China’s UNC6384 Strikes Again: Unpatched Windows Flaw Exploited in Europe!
UNC6384, a China-linked threat actor, targets European diplomats with phishing emails to exploit a Windows shortcut vulnerability. Using sneaky LNK files, they deploy PlugX malware, which gives the operators remote access and espionage capabilities. It’s like the James Bond of malware—minus the tuxedo, with more DLL side-loading and fewer martinis. Stay alert, Europe!

Hot Take:
Looks like UNC6384 is taking a page out of the “How to Annoy European Diplomats” playbook. With a penchant for phishing and a love for DLL side-loading, they’re making malware deployment look like an art form. If only they could use their powers for good and invent a new pastry instead of a digital headache. But alas, we’ll stick with croissants and cyber threats.
Key Points:
- China-affiliated threat actor UNC6384 is exploiting an unpatched Windows shortcut vulnerability.
- Targets include European diplomatic and government entities, with a focus on countries like Hungary and Belgium.
- The attack involves spear-phishing emails and a multi-stage deployment of PlugX malware.
- The vulnerability, tracked as CVE-2025-9491 (ZDI-CAN-25373), allows malicious commands to run while staying hidden from view.
- UNC6384’s tactics include using HTML Applications and cloud services to deliver payloads stealthily.
Diplomats in the Crosshairs
If you thought diplomacy was all about fancy dinners and handshakes, think again. UNC6384 is putting the “cyber” in cyber diplomacy with a new wave of attacks targeting European diplomatic bodies. By exploiting a Windows shortcut vulnerability, they’re delivering more than just emails to inboxes – they’re dropping malicious payloads like it’s hot! The attack chain is a masterclass in multi-stage mayhem, using spear-phishing emails to kick off a digital dance that ends with the deployment of PlugX malware. It’s like a never-ending game of “catch me if you can” but with a lot more coding and a lot less Leo DiCaprio.
Phishing for Trouble
The attack begins with a classic phishing expedition, hooking targets with emails that look like they belong in a James Bond film. These emails dangle enticing subjects like European Commission meetings and NATO workshops. But instead of James Bond, you get a sneaky LNK file ready to exploit the ZDI-CAN-25373 vulnerability. It’s the cyber equivalent of being lured into a van with promises of free candy – except the candy is a TAR archive, and the van is a compromised PC.
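An added defender-side illustration, not code from the original post: a small Python reader for the StringData section of an LNK file that flags a command line hidden behind a long whitespace run, the presentation trick ZDI-CAN-25373 describes. The padding threshold and the two sample shortcuts are constructed assumptions.

```python
import re
import struct

LNK_MAGIC = 0x4C                                   # HeaderSize of a ShellLinkHeader
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID, little-endian
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
PAD_THRESHOLD = 20   # assumption: no legitimate argument string needs this much whitespace

def parse_lnk(data: bytes) -> dict:
    """Read the header, skip LinkTargetIDList/LinkInfo, return the StringData fields."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:     # IDListSize (2 bytes) excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:   # LinkInfoSize (4 bytes) covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "latin-1")
    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                     (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if flags & bit:        # CountCharacters (2 bytes) then the string, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            fields[key] = data[pos + 2:pos + 2 + count * width].decode(enc)
            pos += 2 + count * width
    return fields

def padded_arguments(args: str, threshold: int = PAD_THRESHOLD) -> bool:
    """True when a whitespace run of at least `threshold` chars is followed by more text."""
    return re.search(r"\s{%d,}\S" % threshold, args) is not None

def scan(data: bytes) -> dict:
    """Verdict for one .lnk blob: the target path and whether its arguments are padded."""
    info = parse_lnk(data)
    return {"target": info.get("relative_path"), "padded": padded_arguments(info.get("arguments", ""))}

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed sample: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS + terminal block."""
    header = struct.pack("<I", LNK_MAGIC) + LNK_CLSID + struct.pack("<I", HAS_RELPATH | HAS_ARGS | IS_UNICODE)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")   # one StringData entry
    return header + bytes(52) + sd(relative_path) + sd(arguments) + bytes(4)

# Constructed samples: an ordinary shortcut, and one whose real command line starts 300 whitespace chars in.
BENIGN = build_lnk("..\\..\\Windows\\System32\\notepad.exe", "agenda.txt")
SUSPECT = build_lnk("..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                    " \t" * 150 + "-c [constructed placeholder command]")
```

Run `scan()` over quarantined attachments; a hit on `padded` is worth a look even when the target is a signed Windows binary, since the padding is the whole point.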
The Malware Symphony
Once the LNK file works its magic, it’s time for the malware orchestra to take the stage. The show features a PowerShell command that decodes and extracts a TAR archive, revealing a legitimate Canon utility, a malicious DLL that the utility side-loads, and the notorious PlugX payload. This malware ensemble has it all: command execution, keylogging, and a modular architecture that would make a Swiss Army knife jealous. It’s like someone turned a Trojan horse into a full-fledged Trojan symphony.
PlugX Marks the Spot
PlugX, the malware star of the show, is no stranger to the spotlight. Known by many names, including Destroy RAT and TIGERPLUG, PlugX offers comprehensive remote access capabilities. Think of it as the Swiss Army knife of malware, but with more persistence and less utility. It’s got anti-analysis tricks up its sleeve, ensuring it can fly under the radar and keep its operators plugged into the victim’s system for as long as they please.
Stealth Mode: Activated
As if being sneaky wasn’t enough, UNC6384 is refining its malware delivery techniques. They’ve downsized their CanonStager artifacts from 700 KB to a mere 4 KB, proving that size doesn’t matter when it comes to digital espionage. In a further show of sophistication, they’re using HTML Applications to load external JavaScript and retrieve payloads from cloud services. It’s like ordering a stealth bomber off the internet – just add to cart and watch your payloads fly.
Strategic Espionage FTW
UNC6384’s focus on European diplomatic entities isn’t just for fun – it’s a strategic move aligned with the PRC’s intelligence interests. By targeting defense cooperation and policy coordination, they’re aiming to gather intel on European alliances and initiatives. It’s cyber espionage with a geopolitical twist, and it’s making European diplomats wish they could go back to simpler times – like when they only had to worry about which fork to use at state dinners.
With UNC6384’s antics continuing to evolve, it’s clear that the cyber world is anything but boring. As long as there are vulnerabilities to exploit and diplomats to target, UNC6384 will be there, lurking in the digital shadows and making sure no email goes unread and no shortcut goes unexploited.
