Between September and October 2025, the threat actor group UNC6384 launched attacks using a Windows shortcut (LNK) vulnerability to target European diplomatic and government entities. The primary targets included diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia.
Attack Techniques and Targets
The campaign began with spear-phishing emails embedding URLs that led to malicious LNK files. These files, themed around European diplomatic meetings and workshops, exploited the vulnerability identified as ZDI-CAN-25373. The targeted entities are heavily involved in defense cooperation and policy coordination. The malicious LNK files trigger a chain that ends with DLL sideloading to deploy the PlugX malware. Google Threat Intelligence Group noted some overlap between UNC6384 and Mustang Panda.
The malicious LNK files launched a PowerShell command that decoded and extracted a TAR archive and opened a decoy PDF. The archive contained a legitimate utility and a malicious DLL, CanonStager, which the utility sideloads; CanonStager in turn decrypts and loads a PlugX payload. PlugX provides remote access capabilities, including command execution and file manipulation.
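ZDI-CAN-25373 is abused by padding a shortcut's argument string with whitespace so the Windows Properties dialog shows nothing of the command that actually runs. The following is an added example, not code from the report or any vendor: a minimal parser for the LNK StringData section that flags padded arguments, a PowerShell invocation, and encoded-command switches, plus a constructed fixture builder so it can be exercised offline (the detection thresholds and regexes are my own assumptions, not published indicators).

```python
import re
import struct

# Shell Link (LNK) header constants, from the MS-SHLLINK file format.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
# StringData fields appear in this order, each gated by its LinkFlags bit.
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", HAS_ARGUMENTS), ("icon_location", 0x40))


def parse_lnk_strings(data):
    """Return the StringData fields of a Shell Link as a dict (ExtraData is not parsed)."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for name, bit in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
            raw = data[off + 2:off + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            off += 2 + count * width
    return fields


def assess_lnk(data, pad_threshold=32):
    """Flag the ZDI-CAN-25373 pattern: whitespace-padded arguments hiding a PowerShell command."""
    args = parse_lnk_strings(data).get("arguments", "")
    findings = []
    longest_ws = max((len(m) for m in re.findall(r"\s+", args)), default=0)
    if longest_ws >= pad_threshold:               # assumed threshold; legitimate args rarely pad
        findings.append(f"whitespace padding of {longest_ws} chars in arguments")
    if re.search(r"powershell|pwsh", args, re.I):
        findings.append("PowerShell invoked from shortcut arguments")
    if re.search(r"-e(?:c|nc|ncodedcommand)?\b|FromBase64String", args, re.I):
        findings.append("encoded command in arguments")
    return findings


def build_sample_lnk(arguments):
    """Constructed test fixture: a minimal Unicode Shell Link carrying only an arguments string."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    body = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header.ljust(LNK_HEADER_SIZE, b"\x00") + body
```

Run `assess_lnk(open(path, "rb").read())` over a quarantined sample; an empty list means none of the three heuristics fired, not that the shortcut is safe.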
Development and Mitigation
Arctic Wolf reported that CanonStager artifacts shrank from approximately 700 KB to 4 KB over this period, suggesting ongoing development aimed at reducing the forensic footprint. Additional tactics included the use of HTA files to load JavaScript from cloudfront.net domains. Microsoft noted that Defender and Smart App Control can mitigate the risk posed by such malicious files.
The initial report of the LNK vulnerability was made by Peter Girnus and Aliakbar Zahravi in March 2025. The strategic focus of the attacks aligns with China’s intelligence requirements, specifically around European alliance and policy cohesion.