Full Report
A China-linked hacking group is exploiting a Windows zero-day in attacks targeting European diplomats in Hungary, Belgium, and other European nations. [...]
Analysis Summary
# Threat Actor: UNC6384 (Mustang Panda)
## Attribution & Identity
* **Attribution:** China-linked state-backed cyber espionage threat actor.
* **Known Aliases and Associated Groups:** UNC6384, Mustang Panda.
* **Associations:** The source lists other threat groups reported to have abused the same LNK flaw (CVE-2025-9491): Evil Corp, APT43 (Kimsuky), Bitter, APT37, SideWinder, RedHotel, and Konni. These are separate actors (Evil Corp is a criminal group, not a state-sponsored one); the page draws no operational link between them and UNC6384 beyond shared use of the vulnerability.
## Activity Summary
This actor is actively exploiting a high-severity Windows zero-day vulnerability (CVE-2025-9491) against diplomatic entities in Europe. The campaign involves spearphishing emails designed to deliver malicious LNK files disguised as diplomatic or defense-related documents (e.g., NATO defense procurement workshops, European Commission border facilitation meetings). The objective is cyber-espionage, monitoring communications, and stealing sensitive data.
## Tactics, Techniques & Procedures
* **Initial Access:** Spearphishing emails delivering malicious `.LNK` files.
* **Exploitation:** Abusing the Windows LNK vulnerability (CVE-2025-9491) so that opening the shortcut runs attacker-chosen commands. Code execution still depends on the victim opening the file, which is why the exploit is paired with convincing lure documents rather than being a truly remote, interactionless attack.
* **Specific TTP:** Hiding the malicious command line inside the `COMMAND_LINE_ARGUMENTS` StringData field of the `.LNK` file behind long runs of whitespace characters (spaces, tabs, line feeds and similar), so the arguments are not visible in the Windows shortcut Properties dialog and naive string inspection of the file misses them.
* **Execution & Persistence:** Deployment of the PlugX Remote Access Trojan (RAT) for system compromise and persistence.
* **Objective:** Cyber-espionage and data theft.
* **MITRE ATT&CK IDs:** Not given in the source. The described behavior maps to Phishing: Spearphishing Attachment (T1566.001), User Execution: Malicious File (T1204.002) and Masquerading (T1036) for the lure documents, followed by command-and-control and exfiltration activity carried out by PlugX.
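The padded-argument TTP above is easy to verify on disk once the Shell Link binary format is parsed, and the same parser doubles as the endpoint hunting check suggested under Mitigations. The following is an added example, not code from the report, Arctic Wolf Labs or the threat actor: it walks the MS-SHLLINK header, skips the optional IDList and LinkInfo blocks, reads the StringData fields in their fixed order, and flags a `COMMAND_LINE_ARGUMENTS` value whose longest whitespace run exceeds an assumed threshold of 32 characters. The two sample shortcuts are constructed by `build_lnk` for demonstration; they carry only an arguments field and are not real lure files, and the hidden command in the padded sample is a harmless placeholder.

```python
"""Parse a Windows .LNK (MS-SHLLINK) file and flag COMMAND_LINE_ARGUMENTS
padded with long whitespace runs, the evasion described for CVE-2025-9491.
Added example; the samples below are constructed, not real lures."""
import struct

HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as laid out on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags (MS-SHLLINK 2.1.1) that this parser needs
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each present only if its flag is set
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

# Characters used as padding so the Properties dialog shows an empty argument area
PAD_CHARS = " \t\n\r\x0b\x0c"


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file, keyed by field name."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad ShellLinkHeader")
    if data[4:20] != LNK_CLSID:
        raise ValueError("LinkCLSID mismatch: not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData for {name}")
        off += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def triage_lnk(data: bytes, max_run: int = 32) -> dict:
    """Flag arguments whose longest whitespace run reaches max_run (assumed threshold)."""
    args = parse_lnk(data).get("arguments", "")
    longest = run = 0
    for ch in args:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    return {
        "suspicious": longest >= max_run,
        "longest_whitespace_run": longest,
        "hidden_command": args.strip(PAD_CHARS),   # what actually runs when opened
    }


def build_lnk(arguments: str, unicode: bool = True) -> bytes:
    """Construct a minimal .LNK carrying only COMMAND_LINE_ARGUMENTS (test fixture, not an implant)."""
    flags = HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand=1 (SW_SHOWNORMAL)
    encoded = arguments.encode("utf-16-le" if unicode else "cp1252")
    return header + struct.pack("<H", len(arguments)) + encoded


# Constructed samples: a padded argument string in the style of the reported lures, and a clean one
HIDDEN_ARGS = '/c powershell -w hidden -c "echo constructed-demo"'
PADDED_SAMPLE = build_lnk(" " * 200 + "\t\n\r\x0b\x0c" * 40 + HIDDEN_ARGS)
CLEAN_SAMPLE = build_lnk("/c echo hello", unicode=False)

if __name__ == "__main__":
    for label, blob in (("padded", PADDED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, triage_lnk(blob))
```

Run against a directory of quarantined attachments, `triage_lnk` gives both a verdict and the de-padded command line, which is the string to feed into the rest of the analysis. Legitimate shortcuts essentially never contain dozens of consecutive whitespace characters in their arguments, so the threshold can be kept low without generating noise; the parser deliberately stops after StringData because the ExtraData blocks that follow are irrelevant to this check.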
## Targeting
* **Sectors:** Diplomatic entities, Government agencies.
* **Geography:** European nations, specifically mentioning initial focus on Hungary and Belgium, later expanding to include organizations in Serbia, Italy, and the Netherlands.
* **Victims:** European diplomats, Serbian government agencies, and diplomatic entities from Italy and the Netherlands.
## Tools & Infrastructure
* **Malware Families Used:** PlugX (RAT).
* **Other Payloads/Loaders:** Ursnif, Gh0st RAT and Trickbot are named in the source only in connection with the broader exploitation of CVE-2025-9491 by other actors; nothing on the page ties them to UNC6384's campaign.
* **Infrastructure:** C2 infrastructure identified by Arctic Wolf Labs; the specific indicators are not reproduced in this summary.
## Implications
The active exploitation of a zero-day vulnerability (CVE-2025-9491) against high-value diplomatic targets indicates a sophisticated, well-resourced espionage operation aligned with Chinese strategic interests. Because no vendor fix for the high-severity flaw was available at the time of reporting, endpoints cannot be protected by patching alone, which leaves diplomatic networks dependent on attachment filtering, C2 blocking and endpoint detection until an update ships.
## Mitigations
* Block `.LNK` files at the email gateway, including inside archive attachments, and restrict execution of shortcuts that originate from the internet wherever business processes allow.
* Block connections to the C2 infrastructure identified by Arctic Wolf Labs.
* Monitor endpoints for activity indicative of PlugX RAT execution or persistence, and inspect inbound `.LNK` files for command-line arguments hidden behind long runs of whitespace, the signature of this exploit.