A threat actor affiliated with China’s intelligence interests, tracked as UNC6384, has exploited an unpatched Windows vulnerability, CVE-2025-9491, to launch cyberespionage attacks against diplomatic personnel in Belgium, Hungary, and other European Union member states between September and October 2025.

The attack chain begins with spear-phishing emails carrying a malicious link. The lures are themed around European Commission meetings and NATO workshops, and victims are directed to a fake Microsoft login page presented as a genuine credential check for those events. Opening the link downloads an archive containing a malicious shortcut (.LNK) file; nothing runs until the victim launches that shortcut, which then executes a PowerShell command. That command drops a legitimately signed Canon printer assistant utility alongside a malicious DLL carrying the name the utility expects to load, so the signed utility side-loads the DLL, which in turn loads the PlugX remote-access trojan. A decoy PDF is opened at the same time, so the user sees the document they were promised while the implant runs in the background.

Security researchers at Arctic Wolf Labs assess with high confidence that UNC6384 is behind this campaign, based on overlaps in infrastructure, tactics and tooling with previously documented UNC6384 operations. The group sits within China's broader espionage ecosystem and overlaps with Mustang Panda (also tracked as TEMP.Hex), but in this campaign the operators are using a refined toolset and tighter operational stealth.

The vulnerability being exploited, CVE-2025-9491, was disclosed by Trend Micro's Zero Day Initiative researchers in March 2025. It lies in how Windows presents shortcut (.LNK) files: the command-line arguments stored in a shortcut can be padded with whitespace so that the Target field in Explorer's Properties dialog shows an apparently harmless launcher while the real command sits out of view, and opening the shortcut executes that command with the user's privileges. It requires user interaction, but it turns a file the victim is already inclined to open into a reliable execution primitive. Microsoft acknowledged the flaw but judged that it did not meet its bar for immediate servicing, a decision that critics say left many systems exposed.
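As an added illustration (not code from the article, Arctic Wolf or Trend Micro), the following Python shows how the defect behind CVE-2025-9491 can be checked for statically: it parses the Shell Link binary format to recover a shortcut's COMMAND_LINE_ARGUMENTS, then flags a long whitespace run followed by a command, which is the pattern that keeps the real command out of the Properties dialog. The two shortcut files are constructed in the code as fixtures; the padded one carries a harmless placeholder PowerShell command, and the 64-character padding threshold is an assumption.

```python
import re
import struct

# Shell Link (.LNK) layout constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields are stored in this fixed order, each only if its flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Whitespace characters used to push the real arguments out of the visible
# portion of the Target field in the shortcut's Properties dialog.
PAD_CLASS = r"[ \t\r\n\x0b\x0c]"


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .LNK file as a name -> str dict."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:  # uint16 IDListSize, then the IDList itself
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:  # uint32 LinkInfoSize covers the whole structure
        (linkinfo_size,) = struct.unpack_from("<I", data, pos)
        pos += linkinfo_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def assess_arguments(arguments: str, min_padding: int = 64) -> dict:
    """Flag COMMAND_LINE_ARGUMENTS that bury a command behind a long whitespace run."""
    run = re.search(PAD_CLASS + "{%d,}" % min_padding, arguments)
    if run is None:
        return {"suspicious": False, "padding": 0, "hidden": ""}
    hidden = arguments[run.end():].strip()  # the part no dialog would show
    return {"suspicious": bool(hidden), "padding": run.end() - run.start(), "hidden": hidden}


def scan_lnk(data: bytes) -> dict:
    """Parse a shortcut and report whether its arguments look padded to hide a command."""
    fields = parse_lnk(data)
    verdict = assess_arguments(fields.get("arguments", ""))
    verdict["target"] = fields.get("relative_path", "")
    return verdict


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .LNK (constructed test fixture, not a real sample)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags)
    header += struct.pack("<I", 0)  # FileAttributes
    header += b"\x00" * 24  # CreationTime, AccessTime, WriteTime
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize..Reserved3, ShowCommand=1
    idlist = struct.pack("<H", 2) + b"\x00\x00"  # empty IDList: just the TerminalID

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    terminal_block = struct.pack("<I", 0)  # end of ExtraData
    return header + idlist + string_data(relative_path) + string_data(arguments) + terminal_block


# Constructed samples: a plain shortcut, and one whose arguments are padded with
# 900 spaces before a hidden PowerShell command (harmless placeholder command).
BENIGN_LNK = build_lnk("..\\..\\Windows\\System32\\notepad.exe", "readme.txt")
PADDED_LNK = build_lnk(
    "..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    " " * 900 + '-w hidden -NoProfile -c "Write-Host constructed-sample"',
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, scan_lnk(blob))
```

Running the script prints a verdict for both fixtures; pointing scan_lnk at the bytes of a real shortcut works the same way. Any .LNK arriving by email or download whose arguments trip this check deserves quarantine before a user can double-click it, and the recovered hidden string is the command to hunt for in process telemetry.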

Victims in this campaign include diplomats and governmental organisations across Europe. Although the full list of affected entities has not been publicly disclosed, the targeting of diplomatic networks points to intelligence collection rather than financial gain. With access to credentials, internal email and network resources, the attackers could monitor communications, reposition for further intrusion and retain the option of disruption later.

Defending against a zero-day of this nature is hard because the intrusion begins with what looks like a legitimate file or document. Built-in Windows tools, signed binaries and minimal payloads defeat controls that look for malware signatures or known threats: a signed printer utility and a PowerShell process are each unremarkable on their own. What is anomalous is the sequence, Explorer launching a hidden PowerShell window that writes a signed executable into a user-writable directory, which then loads a DLL from beside it rather than from its own installation. For organisations in the diplomatic, governmental or defence sectors, the incident underlines the importance of behaviour-based detection that sees that sequence, strict least-privilege access and prompt patch management.

To protect networks effectively, specialists recommend reducing the number of internet-facing systems that handle sensitive credentials, enforcing multi-factor authentication on every account and closely monitoring remote login activity. Rapid detection of lateral movement, especially following the execution of an unusual file or process, is essential. With zero-day vulnerabilities the window for exploitation often opens immediately after disclosure, so delays in patching or configuration changes sharply increase risk; where the vendor has declined to ship a fix, as here, compensating controls have to carry the load: block or quarantine shortcut files arriving by email or download, and inspect the command-line arguments of any .LNK file that does get through.
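As an added example of the behaviour-based detection the paragraphs above call for (my code, not Arctic Wolf's or any vendor's), the following Python runs two rules over constructed process-creation and image-load events in the shape of Sysmon telemetry: a script interpreter launched from Explorer with a hidden window or encoded command, and a signed executable in a user-writable directory loading a DLL from beside it, with the second alert marked as chained when the loading process descends from the first. The PIDs, paths and the placeholder names printassist.exe/printassist.dll are constructed and do not refer to real campaign artefacts.

```python
import ntpath
import re

# Script hosts an attacker reaches for once a shortcut has been opened.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# -w hidden / -WindowStyle hidden, or -e / -enc / -EncodedCommand followed by a blob.
HIDDEN_OR_ENCODED = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?\s)", re.I)
# Directories a standard user can write to; a signed vendor binary running from
# here rather than from Program Files is the first oddity in a side-load.
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users|programdata|windows\\temp)\\", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _ancestors(pid: int, parents: dict) -> list:
    """Walk the parent map upwards (bounded, in case of recycled PIDs)."""
    chain = []
    for _ in range(32):
        pid = parents.get(pid)
        if pid is None:
            break
        chain.append(pid)
    return chain


def detect(events: list) -> list:
    """Run both rules over an ordered event list and correlate them by process ancestry."""
    parents = {}     # child pid -> parent pid, learned from process_create events
    flagged = set()  # pids of interpreters launched hidden from Explorer
    alerts = []
    for ev in events:
        if ev["type"] == "process_create":
            parents[ev["pid"]] = ev["parent_pid"]
            if (_base(ev["parent_image"]) == "explorer.exe"
                    and _base(ev["image"]) in INTERPRETERS
                    and HIDDEN_OR_ENCODED.search(ev["command_line"])):
                flagged.add(ev["pid"])
                alerts.append({"rule": "hidden-interpreter-from-explorer", "pid": ev["pid"],
                               "detail": ev["command_line"], "chained": False})
        elif ev["type"] == "image_load":
            image, loaded = ev["image"], ev["image_loaded"]
            if (USER_WRITABLE.search(image)
                    and ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
                    and ev["image_signed"] and not ev["loaded_signed"]):
                chained = any(p in flagged for p in _ancestors(ev["pid"], parents))
                alerts.append({"rule": "sideload-unsigned-dll-beside-signed-exe", "pid": ev["pid"],
                               "detail": loaded, "chained": chained})
    return alerts


# Constructed telemetry: a shortcut-launched PowerShell (pid 4100) runs a signed
# utility (pid 4200) from Temp, which loads an unsigned DLL sitting next to it.
# The last two events are benign controls that must not fire either rule.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "parent_pid": 2000,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -w hidden -NoProfile -c "Write-Host constructed-sample"'},
    {"type": "process_create", "pid": 4200, "parent_pid": 4100,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\vendor\printassist.exe",
     "command_line": "printassist.exe"},
    {"type": "image_load", "pid": 4200,
     "image": r"C:\Users\alice\AppData\Local\Temp\vendor\printassist.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\vendor\printassist.dll",
     "image_signed": True, "loaded_signed": False},
    {"type": "process_create", "pid": 5000, "parent_pid": 2000,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile"},
    {"type": "image_load", "pid": 5100,
     "image": r"C:\Program Files\Vendor\tool.exe",
     "image_loaded": r"C:\Program Files\Vendor\helper.dll",
     "image_signed": True, "loaded_signed": True},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Neither rule on its own is high-fidelity: administrators do run hidden PowerShell, and some legitimate installers stage signed binaries in Temp. The ancestry correlation is what turns two medium-confidence observations into one alert worth paging on, which is the practical meaning of "behaviour-based detection" in this campaign.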

The approach of UNC6384 also marks a shift in emphasis in state-linked cyber operations. Whereas the campaigns that draw most public attention are destructive ones, producing data wiping or infrastructure outages, the current activity focuses on stealthy access, credential theft and long-term presence. This suggests the adversary is layering espionage and reconnaissance ahead of any potential disruptive operation, and that defenders must assume a persistent threat even when no immediate damage is visible.

For European diplomats and governmental organisations, the implications are serious. If unauthorised access continues unchecked, it could lead to prolonged monitoring of sensitive communications, compromise of intellectual property or positioning for future interference. Because diplomatic networks often interconnect with national security, defence and critical infrastructure systems, a breach of this type could form the foundation for broader strategic advantage.

While UNC6384 is the entity most closely tied to the campaign, attribution remains inherently complex, and neither the victims nor Microsoft have publicly confirmed the full scope of the intrusion. The documented evidence of shortcut exploitation, DLL side-loading and PlugX deployment nonetheless aligns strongly with patterns seen in previous Chinese-aligned operations. Organisations should therefore treat a shortcut with padded or hidden arguments, a script interpreter spawned from a freshly opened file, or a trusted signed application running from an unexpected directory as potential indicators of compromise.

This incident is a reminder that even well-resourced diplomatic environments remain vulnerable to advanced persistent threats equipped with zero-day tools. For defenders, the immediate priority is to close the avenues such actors exploit: patching where a patch exists, isolating assets where it does not, and monitoring for behavioural anomalies throughout. A proactive stance, continual readiness and coordination between government, industry and international partners are now critical to diplomatic and cybersecurity resilience.