A new cyber espionage campaign has been uncovered targeting European diplomats using a sophisticated strain of PlugX malware. The operation has been attributed to a Chinese-affiliated threat group known as UNC6384, which exploited an unpatched Windows shortcut vulnerability tracked as CVE-2025-9491 (previously ZDI-CAN-25373). The attacks took place between September and October 2025 and primarily targeted diplomatic and government entities across Hungary, Belgium, Italy, the Netherlands, and Serbia.
Threat Summary Table
| Field | Detail |
|---|---|
| Threat Actor | UNC6384 (China-linked) |
| Primary Malware | PlugX (Korplug, SOGU, Destroy RAT) |
| Vulnerability Exploited | CVE-2025-9491 (Windows Shortcut Vulnerability, ZDI-CAN-25373) |
| Targets | European diplomatic and government entities (Hungary, Belgium, Italy, Netherlands, Serbia) |
| Initial Access | Spear-phishing emails containing malicious LNK files |
| Payload Delivery | DLL side-loading using Canon printer utilities |
| Impact | Remote access, credential theft, data exfiltration, and persistent surveillance |
Overview of the Campaign
The PlugX malware campaign represents an evolution in UNC6384’s tactics. This group, linked to the People’s Republic of China, rapidly weaponized a Windows vulnerability disclosed in early 2025 to carry out targeted espionage against European institutions. The campaign relied heavily on social engineering, using spear-phishing emails disguised as legitimate invitations to European Commission meetings, NATO workshops, and multilateral diplomatic events.
These emails contained embedded URLs leading to malicious LNK files. When opened, the LNK files exploited CVE-2025-9491 to execute hidden PowerShell commands, deploy staged payloads, and eventually install PlugX through DLL side-loading. This approach allowed attackers to disguise their malware as trusted Canon printer utilities while maintaining persistence inside victim environments.
How the Windows Shortcut Exploit Works
The root cause of these intrusions lies in CVE-2025-9491, a high-severity Windows shortcut flaw that allows attackers to execute commands silently when a specially crafted .LNK file is opened. This vulnerability, which affects Windows 10 and Windows 11, has not yet been officially patched. Researchers found that the LNK files used by UNC6384 were designed with excess whitespace padding in the command-line argument structure, enabling malicious PowerShell execution under legitimate process contexts.
According to reports, this technique has been circulating since 2017 but was adapted by multiple threat actors in 2025, including UNC6384, XDSpy, and other espionage-focused groups. The Arctic Wolf research team confirmed that the exploit chain involved downloading and extracting a TAR archive that contained three files: a legitimate Canon utility, a malicious DLL named CanonStager, and an encrypted PlugX payload (cnmplog.dat).
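Added here as a defender-side illustration (not code from the report or from Arctic Wolf): a minimal parser for the Shell Link (MS-SHLLINK) format that pulls the COMMAND_LINE_ARGUMENTS string out of a .lnk file and flags a long run of leading whitespace, the padding pattern described above, which pushes the real command out of the visible field of the shortcut's Properties dialog. PAD_THRESHOLD, the build_lnk helper and the placeholder commands in the two sample shortcuts are constructed assumptions.

```python
import struct
from typing import Optional

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOC, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA_ORDER = (HAS_NAME, HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOC)
PAD_CHARS = " \t\r\n\x0b\x0c"
PAD_THRESHOLD = 64  # assumed cut-off; normal shortcuts carry no leading padding at all

def lnk_arguments(data: bytes) -> Optional[str]:
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk blob, or None if absent."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:        # LinkTargetIDList: u16 size, then the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfo: u32 size that includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag in STRING_DATA_ORDER:  # StringData sections always appear in this order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        strings[flag] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
        pos += count * width
    return strings.get(HAS_ARGUMENTS)

def padding_length(args: str) -> int:
    """Count leading whitespace characters that precede the real command line."""
    return len(args) - len(args.lstrip(PAD_CHARS))

def is_suspicious(data: bytes) -> bool:
    args = lnk_arguments(data)
    return args is not None and padding_length(args) >= PAD_THRESHOLD

def build_lnk(args: str) -> bytes:
    """Constructed sample: minimal LNK with only HasArguments | IsUnicode set."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    header += bytes(0x4C - len(header))  # remaining header fields zeroed
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

BENIGN_LNK = build_lnk("/c echo hello")                                  # padding 0
PADDED_LNK = build_lnk(" " * 400 + "/c echo placeholder-hidden-command")  # padding 400
```

Run is_suspicious over shortcuts found in mail attachments or the user's temporary folder; a real shortcut with hundreds of leading whitespace characters in its arguments is the signature worth escalating.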
Attack Chain and Technical Breakdown
The attack follows a multi-stage chain that ensures stealth and persistence:
- Stage 1: Victims receive phishing emails containing LNK files disguised as meeting agendas or workshop invites. The LNK files execute hidden PowerShell scripts that extract a TAR archive to the system’s temporary folder.
- Stage 2: The TAR archive contains a signed Canon printer assistant binary (cnmpaui.exe), a malicious DLL (cnmpaui.dll), and an encrypted PlugX payload (cnmplog.dat).
- Stage 3: The Canon binary loads the malicious DLL via side-loading, which then decrypts and injects PlugX directly into memory. This technique allows the malware to run under a legitimate, digitally signed process, evading detection.
The malware uses RC4 encryption for payload protection, employs anti-debugging techniques, and dynamically resolves Windows API calls to conceal its behavior. Once active, PlugX connects to its command and control (C2) servers using HTTPS over port 443, communicating with domains such as racineupci[.]org and dorareco[.]net.
PlugX Malware Capabilities
PlugX is one of the longest-running espionage tools in existence. Initially discovered in 2008, it remains a favorite among Chinese threat groups for its versatility and modular design. The malware enables full remote access to infected systems, allowing attackers to execute commands, exfiltrate files, capture keystrokes, and gather system intelligence.
Each campaign iteration of PlugX includes unique plugins for expanded capabilities. The version deployed by UNC6384 can establish persistence via Windows registry entries, create hidden directories with deceptive names such as “SecurityScan” or “DellSetupFiles,” and move itself between directories to complicate forensic analysis.
In this campaign, PlugX maintained stealth by operating entirely in memory, using a combination of obfuscated shellcode, control-flow flattening, and runtime string decryption. This made static analysis and reverse-engineering extremely difficult, even for advanced security teams.
UNC6384’s Connection to Chinese Espionage Operations
UNC6384 has been repeatedly associated with Chinese state-linked espionage efforts. It shares tooling, command and control infrastructure, and operational patterns with Mustang Panda, also known as TEMP.Hex. The group’s transition from Southeast Asian targeting to European diplomatic networks marks a significant expansion in its intelligence collection objectives.
The campaign’s focus on defense cooperation, cross-border policy coordination, and EU foreign affairs strongly aligns with the People’s Republic of China’s strategic interest in monitoring European alliance cohesion and military readiness. The use of realistic conference themes and official European Commission meeting details demonstrates UNC6384’s detailed reconnaissance and social engineering capabilities.
Indicators of Compromise
| File Name | Type | Description | 
|---|---|---|
| Agenda_Meeting 26 Sep Brussels.lnk | LNK | Weaponized shortcut exploiting CVE-2025-9491 | 
| cnmpaui.exe | Binary | Legitimate Canon utility used for DLL side-loading | 
| cnmpaui.dll | DLL | Malicious loader that decrypts PlugX payload | 
| cnmplog.dat | Data | Encrypted PlugX payload | 
| racineupci[.]org | Domain | Command and control server | 
| dorareco[.]net | Domain | Command and control server | 
Mitigation Recommendations
Organizations, especially those involved in diplomacy, government, and international affairs, should immediately take the following precautions to mitigate the risks associated with PlugX and the CVE-2025-9491 exploit:
- Disable or limit automatic resolution of .LNK files from untrusted sources in Windows Explorer.
- Implement endpoint monitoring tools capable of detecting DLL side-loading and in-memory malware execution.
- Conduct file integrity checks to ensure no unauthorized Canon utilities or DLLs are present in unusual directories.
- Block known C2 domains (e.g., racineupci[.]org, dorareco[.]net, naturadeco[.]net) at the firewall or DNS layer.
- Apply strict network segmentation for systems handling diplomatic or policy-sensitive communications.
- Use updated antivirus and anti-malware solutions to detect and quarantine PlugX variants.
- Train staff on phishing awareness and security best practices to reduce initial compromise risk.
Outlook and Continued Risk
The PlugX campaign underscores the persistent threat of advanced espionage targeting global diplomatic networks. UNC6384’s rapid exploitation of a newly disclosed Windows vulnerability highlights the urgent need for coordinated patch management and proactive cybersecurity defense strategies across public and private sectors.
As PlugX continues to evolve, its adaptability and modular framework ensure it will remain an active threat in future campaigns. Continuous monitoring, network segmentation, and layered defense remain the most effective countermeasures against this long-standing espionage toolkit.