Full Report
A China-affiliated threat actor known as UNC6384 has been linked to a fresh set of attacks exploiting an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025. The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf said in a
Analysis Summary
# Threat Actor: UNC6384
## Attribution & Identity
* **Primary Identifier:** UNC6384
* **Affiliation:** China-affiliated threat actor.
* **Associated Groups:** Cluster demonstrates tactical and tooling overlaps with the hacking group **Mustang Panda**.
## Activity Summary
UNC6384 was linked to a fresh set of attacks executed between September and October 2025. These attacks specifically targeted European diplomatic and government entities using a newly exploited, unpatched Windows shortcut vulnerability. The campaign utilized spear-phishing emails with diplomatic lures (themed around European Commission meetings, NATO-related workshops, etc.) designed to trick recipients into opening malicious LNK files. The ultimate goal of the activity appears to be espionage/intelligence gathering, evidenced by the deployment of the PlugX remote access trojan.
## Tactics, Techniques & Procedures
* **Initial Access:** Spear-phishing emails containing malicious embedded URLs leading to LNK files.
* **Exploitation:** Exploiting the unpatched Windows shortcut vulnerability tracked as **ZDI-CAN-25373** (equivalent to **CVE-2025-9491**).
* **Execution Chain:** The LNK file triggers a multi-stage attack chain:
  1. Launches a PowerShell command.
  2. The PowerShell command decodes and extracts the contents of a TAR archive while displaying a decoy PDF document.
  3. The archive contains a legitimate Canon printer utility, a malicious DLL (**CanonStager**), and an encrypted PlugX payload (**cnmplog.dat**).
  4. **DLL Side-Loading:** CanonStager is sideloaded using the legitimate Canon binary.
* **Payload Delivery:** Delivers the **PlugX** Remote Access Trojan (RAT), also referred to as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG (the memory-resident variant SOGU.SEC was also previously observed).
* **Persistence:** Achieved via a Windows Registry modification.
* **Capabilities:** Comprehensive remote access, including command execution, keylogging, file upload/download, and system reconnaissance.
* **Evasion/Refinement:**
  * Employs anti-analysis and anti-debugging checks.
  * Observed attempting to minimize forensic footprint; artifact sizes (CanonStager) decreased significantly from ~700 KB to 4 KB during the campaign window (Sep-Oct 2025).
  * In early September, the actor leveraged an **HTML Application (HTA) file** to load an external JavaScript, which retrieved payloads from a cloudfront[.]net subdomain.
## Targeting
* **Sectors:** Diplomatic organizations and Government agencies.
* **Geography:** Europe.
* **Victims:** Diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands; Government agencies in Serbia.
## Tools & Infrastructure
* **Malware Families Used:**
  * **PlugX** (Remote Access Trojan/RAT), variations include SOGU.SEC, Destroy RAT, Kaba, Korplug, TIGERPLUG.
  * Custom DLL: **CanonStager**.
  * Encrypted Payload: **cnmplog.dat**.
* **Infrastructure:**
  * Leveraged **cloudfront[.]net** subdomains in early September for payload retrieval.
## Implications
UNC6384 demonstrates a consistent focus on exploiting critical vulnerabilities (ZDI-CAN-25373 / CVE-2025-9491) to target sensitive geopolitical entities within Europe. The rapid evolution shown by the reduction in artifact size and the adoption of HTA delivery methods indicates active development and a sophisticated approach to remaining covert. The use of PlugX confirms an objective of maintaining long-term remote access for likely intelligence collection.
## Mitigations
* Patch or mitigate the Windows shortcut vulnerability (**CVE-2025-9491** / ZDI-CAN-25373) immediately, as it continues to be exploited by various actors.
* Implement robust email filtering and anti-phishing training, specifically warning against lures related to diplomatic/NATO events.
* Monitor for DLL side-loading activities involving legitimate utilities like printer assistants alongside suspicious DLLs.
* Monitor for PowerShell execution designed to decode and launch payloads from archives.
* Utilize advanced endpoint detection to look for registry modifications associated with persistence mechanisms used by PlugX variants.
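The execution chain above (PowerShell decoding and unpacking a TAR archive, then a Canon utility side-loading a DLL) and the monitoring recommendations in the Mitigations list describe two behaviours that can be checked in endpoint telemetry. The following is an added detection sketch written for this summary, not code from Arctic Wolf or from the report; it runs over constructed Sysmon-style process-creation and image-load records. The DLL file name, executable name, base64 blob, paths and the `image_signer` field are placeholders or assumptions, since the report names CanonStager and cnmplog.dat but not the on-disk DLL name or the exact command line.

```python
"""Detection sketch for the two behaviours described in the report.

All events below are constructed for illustration; none are telemetry
from the actual campaign.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Directories a standard user can write to. A vendor utility loading a DLL
# from one of these (instead of from Program Files) is the side-loading signal.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.IGNORECASE
)

# Indicators for the PowerShell stage: a decode step plus TAR extraction,
# optionally with a decoy PDF opened alongside. Patterns are assumptions.
DECODE_RE = re.compile(r"FromBase64String|-EncodedCommand|-enc\b|\[Convert\]", re.IGNORECASE)
TAR_RE = re.compile(r"\btar(\.exe)?\b.*\s-x|Expand-Archive|\.tar\b", re.IGNORECASE)
PDF_RE = re.compile(r"\.pdf\b", re.IGNORECASE)


@dataclass
class Event:
    kind: str                               # "process" or "image_load"
    image: str                              # executable path of the process
    command_line: str = ""
    parent_image: str = ""
    loaded: str = ""                        # DLL path for image_load events
    loaded_signed: Optional[bool] = None    # signature status of the loaded DLL
    image_signer: str = ""                  # publisher of the loading process (constructed field)


def flag_powershell_stage(ev: Event) -> Optional[str]:
    """Rule 1: PowerShell that both decodes data and unpacks a TAR archive.

    Both indicators must co-occur; either one alone is routine admin activity.
    """
    if ev.kind != "process" or not ev.image.lower().endswith("powershell.exe"):
        return None
    cl = ev.command_line
    if DECODE_RE.search(cl) and TAR_RE.search(cl):
        detail = "decode+tar"
        if PDF_RE.search(cl):
            detail += "+decoy-pdf"
        return f"powershell-archive-stage ({detail})"
    return None


def flag_sideload(ev: Event) -> Optional[str]:
    """Rule 2: a process loads an unsigned DLL from a user-writable directory.

    Reports whether the DLL sits beside the executable, the classic
    search-order side-loading layout.
    """
    if ev.kind != "image_load" or not ev.loaded.lower().endswith(".dll"):
        return None
    if ev.loaded_signed is False and USER_WRITABLE.search(ev.loaded):
        same_dir = ev.loaded.rsplit("\\", 1)[0].lower() == ev.image.rsplit("\\", 1)[0].lower()
        return f"dll-sideload ({ev.image_signer or 'unknown signer'}, same_dir={same_dir})"
    return None


def triage(events):
    """Run every rule over every event; return (event index, alert) pairs."""
    hits = []
    for i, ev in enumerate(events):
        for rule in (flag_powershell_stage, flag_sideload):
            alert = rule(ev)
            if alert:
                hits.append((i, alert))
    return hits


# Constructed sample telemetry: two events modelled on the reported chain,
# followed by two benign controls that must not fire.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=(r"powershell -w hidden -c $d=[Convert]::FromBase64String('QUJD...');"
                        r"[IO.File]::WriteAllBytes('$env:TEMP\p.tar',$d);"
                        r"tar -xf $env:TEMP\p.tar -C $env:APPDATA\x; start $env:APPDATA\x\invite.pdf"),
          parent_image=r"C:\Windows\explorer.exe"),
    Event("image_load", r"C:\Users\u\AppData\Roaming\x\PRINTER_UTILITY_PLACEHOLDER.exe",
          loaded=r"C:\Users\u\AppData\Roaming\x\CONSTRUCTED_stager.dll",
          loaded_signed=False, image_signer="Canon Inc. (constructed field)"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r"tar -xf C:\builds\release.tar -C C:\builds\out",
          parent_image=r"C:\Windows\System32\cmd.exe"),
    Event("image_load", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          loaded=r"C:\Windows\System32\kernel32.dll", loaded_signed=True,
          image_signer="Microsoft Windows"),
]

if __name__ == "__main__":
    for idx, alert in triage(SAMPLE_EVENTS):
        print(f"event[{idx}]: {alert}")
```

Requiring the decode and TAR indicators to co-occur keeps rule 1 from firing on an administrator unpacking a build artifact (the third sample event), while rule 2 keys on signature status and load location rather than on any specific DLL name, so it does not depend on the 700 KB-to-4 KB CanonStager variants sharing a hash.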