UNC6384 Exploits Windows LNK Vulnerability (CVE-2025-9491) to Target European Diplomatic Entities
- Rescana
- 2 days ago
- 4 min read

Executive Summary
A highly sophisticated cyber-espionage campaign orchestrated by the Chinese-affiliated threat group UNC6384 has been observed targeting European diplomatic entities. The campaign leverages a recently disclosed Windows shortcut vulnerability, ZDI-CAN-25373 (now tracked as CVE-2025-9491), to deliver the notorious PlugX remote access trojan (RAT) through advanced spearphishing and social engineering tactics. The operation demonstrates rapid vulnerability weaponization, advanced evasion techniques, and a clear focus on intelligence collection aligned with the strategic interests of the People’s Republic of China. The attack chain exploits the Windows LNK file format to bypass user scrutiny and endpoint defenses, ultimately achieving persistent, covert access to high-value diplomatic networks.
Threat Actor Profile
UNC6384 is a Chinese-nexus advanced persistent threat (APT) group with significant overlaps with the well-known Mustang Panda (also tracked as TEMP.Hex). The group is characterized by its rapid adoption of zero-day and n-day vulnerabilities, use of sophisticated malware such as PlugX, and a focus on intelligence gathering from government, diplomatic, and policy organizations. UNC6384 is known for its operational agility, leveraging legitimate software for DLL side-loading, and employing advanced anti-analysis and evasion techniques. The group’s infrastructure and malware development practices indicate a high degree of technical capability and access to custom toolchains, with a clear alignment to Chinese state interests.
Technical Analysis of Malware/TTPs
The attack begins with a spearphishing email, often themed around real diplomatic events such as European Commission meetings or NATO summits. The email contains a malicious .LNK (shortcut) file exploiting CVE-2025-9491. This vulnerability allows the attacker to craft LNK files with manipulated whitespace in the COMMAND_LINE_ARGUMENTS structure, making malicious content invisible to users inspecting the file via the Windows UI. When the victim opens the LNK file, obfuscated PowerShell code is executed, which decodes and extracts a tar archive containing three key components: a legitimate, signed Canon printer assistant utility (cnmpaui.exe), a malicious DLL (cnmpaui.dll), and an encrypted PlugX payload (cnmplog.dat). A decoy PDF is displayed to the victim to mask malicious activity.
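The following Python script is an added illustration of the LNK detection angle described above; it is not code from Rescana or from any vendor cited in this report. It walks the public Shell Link layout (76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData sections in their fixed order) and flags a long whitespace run inside COMMAND_LINE_ARGUMENTS, which is the pattern that hides the real arguments from the Windows UI. The two .LNK blobs are constructed by the script itself, and the 64-character minimum run is a tuning assumption, not a documented threshold.

```python
"""Parse a Shell Link (.LNK) and flag whitespace-padded COMMAND_LINE_ARGUMENTS.
Added example: layout follows the public MS-SHLLINK format; sample files are constructed."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_DATA_ORDER = (  # StringData sections always appear in this order
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags plus every StringData string present in the file."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a Shell Link header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    result = {"flags": flags}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            result[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            result[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return result


def find_padded_arguments(lnk: dict, min_run: int = 64):
    """Flag a run of at least min_run whitespace characters inside the arguments.

    A long run of space/tab/CR/LF/VT/FF followed by more text pushes the real
    arguments past what the Windows UI displays. min_run is an assumed threshold.
    """
    args = lnk.get("arguments", "")
    m = re.search(r"[ \t\r\n\x0b\x0c]{%d,}" % min_run, args)
    if not m:
        return None
    return {
        "visible_prefix": args[:m.start()].rstrip(),
        "padding_chars": m.end() - m.start(),
        "hidden_suffix": args[m.end():],
        "total_length": len(args),
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .LNK carrying only RELATIVE_PATH and
    COMMAND_LINE_ARGUMENTS StringData (constructed test input, not a capture)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # attrs, 3 times, size, icon, SW_SHOWNORMAL, reserved
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments)


PADDING = " \t" * 150                          # 300 characters of mixed spaces and tabs (constructed)
SUSPECT_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe",
                        "/c start notepad.exe" + PADDING + "& echo CONSTRUCTED-HIDDEN-ARGS")
CLEAN_LNK = build_lnk(r"..\..\Windows\notepad.exe", r"C:\Users\Public\agenda.txt")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_LNK), ("suspect", SUSPECT_LNK)):
        print(label, find_padded_arguments(parse_lnk(blob)))
```

Run over a mail-gateway quarantine or a file share by reading each .LNK into `parse_lnk` and passing the result to `find_padded_arguments`; the returned `visible_prefix` is what a user would have seen in the Properties dialog, and `hidden_suffix` is what actually runs.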
The DLL side-loading technique is central to the attack: the legitimate Canon binary loads the malicious DLL, which in turn decrypts and injects the PlugX RAT into memory. Persistence is achieved by creating a registry Run key (Software\Microsoft\Windows\CurrentVersion\Run\CanonPrinter) that points to the malware, typically hidden at a path such as AppData\Roaming\SamsungDriver\cnmpaui.exe. The PlugX RAT establishes command and control (C2) over HTTPS (port 443), communicating with domains such as racineupci[.]org, dorareco[.]net, and others. The malware is highly modular, supporting full remote access, keylogging, file exfiltration, system reconnaissance, and plugin-based extensibility. Advanced anti-analysis features include control-flow flattening, API hashing, runtime string decryption, and anti-debugging routines.
Exploitation in the Wild
The campaign has been observed targeting diplomatic entities in Hungary, Belgium, Serbia, Italy, and the Netherlands, with a broader focus on the European diplomatic community. The attackers use highly realistic lures, such as invitations to diplomatic events and meeting agendas, to increase the likelihood of successful compromise. The use of PlugX enables persistent access, data exfiltration, and ongoing intelligence collection. Notably, UNC6384 weaponized CVE-2025-9491 within six months of its public disclosure, underscoring the group’s agility and technical sophistication. The campaign’s infrastructure leverages both compromised and attacker-controlled domains, as well as cloud-based delivery mechanisms, to evade detection and maximize operational resilience.
Victimology and Targeting
The primary victims are European diplomatic and governmental organizations, with confirmed incidents in Hungary and Belgium and evidence of targeting in Serbia, Italy, and the Netherlands. The selection of targets aligns with Chinese strategic interests in European political and diplomatic affairs. The attackers demonstrate a nuanced understanding of their targets, crafting spearphishing lures that reference real-world events and using language and formatting consistent with legitimate diplomatic communications. The campaign’s focus on high-value diplomatic entities suggests a clear intent to collect sensitive political, economic, and strategic intelligence.
Mitigation and Countermeasures
Organizations are strongly advised to implement a multi-layered defense strategy to mitigate the risk posed by this campaign. First, block and monitor all known C2 domains and delivery infrastructure associated with UNC6384 and PlugX, including racineupci[.]org, dorareco[.]net, naturadeco[.]net, cseconline[.]org, vnptgroup[.]it.com, and paquimetro[.]net, as well as cloud delivery endpoints such as mydownload.z29[.]web.core.windows[.]net and d32tpl7xt7175h[.]cloudfront[.]net. Conduct threat hunting for the presence of Canon printer binaries in unusual locations, especially when accompanied by cnmpaui.dll and cnmplog.dat. Disable automatic resolution of .LNK files in Windows Explorer for users with access to sensitive data, and educate users on the risks associated with opening unsolicited shortcut files.
Security teams should search for the creation of the registry key Software\Microsoft\Windows\CurrentVersion\Run\CanonPrinter, the presence of suspicious directories such as AppData\Roaming\SamsungDriver, and mutexes like uUbAmgDu and esUdgquBv. Monitor outbound traffic for the specific User-Agent string used by PlugX (Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0; ...)). If any indicators of compromise are detected, immediately isolate affected systems and perform comprehensive forensic analysis to identify and eradicate PlugX and related artifacts.
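The script below is an added hunting example covering the network and host indicators from the two preceding paragraphs; it is not Rescana's code. The domains, registry value name, directory name, file names and User-Agent prefix are taken from this report; the proxy-log layout, the Run-key entries and the file listing are constructed samples. Because the report prints the PlugX User-Agent truncated with "...", the match is on the visible prefix only, which legacy clients can also send, so treat a User-Agent-only hit as a lead rather than a verdict.

```python
"""Hunt helpers for the UNC6384 / PlugX indicators listed in this report.
Added example: indicator values come from the report; the proxy log, Run-key
entries and file listing below are constructed samples, not real telemetry."""
import re

C2_DOMAINS = {
    "racineupci.org", "dorareco.net", "naturadeco.net", "cseconline.org",
    "vnptgroup.it.com", "paquimetro.net",
    "mydownload.z29.web.core.windows.net", "d32tpl7xt7175h.cloudfront.net",
}
# The report truncates the PlugX User-Agent with "..."; match on the visible prefix only.
PLUGX_UA_PREFIX = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0;"
RUN_VALUE_NAME = "canonprinter"                       # compared case-insensitively
SUSPECT_DIR_FRAGMENT = r"appdata\roaming\samsungdriver"
# Constructed proxy-log layout (assumption): time src_ip dest_host dest_port "user-agent"
PROXY_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "(.*)"$')


def host_matches(host: str, domains) -> bool:
    """True for the domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def hunt_proxy_log(lines):
    """One finding per log line that hits a C2/delivery domain or the PlugX UA prefix."""
    findings = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue
        ts, src, host, _port, ua = m.groups()
        reasons = []
        if host_matches(host, C2_DOMAINS):
            reasons.append("known C2/delivery domain")
        if ua.startswith(PLUGX_UA_PREFIX):
            reasons.append("PlugX User-Agent prefix")
        if reasons:
            findings.append({"time": ts, "src": src, "host": host, "reasons": reasons})
    return findings


def hunt_run_entries(entries: dict):
    """entries maps value name -> command, as enumerated from ...\\CurrentVersion\\Run."""
    findings = []
    for name, command in entries.items():
        cmd = command.lower()
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("Run value named CanonPrinter")
        if SUSPECT_DIR_FRAGMENT in cmd:
            reasons.append("points into AppData\\Roaming\\SamsungDriver")
        if "cnmpaui.exe" in cmd and "\\program files" not in cmd:
            reasons.append("Canon utility launched from outside Program Files")
        if reasons:
            findings.append({"value": name, "command": command, "reasons": reasons})
    return findings


def hunt_file_listing(paths):
    """Directories holding cnmpaui.exe next to cnmpaui.dll outside Program Files."""
    by_dir = {}
    for p in paths:
        d, _, f = p.lower().rpartition("\\")
        by_dir.setdefault(d, set()).add(f)
    return sorted(d for d, files in by_dir.items()
                  if {"cnmpaui.exe", "cnmpaui.dll"} <= files and "\\program files" not in d)


SAMPLE_PROXY_LOG = [  # constructed
    '2025-10-30T09:12:01Z 10.0.5.17 racineupci.org 443 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0; CONSTRUCTED)"',
    '2025-10-30T09:12:05Z 10.0.5.18 www.example.org 443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) CONSTRUCTED"',
    '2025-10-30T09:13:11Z 10.0.5.17 d32tpl7xt7175h.cloudfront.net 443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) CONSTRUCTED"',
]
SAMPLE_RUN_ENTRIES = {  # constructed
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "CanonPrinter": r"C:\Users\alice\AppData\Roaming\SamsungDriver\cnmpaui.exe",
}
SAMPLE_FILES = [  # constructed; the Program Files pair stands in for a legitimate install
    r"C:\Users\alice\AppData\Roaming\SamsungDriver\cnmpaui.exe",
    r"C:\Users\alice\AppData\Roaming\SamsungDriver\cnmpaui.dll",
    r"C:\Users\alice\AppData\Roaming\SamsungDriver\cnmplog.dat",
    r"C:\Program Files\Canon\PrinterAssistant\cnmpaui.exe",
    r"C:\Program Files\Canon\PrinterAssistant\cnmpaui.dll",
]

if __name__ == "__main__":
    print(hunt_proxy_log(SAMPLE_PROXY_LOG))
    print(hunt_run_entries(SAMPLE_RUN_ENTRIES))
    print(hunt_file_listing(SAMPLE_FILES))
```

On a live Windows host, populate the `entries` dict for `hunt_run_entries` by enumerating the HKCU and HKLM Run keys (for example with `winreg.EnumValue`), feed `hunt_file_listing` a recursive listing of user profiles, and adapt `PROXY_LINE` to the real column order of the exported proxy log. The mutex names uUbAmgDu and esUdgquBv are checked with a handle-enumeration tool on the endpoint, which this script does not do.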
Patch all Windows systems promptly, prioritizing updates that address CVE-2025-9491 and related LNK file vulnerabilities. Employ endpoint detection and response (EDR) solutions capable of detecting DLL side-loading, PowerShell abuse, and in-memory malware injection. Leverage YARA rules, such as the one provided by Arctic Wolf Labs, to detect PlugX variants associated with this campaign.
About Rescana
Rescana empowers organizations to proactively manage third-party cyber risk with a comprehensive TPRM platform that delivers continuous monitoring, actionable intelligence, and automated risk assessment. Our platform enables security teams to identify, prioritize, and mitigate threats across their extended supply chain, ensuring resilience against advanced adversaries and emerging vulnerabilities.
For further information or assistance, we are happy to answer questions at ops@rescana.com.