Full Report
Expired security cert, real Brussels agenda, plus PlugX malware finish the job
Cyber spies linked to the Chinese government exploited a Windows shortcut vulnerability disclosed in March – but that Microsoft hasn't fixed yet – to target European diplomats in an effort to steal defense and national security details.…
Analysis Summary
# Threat Actor: UNC6384
## Attribution & Identity
* **Attribution:** Cyber spies linked to the Chinese government (suspected PRC actors).
* **Known Aliases:** Mustang Panda, Twill Typhoon.
## Activity Summary
* The actor conducted an espionage campaign targeting European diplomats during September and October 2025.
* The primary goal was to steal defense and national security details.
* This campaign demonstrates the group's ability to rapidly adopt newly disclosed vulnerabilities (within six months) and expand their operational focus from traditional Southeast Asia targeting to European entities.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of a Windows shortcut vulnerability (ZDI-CAN-25373 / CVE-2025-9491), which had not been patched by Microsoft at the time of the attack.
* **Social Engineering:** Used highly specific phishing emails leveraging themes related to European defense cooperation, security, and cross-border infrastructure development.
* **Execution:** Weaponized LNK files were delivered that exploited the flaw by padding `COMMAND_LINE_ARGUMENTS` with whitespace, concealing the command that is actually executed.
* **Payload Delivery:** The LNK file invoked PowerShell to decode and extract a tar archive containing components for DLL side-loading.
* **Defense Evasion/Delivery:** Utilized DLL side-loading via a legitimate but expired Canon printer assistant utility (signed by Symantec; the certificate expired in 2018), which was still trusted because its signature carried a valid timestamp.
* **Execution Flow:** A malicious DLL loaded by the legitimate utility decrypted and executed the final payload (`cnmplog.dat`).
* **Persistence/C2:** Deployed the PlugX Remote Access Trojan (RAT).
* **Techniques Mentioned:** DLL side-loading; use of expired but validly timestamped signed binaries to pass signature checks.
* **MITRE ATT&CK IDs:** Not explicitly provided in the text description.
## Targeting
* **Sectors:** Government/Diplomatic entities.
* **Geography:** European diplomats, specifically targeting personnel in Belgium, Hungary, Italy, and the Netherlands. Serbian government aviation departments were also targeted.
* **Victims:** European diplomats attending conferences related to defense and security cooperation.
## Tools & Infrastructure
* **Malware Families Used:** PlugX (a Remote Access Trojan, RAT).
* **Infrastructure:** The article does not detail specific C2 infrastructure (domains/IPs).
## Implications
* The campaign highlights the acute risk posed by zero-day or unpatched vulnerabilities in widely used operating systems (Windows) when weaponized rapidly by sophisticated state-sponsored actors.
* The use of DLL side-loading with legitimate-but-expired signed binaries demonstrates advanced tradecraft intended to evade modern endpoint security detection.
* The shift in focus towards European diplomatic targets signals an adjustment in intelligence collection priorities for this actor group.
## Mitigations
* Patching of the Windows shortcut vulnerability (ZDI-CAN-25373 / CVE-2025-9491) is paramount, although the article implies Microsoft had not yet issued a fix.
* Enhanced scrutiny of LNK files delivered via email, especially those related to current geopolitical/diplomatic events.
* Implement controls to detect and block DLL side-loading, particularly where unsigned or older signed binaries are used as loaders.
* Review endpoint security configurations regarding trust levels for binaries with expired certificates but valid timestamps.
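As an added illustration of the LNK scrutiny recommended above (this is not code from the article, Microsoft or any vendor), the Python below walks the MS-SHLLINK StringData section to pull out `COMMAND_LINE_ARGUMENTS` and flags the long whitespace run described under Execution. The `.lnk` bytes are constructed in-script as a fixture, and the 16-character threshold is an assumed tuning value.

```python
import struct
LNK_HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80  # LinkFlags bits (MS-SHLLINK 2.1.1)
STRING_FIELDS = ((0x04, "NAME_STRING"), (0x08, "RELATIVE_PATH"), (0x10, "WORKING_DIR"),
                 (0x20, "COMMAND_LINE_ARGUMENTS"), (0x40, "ICON_LOCATION"))
PAD_CHARS = " \t\r\n\x0b\x0c"  # whitespace that a properties sheet renders as empty space

def extract_string_data(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file, keyed by their MS-SHLLINK names."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:  # LinkTargetIDList: 2-byte IDListSize, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: 4-byte LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1  # UTF-16LE or system code page
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:  # each field: CountCharacters (2 bytes) + unterminated String
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
            pos += 2 + count * width
    return fields

def longest_whitespace_run(s: str) -> int:
    best = run = 0
    for ch in s:
        run = run + 1 if ch in PAD_CHARS else 0
        best = max(best, run)
    return best

def is_padded_lnk(data: bytes, threshold: int = 16) -> bool:
    """True when COMMAND_LINE_ARGUMENTS buries its real content behind a long whitespace run."""
    args = extract_string_data(data).get("COMMAND_LINE_ARGUMENTS", "")
    return longest_whitespace_run(args) >= threshold

def build_lnk(arguments: str) -> bytes:
    """Constructed fixture, not a real sample: minimal Unicode LNK carrying only COMMAND_LINE_ARGUMENTS."""
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, SHELL_LINK_CLSID,
                         0x20 | IS_UNICODE, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + string_data + b"\x00\x00\x00\x00"  # empty ExtraData ends with a TerminalBlock

if __name__ == "__main__":
    sample = build_lnk(" " * 300 + "/c powershell.exe -NoProfile -Command Get-Date")  # constructed
    print("padded:", is_padded_lnk(sample), "plain:", is_padded_lnk(build_lnk("/c dir")))  # True False
```

Run it against real attachments by reading the file bytes and calling `is_padded_lnk`; argument strings long enough to trip the threshold are a triage signal, not proof of compromise.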