
Redazione RHC: 4 November 2025 15:27
The China-linked hacker group UNC6384 (also known as Mustang Panda) is conducting a large-scale cyberespionage campaign targeting European diplomatic and government agencies.
According to Arctic Wolf and StrikeReady, the hackers are exploiting an unpatched Windows vulnerability related to LNK shortcuts. The attacks were recorded in Hungary, Belgium, Italy, the Netherlands, and Serbia between September and October 2025.
According to researchers, the attacks begin with targeted phishing emails containing URLs to malicious LNK files. The subject lines of these emails typically refer to NATO defense procurement workshops, European Commission meetings on border facilitation, and other multilateral diplomatic events.
The malicious files exploit the CVE-2025-9491 vulnerability (CVSS score 7.0) in Windows shortcut handling. The flaw allows malicious command line arguments to be hidden inside .LNK files by padding them with whitespace in the COMMAND_LINE_ARGUMENTS structure, so that the shortcut's properties dialog shows nothing suspicious. The result is arbitrary code execution on vulnerable devices without the user's knowledge.
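The whitespace-padding trick described above is easy to spot once the COMMAND_LINE_ARGUMENTS field is read directly from the file rather than through the Explorer properties dialog. The following is an added example, not code from the article or from the researchers it cites: a small Python parser that walks the MS-SHLLINK header and StringData section, extracts the arguments, and flags a shortcut whose arguments begin with a long run of whitespace. The `build_lnk` helper only constructs minimal test shortcuts for the demonstration (they are not real-world samples), and the 16-character threshold and all function names are assumptions chosen for this example.

```python
import struct

# Layout constants from the documented MS-SHLLINK format
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in this fixed order, each present only if its flag is set
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]
HEADER_FMT = "<I16sIIQQQIIIHHII"  # the 76-byte ShellLinkHeader


def build_lnk(arguments, relative_path=r"..\Windows\System32\cmd.exe"):
    """Constructed test input (assumption, not a captured sample): a minimal Unicode .LNK
    carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS, with no IDList or LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack(HEADER_FMT, 0x4C, LINK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body + b"\x00\x00\x00\x00"  # terminal block


def parse_lnk(data):
    """Validate the header, skip the optional IDList and LinkInfo, return the StringData fields."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]  # IDListSize excludes its own 2 bytes
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]      # LinkInfoSize includes itself
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]     # CountCharacters, not bytes
        off += 2
        raw = data[off:off + (count * 2 if unicode else count)]
        off += len(raw)
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return fields


def analyze_lnk(data, pad_threshold=16):
    """Flag a shortcut whose arguments are pushed out of view by leading whitespace.
    The threshold is an assumption for this example; tune it to your own baseline."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    padding = len(args) - len(args.lstrip(" \t\r\n"))
    return {
        "target": fields.get("relative_path", ""),
        "arguments_stripped": args.strip(),
        "padding_chars": padding,
        "suspicious": padding >= pad_threshold,
    }


if __name__ == "__main__":
    # Constructed inputs: a normal shortcut and one with the arguments padded out of view
    for label, args in (("benign", "/c echo hello"), ("padded", " " * 300 + "/c echo hello")):
        print(label, analyze_lnk(build_lnk(args)))
```

Run against a directory of `.lnk` attachments pulled from mail quarantine, `analyze_lnk` gives a triage signal without opening anything in Explorer; shortcuts flagged here should be correlated with the PowerShell and DLL-sideloading behaviour the article describes next.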
When a victim opens such a file, a PowerShell command is executed that decrypts and extracts the contents of a TAR archive, while simultaneously displaying a decoy PDF to the user. The archive contains a legitimate Canon Printer Assistant utility, a malicious DLL called CanonStager, and an encrypted PlugX malware payload (cnmplog.dat), loaded via DLL sideloading.
PlugX (also known as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG) is a remote access Trojan that gives hackers complete control over an infected system. The malware can execute commands, intercept keystrokes, upload and download files, persist on the system by modifying the Windows registry, and perform in-depth reconnaissance.
PlugX’s modular architecture allows its operators to expand the Trojan’s functionality through plugins designed for specific tasks. The malware also uses anti-analysis and anti-debugging techniques to complicate analysis and remain undetected.
According to Arctic Wolf researchers, an evolution in the attackers' toolkit has been documented: the size of CanonStager artifacts has shrunk from 700 KB to 4 KB, indicating active development and an effort to minimize the malware's footprint. Additionally, in early September, the group reportedly began using HTML Application (HTA) files to load JavaScript code that retrieves payloads from a cloudfront[.]net subdomain.
It’s worth noting that the CVE-2025-9491 vulnerability has existed since at least 2017 and has been actively exploited by numerous hacker groups. Exploitation of this bug was first publicly reported in March 2025. At the time, Trend Micro analysts discovered that the vulnerability was being widely exploited by eleven “government” hacker groups and other cybercriminals, including Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, and Konni.
However, despite widespread exploitation, Microsoft developers have not yet released a patch for CVE-2025-9491. In March, company representatives stated that they would “consider addressing the issue,” but emphasized that the vulnerability did not require immediate attention. Microsoft also emphasized that Defender has detection tools to block such activity and that Smart App Control provides additional protection.
Since there is no official patch yet, Arctic Wolf recommends limiting or blocking the use of LNK files in Windows, blocking connections to the command-and-control infrastructure identified by the researchers, and strengthening monitoring of suspicious network activity.
Redazione