469fa1ee27bbc5f4324d5fca539
- hash: a7d12712673a4e3b6d62a9d84f124e62689da12f0a3ee6009369ecf469ce8182
- hash: ae8d2cef8eac099f892e37cc50825d329459baa9625b71fb6f4b7e8f33c6ccce
- hash: bb491248bb8f6067af39e196b11f4e408a7a3885704cadbd4266db52ae4b03e2
- hash: c3b7abcb583b90559af973dd18bf5ccba48d3323e5e2e8bc0b11ff54425e34dd
- hash: c9128d72de407eede1dd741772b5edfd437e006a161eecfffdf27b2483b33fc7
- hash: c96338533d0ab4de8201ce1f793e9ea18d30c6179daf1e312e0f01aff8f50415
- hash: d70600f0e4367e6e3e07f7b965b654e5bfbcb0afbccfe0f6a9a8d9f69c7061a3
- hash: e53bc08e60af1a1672a18b242f714486ead62164dda66f32c64ddc11ffe3f0df
- hash: ee9295fa36e29808ff36beb55be328b68d82f267d2faa54db26e0bf86b78fa56
- hash: f04340f93e2f5f7d6d5521572f17c5b80f39984ee6b4b8c0899380e95a825127
- hash: f8d03814986599ed98ce8c83fbc9ce55b83095c179c54ec555c4ab372fa99700
- hash: 78017873acc55e2a664c0187dfb503392e242cdb
- hash: 8e7628ea65640b25f8708232f485129584e785c2
- hash: f380ec15f81e79330bf443d4c4a9d6867c4e85de
- domain: cseconline.org
- domain: dorareco.net
- domain: naturadeco.net
- domain: paquimetro.net
- domain: racineupci.org
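The mitigation section above recommends hunting for PlugX indicators and watching DNS traffic for the campaign's domains. The following script is an added example for this page, not code from the AlienVault pulse or the Arctic Wolf report: it matches EDR-style file events and DNS query logs against the hashes and domains listed above. The hash values and domains are copied from the Indicators of Compromise list (a subset of the hashes, so the block stays short; the full list can be pasted in unchanged because the algorithm is inferred from the length); the telemetry lines, hostnames and paths are constructed for the demo and are not real observations. It also handles two edge cases a hunter runs into: hashes logged in uppercase, and look-alike domains that merely end in the same characters as a listed domain.

```python
"""Match file-hash and DNS telemetry against the indicators published above.

Added example for this page (not code from the source pulse or Arctic Wolf).
The telemetry lines at the bottom are constructed for the demo; the IoC
values are copied from the page's Indicators of Compromise list.
"""
import re

# A subset of the page's hashes, two of each length; the full list can be
# pasted in unchanged because the algorithm is inferred from the length.
IOC_HASHES = {
    "0538e73fc195c3b4441721d4c60d0b96",                                   # MD5
    "f4b1a1516c99a196cd4d6af18f611766",                                   # MD5
    "041a2e52944e51d5ee1e115123961257ad255fd1",                           # SHA-1
    "f380ec15f81e79330bf443d4c4a9d6867c4e85de",                           # SHA-1
    "1564e19b36ffc4e12becc4fb73359de13191ac8df62def45f045efbd6ef36e79",   # SHA-256
    "f8d03814986599ed98ce8c83fbc9ce55b83095c179c54ec555c4ab372fa99700",   # SHA-256
}
# All five domains from the page.
IOC_DOMAINS = {"cseconline.org", "dorareco.net", "naturadeco.net",
               "paquimetro.net", "racineupci.org"}

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

# Longest alternative first so a SHA-256 is not taken for an MD5 prefix;
# the \b anchors stop a 32-hex match inside a longer hex run.
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
DOMAIN_RE = re.compile(rf"\b{LABEL}(?:\.{LABEL})+\b")


def hash_hits(line: str) -> list[tuple[str, str]]:
    """Return (algorithm, hash) for every listed hash in the line, case-insensitively."""
    hits = []
    for m in HEX_RE.finditer(line):
        h = m.group(0).lower()
        if h in IOC_HASHES:
            hits.append((HASH_ALGOS[len(h)], h))
    return hits


def domain_hits(line: str) -> list[tuple[str, str]]:
    """Return (listed_domain, observed_name) for names equal to, or under, a listed domain.

    The suffix test includes the dot, so 'notdorareco.net' does not match 'dorareco.net'.
    """
    hits = []
    for m in DOMAIN_RE.finditer(line.lower()):
        name = m.group(0).rstrip(".")
        for ioc in sorted(IOC_DOMAINS):
            if name == ioc or name.endswith("." + ioc):
                hits.append((ioc, name))
    return hits


def scan(lines) -> list[dict]:
    """Run both matchers over telemetry lines and collect findings with line numbers."""
    findings = []
    for n, line in enumerate(lines, 1):
        for algo, h in hash_hits(line):
            findings.append({"line": n, "kind": "hash", "algo": algo, "value": h})
        for ioc, name in domain_hits(line):
            findings.append({"line": n, "kind": "domain", "ioc": ioc, "value": name})
    return findings


# Constructed sample telemetry (hostname, paths and timestamps are invented).
SAMPLE_TELEMETRY = [
    # EDR file event carrying an uppercase MD5 that is on the list -> hit
    "2025-10-30T08:12:03Z host=WS-EXAMPLE-01 event=file_create "
    "path=C:\\Users\\user\\AppData\\Local\\Temp\\example.dll "
    "md5=0538E73FC195C3B4441721D4C60D0B96",
    # DNS query for a subdomain of a listed domain -> hit
    "2025-10-30T08:12:09Z host=WS-EXAMPLE-01 event=dns query=update.dorareco.net type=A",
    # Benign lookup -> no hit
    "2025-10-30T08:13:41Z host=WS-EXAMPLE-01 event=dns query=mail.example.org type=A",
    # Look-alike name that merely ends in the same characters -> no hit
    "2025-10-30T08:14:02Z host=WS-EXAMPLE-01 event=dns query=notdorareco.net type=A",
    # File event whose SHA-256 is not on the list -> no hit
    "2025-10-30T08:15:22Z host=WS-EXAMPLE-01 event=file_create path=C:\\Windows\\Temp\\b.tmp "
    "sha256=" + "0" * 64,
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_TELEMETRY):
        print(finding)
```

Run it as-is and it reports two findings from the constructed lines: the uppercase MD5 on line 1 and the `update.dorareco.net` lookup on line 2, while the look-alike `notdorareco.net` and the unlisted SHA-256 produce nothing. To use it on real data, replace `SAMPLE_TELEMETRY` with lines read from EDR or DNS exports and paste the full hash list into `IOC_HASHES`; a hit on a hash is strong evidence, whereas a domain hit only shows that a host resolved the name and should be correlated with the process that made the query.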
Technical Details
- Author: AlienVault
- TLP: white
- References: https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx
- Adversary: UNC6384
- Pulse Id: 690474cfdaff6b0b244d228b
- Threat Score: null
Threat ID: 69047c9e189d660333cf0809
Added to database: 10/31/2025, 9:08:46 AM
Last enriched: 10/31/2025, 9:09:05 AM
Last updated: 10/31/2025, 10:35:36 PM