Suspected Chinese snoops weaponize unpatched Windows flaw to spy on European diplomats
Summary
Cyber espionage group UNC6384 (also known as Mustang Panda / Twill Typhoon) exploited an unpatched Windows shortcut vulnerability disclosed in March (ZDI-CAN-25373 / CVE-2025-9491) to target European diplomats. Using highly tailored phishing lures tied to real diplomatic events, the attackers delivered malicious .lnk files that launched a three-stage chain culminating in the PlugX backdoor. PlugX was loaded through DLL sideloading by an apparently legitimately signed Canon binary whose certificate has expired but whose signature was timestamped, so it still passes signature validation.
Key Points
- In Sept–Oct 2025 UNC6384 targeted diplomats in Belgium, Hungary, Italy and the Netherlands, as well as Serbian aviation departments.
- Phishing emails used authentic-looking conference agendas as decoys and a weaponised LNK file exploiting CVE-2025-9491.
- The exploit padded the LNK COMMAND_LINE_ARGUMENTS field with whitespace so that the real command is hidden from the shortcut's properties view; the hidden command ran PowerShell to extract a tar archive containing three payload files.
- Attackers used an expired but timestamped Canon utility binary (signed by Symantec) to sideload a malicious DLL loader, which decrypted the PlugX payload.
- PlugX provides long-term remote access capabilities: command execution, data exfiltration, persistence and further payload deployment.
- Microsoft has not yet fixed the disclosed vulnerability; the campaign shows rapid adoption by a state-linked actor within six months of disclosure.
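As an added defender-side example (not code from the original article or from Arctic Wolf's report), the following Python walks the Shell Link StringData sections to recover COMMAND_LINE_ARGUMENTS and flags a long leading whitespace run of the kind the padding trick relies on. The sample shortcut is constructed in memory with a harmless command, and the 32-character threshold is an assumption for illustration.

```python
import struct
from typing import Optional

# LinkFlags bits from the MS-SHLLINK specification (section 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
PAD_CHARS = " \t\r\n\x0b\x0c"  # whitespace that pushes the real command out of the UI's view

def parse_lnk_arguments(data: bytes) -> Optional[str]:
    """Walk a Shell Link file and return its COMMAND_LINE_ARGUMENTS string, or None."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:        # LinkTargetIDList: u16 size followed by the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfo: u32 size that includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    args = None
    # StringData entries follow in this fixed order, each as u16 CountCharacters + chars
    for bit in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2 : pos + 2 + count * width]
        text = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
        pos += 2 + count * width
        if bit == HAS_ARGS:
            args = text
    return args

def padding_verdict(args: Optional[str], threshold: int = 32) -> dict:
    """Flag argument strings whose leading whitespace run is far longer than any shortcut needs."""
    if args is None:
        return {"suspicious": False, "padding": 0, "command": ""}
    stripped = args.lstrip(PAD_CHARS)
    pad = len(args) - len(stripped)
    return {"suspicious": pad >= threshold, "padding": pad, "command": stripped}

def build_sample_lnk(args: str) -> bytes:
    """Constructed test fixture (not a captured sample): header + COMMAND_LINE_ARGUMENTS only."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHELL_LINK_CLSID, HAS_ARGS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

if __name__ == "__main__":
    # Harmless command behind 400 spaces, mimicking the padding at the file-format level
    padded = build_sample_lnk(" " * 400 + "Write-Output test-only")
    print(padding_verdict(parse_lnk_arguments(padded)))
    print(padding_verdict(parse_lnk_arguments(build_sample_lnk("/c Write-Output hello"))))
```

Real shortcuts also carry a LinkTargetIDList and LinkInfo, which the parser skips by their declared sizes before reaching the StringData.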
Content Summary
Arctic Wolf Labs analysed the campaign and linked it to UNC6384, a suspected PRC-backed threat actor previously observed targeting diplomats in Southeast Asia. The chain begins with tailored phishing and a decoy PDF of a real EU meeting agenda. The LNK file runs PowerShell to unpack a tar archive containing an expired, timestamped legitimate Canon helper binary, a malicious DLL loader and an encrypted PlugX payload (cnmplog.dat). The loader uses DLL sideloading to run PlugX inside a trusted process, reducing detection by endpoint defences.
Context and Relevance
This incident sits at the intersection of classic social engineering and weaponised, long-known Windows shortcut bugs. ZDI-CAN-25373 has been abused historically by multiple state-backed groups; its exploitation here underlines how unpatched, public disclosures can be turned into active espionage quickly. The use of timestamped signed binaries to evade detection is a notable tactic that defenders must consider when hunting for intrusions.
Why should I read this
Because this is exactly the sort of sneaky, targeted trick that gets smart people at conferences owned. If you manage diplomatic, defence or government-facing endpoints (or advise people who do), this story tells you the exploit, the lure themes, and the evasion playbook — so you can stop panicking and start patching, training and hunting.
