Suspected Chinese spies exploit unpatched Windows flaw – The Register

Cyberspies linked to the Chinese government exploited a Windows shortcut vulnerability revealed in March – but which Microsoft has yet to patch – to target European diplomats in an attempt to steal defense and national security information.

Security firm Arctic Wolf attributed the spying campaign to UNC6384 (aka Mustang Panda, Twill Typhoon) and, in a study released Thursday, detailed how suspected PRC spies used social engineering and the Windows vulnerability to deploy PlugX malware against staff attending diplomatic conferences in September and October.

“This campaign demonstrates the ability of UNC6384 to rapidly adopt a vulnerability within six months of public disclosure, advanced social engineering leveraging detailed knowledge of diplomatic calendars and event themes, and an operational expansion of traditional targeting from Southeast Asia to European diplomatic entities,” the Arctic Wolf Labs threat research team said.

UNC6384 is an alleged Beijing-backed crew that, according to Google’s Threat Intelligence Group, targeted diplomats in Southeast Asia earlier this year before ultimately deploying the PlugX backdoor — a long-time favorite of Beijing-backed goon squads that allows them to remotely access and control infected machines, steal files, and deploy additional malware.

In its latest campaign, UNC6384 targeted diplomats in Belgium, Hungary, Italy and the Netherlands, as well as Serbian government aviation departments in September and October 2025, according to Arctic Wolf.

Zero Day Initiative threat hunter Peter Girnus discovered and reported the flaw to Microsoft in March, and said it had been abused as a zero-day as early as 2017, with 11 state-sponsored groups from North Korea, Iran, Russia and China using ZDI-CAN-25373 for cyberespionage and data theft.

Blame ZDI-CAN-25373

The attacks start with phishing emails using very specific thematic lures around European defense and security cooperation and the development of cross-border infrastructure. These emails delivered a weaponized LNK file that exploited ZDI-CAN-25373 (aka CVE-2025-9491), a Windows shortcut vulnerability, to allow attackers to secretly execute commands by adding whitespace padding to the COMMAND_LINE_ARGUMENTS structure of the LNK file.
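As an added example (not from the article or from Arctic Wolf's report), the following Python script parses a shortcut file's header and StringData section according to the MS-SHLLINK layout and flags a COMMAND_LINE_ARGUMENTS string that carries a long run of whitespace, which is the padding pattern described above. It also prints the arguments with the padding collapsed so an analyst sees what the shortcut properties dialog would not show. The `build_lnk` helper, the 64-character threshold, the `PAD_CHARS` set (standard ASCII whitespace), the default `relative_path`, and the benign `Write-Output` argument strings are constructed test fixtures, not samples from the campaign.

```python
"""Flag Windows shortcut (.lnk) files whose COMMAND_LINE_ARGUMENTS are padded
with whitespace. Layout follows the MS-SHLLINK specification: a 0x4C-byte
header, optional LinkTargetIDList and LinkInfo blocks, then StringData."""
import struct
import sys

HEADER_SIZE = 0x4C
# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Whitespace characters that push the real arguments out of view in the
# shortcut properties UI (assumed set: standard ASCII whitespace).
PAD_CHARS = " \t\n\x0b\x0c\r"
PAD_THRESHOLD = 64  # assumed threshold for a "long" run; tune per environment


def _read_string_data(data, off, unicode):
    """StringData = CountCharacters (uint16) + string with no terminator."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    if unicode:
        end = off + count * 2
        return data[off:end].decode("utf-16-le"), end
    end = off + count
    return data[off:end].decode("latin-1"), end


def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]  # LinkFlags follows the 16-byte CLSID
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]      # LinkInfoSize covers the block
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    # StringData entries appear in this fixed order, each only if its flag is set
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], off = _read_string_data(data, off, unicode)
    return fields


def analyze_arguments(args):
    """Return (suspicious, longest_padding_run, arguments_with_padding_collapsed)."""
    longest = run = 0
    for ch in args:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    return longest >= PAD_THRESHOLD, longest, " ".join(args.split())


def scan_file(path):
    """Triage one .lnk file on disk."""
    with open(path, "rb") as fh:
        fields = parse_lnk(fh.read())
    return analyze_arguments(fields.get("arguments", ""))


# --- constructed test fixture (not a sample from the campaign) -------------
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}


def build_lnk(arguments, relative_path="..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"):
    """Build a minimal Unicode shell link carrying only RelativePath and Arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1-3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def sd(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + sd(relative_path) + sd(arguments)


if __name__ == "__main__":
    samples = {
        "benign": build_lnk("-NoProfile -Command Write-Output ok"),
        "padded": build_lnk(" \t" * 150 + "-NoProfile -Command Write-Output hidden"),
    }
    for label, blob in samples.items():
        suspicious, longest, visible = analyze_arguments(parse_lnk(blob)["arguments"])
        print(f"{label}: suspicious={suspicious} longest_pad_run={longest} args={visible!r}")
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

Run it with no arguments to see the two constructed fixtures classified, or pass `.lnk` paths (for example, attachments pulled from a mail quarantine) to triage them; the parser deliberately stops after StringData, since the fields that follow are not needed for this check.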

Malicious files, like the one named Agenda_Meeting 26 Sep Brussels.lnk, use diplomatic conference themes as lures with a decoy PDF document, in this case displaying a real agenda of a European Commission meeting aimed at facilitating the free movement of goods at border crossing points between the EU and Western Balkan countries.

The LNK file, when executed, invokes PowerShell to decode and extract a tar (tape archive) file containing three files that enable the attack chain via DLL sideloading, a malware delivery technique favored by several Chinese government teams, including Salt Typhoon.

DLL sideloading exploits the search order of Windows DLLs by tricking an application into loading a malicious DLL instead of a legitimate DLL.

Among the three files is a legitimate but expired Canon printer support utility with a valid digital signature issued by Symantec. Although the certificate expired in April 2018, Windows still trusts binaries whose signatures include a valid timestamp, which lets attackers bypass security tools and distribute malware via DLL sideloading.

The malicious DLL functions as a loader to decrypt and execute the third file in the archive, cnmplog.dat, which contains the encrypted PlugX payload.

PlugX, which has been around since at least 2008, is a remote access Trojan (RAT) that provides attackers with all the functionality of remote access, including command execution, keylogging, file downloading, persistent access, and system reconnaissance.

“This three-step execution flow completes the deployment of PlugX malware executing stealthily within a legitimate signed process, significantly reducing the likelihood of detection by endpoint security solutions,” the researchers wrote.

Microsoft did not immediately respond to The Register's questions on Chinese and other nation states exploiting ZDI-CAN-25373, or on whether and when it plans to patch the security flaw.®