Diplomatic entities in Belgium and Hungary hacked in China-linked spy campaign
Summary
Arctic Wolf Labs uncovered a cyber-espionage campaign attributed to UNC6384 that targeted diplomatic entities in Belgium and Hungary during September and October. Attackers used spearphishing emails themed around European Commission meetings, NATO workshops and multilateral coordination to deliver malicious files that exploited a Windows shortcut (LNK) vulnerability disclosed in March 2025. The final payload deployed PlugX, a long-standing backdoor, giving persistent access to exfiltrate documents, monitor diplomatic calendars and capture credentials. Arctic Wolf also observed related targeting in Serbia, Italy and the Netherlands and linked the campaign to tooling and infrastructure associated with Mustang Panda.
Key Points
- UNC6384, a China-affiliated threat actor, ran targeted spearphishing campaigns against diplomatic entities in Belgium and Hungary in Sept–Oct.
- Social engineering lures impersonated EU Commission, NATO and multilateral meeting agendas to entice victims to open malicious files.
- Attackers exploited a Windows LNK vulnerability disclosed in March 2025 to deliver the final payload.
- PlugX was used to establish long-term persistence, enable keylogging, upload/download files and exfiltrate sensitive diplomatic material.
- Other observed targets included Serbian aviation departments and diplomatic actors in Italy and the Netherlands; Belgium is particularly valuable due to NATO and EU institutions hosted there.
- Rapid adoption of the new exploit suggests fast development cycles by the group or possible pre-disclosure awareness of the flaw.
- The campaign shows overlap with Mustang Panda operations and continued evolution of PlugX to reduce forensic footprint.
Why should I read this?
If you work around diplomacy, defence or EU policy — or you just want to know how state hackers practically get in — this is a short, sharp update. Clever meeting invites + a recently disclosed Windows bug + PlugX backdoor = a durable espionage capability. Read it to spot the tactic chain and decide what to harden first.
Context and relevance
This incident underscores persistent state-linked espionage aimed at NATO and EU policy, procurement and readiness. It highlights two urgent trends: the rapid weaponisation of publicly disclosed vulnerabilities and the continuing refinement of long-used malware like PlugX to evade detection. Organisations handling diplomatic communications, defence cooperation or cross-border policy should prioritise phishing defences, patching LNK-related vulnerabilities and hunting for PlugX indicators of compromise.
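As an added, defender-side example that is not part of The Record article or Arctic Wolf's reporting: a small Python triage script for shortcut (.lnk) files arriving as email attachments, the delivery vehicle the campaign used. It parses the ShellLinkHeader and the StringData fields in the layout given by Microsoft's public MS-SHLLINK specification, then applies generic heuristics (a shortcut that carries command-line arguments, that points at a command or script interpreter, or whose arguments are padded with whitespace). The heuristics, the interpreter list, the `build_sample_lnk` helper and the sample shortcut bytes are assumptions constructed for this example; nothing here is tied to the specific March 2025 flaw, whose details the article does not give.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ShellLinkHeader constants from the public MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Heuristic list (assumption, not from the article): interpreters that a
# document-themed meeting "agenda" shortcut has no business launching.
INTERPRETERS = ("cmd", "powershell", "pwsh", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "msiexec")


@dataclass
class LnkSummary:
    name: Optional[str] = None
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None


def _read_string(data: bytes, offset: int, unicode: bool) -> Tuple[str, int]:
    """Read one StringData entry: uint16 CountCharacters, then the characters."""
    count = struct.unpack_from("<H", data, offset)[0]
    offset += 2
    width = 2 if unicode else 1
    raw = data[offset:offset + count * width]
    if len(raw) != count * width:
        raise ValueError("truncated StringData")
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return text, offset + count * width


def parse_lnk(data: bytes) -> LnkSummary:
    """Validate the header, skip IDList/LinkInfo, and return the StringData fields."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("shorter than a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # uint16 IDListSize, then IDListSize bytes
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                 # uint32 LinkInfoSize counts itself
        offset += struct.unpack_from("<I", data, offset)[0]
    unicode = bool(flags & IS_UNICODE)
    summary = LnkSummary()
    # StringData entries appear in this fixed order, each only if its flag is set.
    for flag, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            value, offset = _read_string(data, offset, unicode)
            setattr(summary, attr, value)
    return summary


def triage(summary: LnkSummary) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings: List[str] = []
    args = summary.arguments or ""
    target = " ".join(s for s in (summary.relative_path, summary.name) if s).lower()
    if args.strip():
        findings.append("has command-line arguments")
    if any(i in target for i in INTERPRETERS) or any(i in args.lower() for i in INTERPRETERS):
        findings.append("target or arguments reference a command/script interpreter")
    if len(args) > 200:
        findings.append(f"unusually long arguments ({len(args)} chars)")
    if args != args.strip():
        findings.append("arguments are padded with leading/trailing whitespace")
    return findings


def triage_file(path: str) -> List[str]:
    with open(path, "rb") as fh:
        return triage(parse_lnk(fh.read()))


def build_sample_lnk(relative_path: str, arguments: str = "", working_dir: str = "") -> bytes:
    """Constructed sample for testing: a minimal .lnk with only StringData populated."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    if working_dir:
        flags |= HAS_WORKING_DIR
    if arguments:
        flags |= HAS_ARGUMENTS
    header = struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0)  # size, CLSID, flags, attrs
    header += b"\x00" * 24                                  # Creation/Access/Write FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, HotKey, Reserved1-3

    def entry(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = entry(relative_path)
    if working_dir:
        body += entry(working_dir)
    if arguments:
        body += entry(arguments)
    return header + body


if __name__ == "__main__":
    benign = build_sample_lnk(r"..\Documents\agenda.docx")
    suspicious = build_sample_lnk(
        r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "-NoProfile -Command CONSTRUCTED_PLACEHOLDER", r"C:\Users\Public")
    for label, blob in (("benign", benign), ("suspicious", suspicious)):
        print(label, triage(parse_lnk(blob)) or ["no findings"])
```

Point `triage_file` at shortcuts quarantined by the mail gateway or sandbox before anyone opens them. The parser only decodes the StringData fields; shortcuts that carry their target solely in the IDList or LinkInfo structures come back with an empty `relative_path`, so treat a clean result as "nothing in StringData", not as a verdict, and decode those structures too in a full implementation.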
Author style
Punchy — this is important. The fast uptake of the exploit and clear focus on NATO/EU targets mean the technical details are worth digging into if you care about geopolitical cyber risk.
Source
Source: https://therecord.media/belgium-hungary-diplomatic-entities-hacked-unc6384
