China-Linked UNC6384 Exploits Unpatched Windows Flaw in Sophisticated Campaign Against European Diplomats
    A Chinese state-sponsored threat actor has launched a calculated cyber espionage operation targeting European diplomatic entities, weaponizing a long-exploited Windows vulnerability that Microsoft has declined to patch.
Executive Summary
Between September and October 2025, the China-affiliated threat group UNC6384 executed a targeted cyber espionage campaign against diplomatic organizations in Hungary, Belgium, Italy and the Netherlands, as well as Serbian government agencies. The operation leveraged a high-severity Windows shortcut vulnerability (CVE-2025-9491, also tracked as ZDI-CAN-25373) to deliver the PlugX remote access trojan through spear-phishing emails themed around legitimate European Commission meetings and NATO workshops.
The campaign represents a significant escalation in UNC6384's operational scope, marking the group's expansion from traditional Southeast Asian targets to European diplomatic infrastructure. Security researchers at Arctic Wolf, who uncovered the operation, assess with high confidence that this activity aligns with People's Republic of China strategic intelligence requirements concerning European alliance cohesion, defense initiatives, and multilateral policy coordination.
Threat Actor Profile: UNC6384
UNC6384, a cluster named by Google's Threat Intelligence Group, shows significant tactical and tooling overlaps with the Chinese APT group Mustang Panda (also tracked as TEMP.Hex, Bronze President, and RedDelta). That broader Mustang Panda activity has been conducting cyber espionage since at least 2012, primarily against government entities, non-governmental organizations, religious institutions, and diplomatic missions.
Key Characteristics:
- Primary Motivation: Intelligence gathering aligned with PRC strategic interests
- Historical Targets: Government agencies, NGOs, diplomatic entities, think tanks
- Geographic Focus: Previously Southeast Asia; now expanding to Europe
- Signature Malware: PlugX (SOGU.SEC variant), delivered via DLL side-loading
- Attack Sophistication: Rapid vulnerability adoption, refined social engineering, multi-stage infection chains

The technique behind CVE-2025-9491 had been in use by other actors for years before its public disclosure, so what stands out here is not novelty but speed of adoption: UNC6384 folded the publicly documented flaw into a campaign against an entirely new target set within roughly six months, which points to a group that tracks disclosed tradecraft closely and has the tooling to operationalize it quickly.
The Windows Vulnerability: CVE-2025-9491 (ZDI-CAN-25373)
At the heart of this campaign lies a deceptively simple but highly effective vulnerability in how Windows handles .LNK (shortcut) files.
Technical Details:
Vulnerability Type: User Interface Misrepresentation of Critical Information (CWE-451)
CVSS Score: 7.0 to 7.8 (High severity), depending on the scoring source
Attack Vector: Local; the victim must open the shortcut, so user interaction is required
Discovery Timeline:
- First exploited in the wild as early as 2017
- Catalogued by Trend Micro's Zero Day Initiative (ZDI) as ZDI-CAN-25373
- Reported to Microsoft by Trend Micro researchers Peter Girnus and Aliakbar Zahravi in September 2024
- Publicly disclosed in March 2025
- Assigned CVE-2025-9491 in August 2025

The Exploitation Mechanism:
The vulnerability lives in the COMMAND_LINE_ARGUMENTS string stored in the StringData section of a Windows shortcut (the MS-SHLLINK format). Attackers craft .LNK files whose command-line arguments are padded with hundreds of whitespace characters (spaces, tabs, line feeds, carriage returns) placed before the real command. When a user inspects the shortcut in Windows Explorer or the file Properties dialog, the Target field shows only the leading, harmless-looking portion; the padding pushes the actual arguments out of view, and the dialog gives no indication that more text follows.
This is not a memory-safety bug. When the shortcut is opened, Windows simply hands the full argument string, padding included, to the target program, typically a built-in interpreter such as cmd.exe or powershell.exe, which runs the hidden command with the current user's privileges. The technique defeats visual inspection, and because the launched binary is a legitimate, signed Windows component, the malicious content lives in the arguments rather than in any file that a hash-based control would catch.
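The parsing and padding described above can be made concrete with a small triage script. This is an added example, not code from the original article or from Arctic Wolf or ZDI: it builds two shortcuts in memory (one ordinary, one padded in the ZDI-CAN-25373 style), walks the ShellLinkHeader and StringData per the MS-SHLLINK layout, and splits COMMAND_LINE_ARGUMENTS into the part the Target field would show and the part the padding hides. The 32-character threshold is an assumption chosen for the demo, `/c calc.exe` is a placeholder standing in for a real dropper command, and the parser deliberately stops after StringData (it skips LinkTargetIDList and LinkInfo by their size fields and ignores ExtraData).

```python
"""Added triage example for CVE-2025-9491 / ZDI-CAN-25373-style shortcuts:
parse a .LNK file's StringData (MS-SHLLINK) and flag padded arguments."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set.
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Whitespace the public samples used for padding: space, tab, LF, VT, FF, CR.
PAD_CHARS = " \t\n\x0b\x0c\r"
MIN_PAD_RUN = 32  # assumed threshold for this demo; real lures used hundreds


def build_lnk(relative_path, arguments):
    """Constructed test input: a minimal Unicode ShellLink with RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes(ARCHIVE), 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand(SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    # Each StringData item: u16 CountCharacters + UTF-16LE text, no terminator.
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


def parse_lnk(data):
    """Return (LinkFlags, {field: text}) for the StringData of a ShellLink blob."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:   # u16 IDListSize, then the IDList bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # u32 LinkInfoSize covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return flags, fields


def inspect_arguments(arguments, min_run=MIN_PAD_RUN):
    """Split arguments into what the Target field shows and what padding hides."""
    longest = run = end_of_longest = 0
    for i, ch in enumerate(arguments):
        if ch in PAD_CHARS:
            run += 1
            if run > longest:
                longest, end_of_longest = run, i + 1
        else:
            run = 0
    if longest >= min_run:
        visible, hidden = arguments[:end_of_longest - longest], arguments[end_of_longest:]
    else:
        visible, hidden = arguments, ""
    line_breaks = any(ch in "\r\n\x0b\x0c" for ch in arguments)
    return {
        "longest_pad_run": longest,
        "has_line_breaks": line_breaks,   # practically never legitimate in a Target
        "visible": visible,
        "hidden": hidden,
        "suspicious": longest >= min_run or line_breaks,
    }


def scan_lnk(data):
    """One-call triage: parse the shortcut and assess its COMMAND_LINE_ARGUMENTS."""
    _, fields = parse_lnk(data)
    result = inspect_arguments(fields.get("arguments", ""))
    result["target"] = fields.get("relative_path", "")
    return result


# Constructed samples: an ordinary shortcut and one padded in the ZDI-CAN-25373 style.
BENIGN_LNK = build_lnk("..\\notepad.exe", "C:\\agenda.txt")
PADDED_LNK = build_lnk("..\\Windows\\System32\\cmd.exe", " " * 900 + "/c calc.exe")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, scan_lnk(blob))
```

Against real files, `scan_lnk(open(path, "rb").read())` gives the same dictionary; the `visible` value is roughly what a victim would see in the Target field and `hidden` is what actually runs. Any carriage return, line feed, vertical tab or form feed inside the arguments is flagged regardless of run length, since no legitimate shortcut puts line breaks in its Target, which makes that condition a low-noise hunting rule on its own.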
Microsoft's Controversial Decision:
Despite being informed of active exploitation by at least 11 state-sponsored threat groups from North Korea, Iran, Russia, and China, Microsoft determined the vulnerability "does not meet the bar for immediate servicing." The company stated they would consider addressing it in a future feature release but provided no definitive timeline.
Microsoft's rationale appears to stem from backward-compatibility concerns: changing how the shortcut UI renders or truncates arguments could break legacy applications that depend on the current .LNK handling. In lieu of a patch, Microsoft has pointed to existing Defender detections and to Smart App Control, which blocks untrusted files downloaded from the internet. Both are partial mitigations: Smart App Control is only available on clean Windows 11 installations, and Defender signatures catch known samples rather than the padding technique itself, so organizations should pair them with their own controls (for example, blocking or quarantining .LNK files arriving by email or in downloaded archives, and alerting on shortcuts that launch script interpreters).
This decision has drawn criticism from security researchers, particularly as evidence mounts showing the vulnerability's continued exploitation across numerous high-profile campaigns targeting organizations in government, financial, telecommunications, military, and energy sectors worldwide.
Attack Chain Analysis
UNC6384's operation against European diplomats is a carefully staged delivery chain that combines social engineering, abuse of legitimate infrastructure, and evasion techniques across several stages.
Stage 1: Initial Compromise - Spear-Phishing
The attack begins with carefully crafted spear-phishing emails containing embedded URLs. These emails leverage authentic diplomatic themes to establish credibility and encourage target engagement:
- European Commission meeting agendas (e.g., "Meeting 26 Sep Brussels" regarding EU-Western Balkans border crossing facilitation)
- NATO-related workshops on defense procurement and security cooperation
- Multilateral diplomatic coordination events
- European Political Community activities

The level of detail in these lures suggests the attackers possess intimate knowledge of diplomatic calendars, event themes, and the specific interests of targeted personnel. In several instances, the malicious files referenced actual scheduled meetings, lending authenticity to the social engineering component.