China-linked UNC6384 exploits Windows zero-day to spy on European diplomats

Pierluigi Paganini November 01, 2025

A China-linked APT group UNC6384 exploits a Windows zero-day in an active cyber espionage targeting European diplomats.

Arctic Wolf Labs researchers uncovered a cyber espionage campaign by China-linked APT UNC6384 targeting diplomatic entities in Hungary, Belgium, and other EU nations.

UNC6384, a China-nexus actor recently detailed by Google TAG, has expanded from targeting Southeast Asian diplomats to European entities. The actor uses sophisticated chains combining social engineering, signed loaders, and memory-resident malware. It primarily deploys PlugX (SOGU.SEC), a family linked to Mustang Panda, and shares tactics, infrastructure, and PRC-aligned targeting patterns with that group.

The campaign started in September and is still active. The threat actors exploited a Windows shortcut flaw (ZDI-CAN-25373) via phishing emails carrying malicious LNK files themed around EU and NATO events, deploying the PlugX RAT through DLL side-loading of legitimate Canon utilities.

The ZDI-CAN-25373 vulnerability (aka ZDI-25-148) allows attackers to execute hidden malicious commands on a victim's machine by leveraging crafted shortcut files.

In March 2025, Trend Micro researchers reported that the vulnerability had been exploited by state-sponsored APT groups from North Korea, Iran, Russia, and China. Organizations across the government, financial, telecommunications, military, and energy sectors have been affected in North America, Europe, Asia, South America, and Australia.

Arctic Wolf Labs now reports that UNC6384 swiftly weaponized the ZDI-CAN-25373 Windows vulnerability, integrating it into operations within six months of its March 2025 disclosure.

The attack chain described by Arctic Wolf Labs has three stages. Attackers exploit ZDI-CAN-25373 via a weaponized LNK. The LNK launches an obfuscated PowerShell script that drops and extracts a tar archive (rjnlzlkfe.ta) to %AppData%\Local\Temp, executes cnmpaui.exe, and displays a decoy PDF (an EU meeting agenda).
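As an added illustration, not code from Arctic Wolf Labs or from this article, here is a small Python detector for the shortcut-file trick the campaign relies on. The public ZDI-25-148 advisory describes the flaw as whitespace padding inside a shortcut's COMMAND_LINE_ARGUMENTS string, so that the Windows Properties dialog shows only the text before the padding while the full string is executed. The parser below walks the StringData section of a .lnk according to the MS-SHLLINK layout and flags any argument string containing a long whitespace run; the `build_lnk` helper and the sample argument strings are constructed for the demonstration, and the 16-character threshold is an assumed tuning value.

```python
import re
import struct

# Layout constants from the MS-SHLLINK format: the ShellLinkHeader is 76 bytes,
# the LinkCLSID occupies bytes 4..19 and LinkFlags is the 32-bit field at offset 20.
HEADER_SIZE = 76
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_LINK_TARGET_ID_LIST = 1 << 0
FLAG_HAS_LINK_INFO = 1 << 1
FLAG_HAS_NAME = 1 << 2
FLAG_HAS_RELATIVE_PATH = 1 << 3
FLAG_HAS_WORKING_DIR = 1 << 4
FLAG_HAS_ARGUMENTS = 1 << 5
FLAG_HAS_ICON_LOCATION = 1 << 6
FLAG_IS_UNICODE = 1 << 7
# StringData entries appear in this fixed order, each only if its flag is set.
STRING_FIELDS = (
    (FLAG_HAS_NAME, "name"),
    (FLAG_HAS_RELATIVE_PATH, "relative_path"),
    (FLAG_HAS_WORKING_DIR, "working_dir"),
    (FLAG_HAS_ARGUMENTS, "arguments"),
    (FLAG_HAS_ICON_LOCATION, "icon_location"),
)


def _read_string(buf, off, is_unicode):
    """Read one StringData entry: a 16-bit character count followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    width = 2 if is_unicode else 1
    raw = buf[off:off + count * width]
    if len(raw) != count * width:
        raise ValueError("truncated StringData entry")
    text = raw.decode("utf-16-le") if is_unicode else raw.decode("latin-1")
    return text, off + count * width


def parse_lnk_strings(data):
    """Return the StringData fields present in a .lnk as a dict."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    (flags,) = struct.unpack_from("<I", data, 20)
    off = HEADER_SIZE
    if flags & FLAG_HAS_LINK_TARGET_ID_LIST:   # skip the IDList (2-byte size prefix)
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & FLAG_HAS_LINK_INFO:             # skip LinkInfo (4-byte size at its start)
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    is_unicode = bool(flags & FLAG_IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], off = _read_string(data, off, is_unicode)
    return fields


def find_padding(args, threshold):
    """(start, end) of the longest whitespace run of at least `threshold` chars, else None."""
    runs = list(re.finditer(r"[ \t\r\n\x0b\x0c]{%d,}" % threshold, args))
    if not runs:
        return None
    longest = max(runs, key=lambda m: m.end() - m.start())
    return longest.start(), longest.end()


def assess_lnk(data, threshold=16):
    """Flag a shortcut whose arguments hide a command behind a long whitespace run."""
    fields = parse_lnk_strings(data)
    args = fields.get("arguments", "")
    run = find_padding(args, threshold)
    if run is None:
        return {"suspicious": False, "longest_whitespace_run": 0,
                "visible_arguments": args, "hidden_tail": ""}
    start, end = run
    return {"suspicious": True, "longest_whitespace_run": end - start,
            "visible_arguments": args[:start].rstrip(),  # what the Properties dialog shows
            "hidden_tail": args[end:].strip()}           # what actually runs after the padding


def build_lnk(arguments, target="powershell.exe", is_unicode=True):
    """Constructed test sample: a minimal shell link with only a relative path and arguments."""
    flags = FLAG_HAS_RELATIVE_PATH | FLAG_HAS_ARGUMENTS | (FLAG_IS_UNICODE if is_unicode else 0)
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, 20, flags)

    def enc(s):
        raw = s.encode("utf-16-le") if is_unicode else s.encode("latin-1")
        return struct.pack("<H", len(s)) + raw

    return bytes(header) + enc(target) + enc(arguments)


if __name__ == "__main__":
    benign = build_lnk("-NoProfile -File agenda.ps1")
    padded = build_lnk("-NoProfile" + " " * 300 + "-c Write-Host placeholder-hidden-command")
    for sample in (benign, padded):
        print(assess_lnk(sample))
```

Run this over mail-attachment quarantines or archive extractions rather than relying on the shortcut's Properties view; a shortcut whose `arguments` field has a hidden tail should be treated as malicious regardless of what the visible portion looks like.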

The tar archive contains a signed Canon utility (cnmpaui.exe), a malicious loader DLL (cnmpaui.dll), and an encrypted blob (cnmplog.dat). The attacker abuses DLL side-loading: the legitimate PE (signed by Symantec; the certificate was valid 2015–2018 and the signature is timestamped) loads the planted cnmpaui.dll, which decrypts the RC4-encrypted cnmplog.dat using a hardcoded 16-byte key and maps the PlugX payload into the signed process's memory. Executing in memory through DLL side-loading and encrypted payloads lets PlugX run stealthily and evade reputation-based defenses.
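An added analyst helper for triaging a blob like cnmplog.dat; this is not Arctic Wolf Labs' tooling and the article does not disclose the key. Once the 16-byte RC4 key has been recovered from the loader DLL, the step an analyst wants is to decrypt the blob and confirm the result is a PE image rather than more junk. The code below implements textbook RC4, a minimal MZ/PE header check, and a `triage_blob` routine that tries candidate keys; `CONSTRUCTED_KEY` and `fake_pe_image` are placeholders built for the demonstration.

```python
import struct

# The loader is reported to decrypt cnmplog.dat with RC4 under a hardcoded 16-byte key.
KEY_LENGTH = 16


def rc4(key, data):
    """Textbook RC4 (KSA then PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                     # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob):
    """True if blob starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_blob(blob, candidate_keys):
    """Try each 16-byte candidate key; report the first one that yields a PE image."""
    for key in candidate_keys:
        if len(key) != KEY_LENGTH:
            raise ValueError("expected a %d-byte key, got %d bytes" % (KEY_LENGTH, len(key)))
        plain = rc4(key, blob)
        if looks_like_pe(plain):
            return {"decrypted": True, "key": key.hex(), "payload_size": len(plain)}
    return {"decrypted": False, "key": None, "payload_size": 0}


def fake_pe_image():
    """Constructed stand-in for a PlugX payload: an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew = 0x80
    return bytes(dos) + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 60


CONSTRUCTED_KEY = b"ConstructedKey16"   # placeholder; the real key is not in the report


if __name__ == "__main__":
    blob = rc4(CONSTRUCTED_KEY, fake_pe_image())     # stands in for cnmplog.dat
    print(triage_blob(blob, [b"WrongKey_Wrong16", CONSTRUCTED_KEY]))
```

In practice the candidate list comes from strings or immediates pulled out of cnmpaui.dll; a decrypted image that passes `looks_like_pe` can then be handed to a PE parser, and the file hash of the decrypted payload is a far more stable indicator than the encrypted blob, which an operator can re-key at will.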

The researchers reported that the CanonStager loaders evolved from complex TLS/TLS-based designs to compact 4KB variants, reducing their forensic footprint.

“C2 infrastructure includes racineupci[.]org, dorareco[.]net, naturadeco[.]net, and additional domains.” reads the report published by Arctic Wolf Labs. “The CanonStager loader evolved from approximately 700KB to 4KB in size between September and October 2025, indicating active development.”

Delivery also occurred via HTA files and CloudFront-hosted JavaScript. Targets included diplomatic entities across Hungary, Belgium, Serbia, Italy, and the Netherlands, lured with EU/NATO-themed decoys. The attackers used a distributed infrastructure relying on legitimate-looking domains and HTTPS to hinder takedown and detection.

The researchers attribute the campaign with high confidence to UNC6384. The compromises of European diplomatic entities carry serious national security risks, enabling sustained intelligence collection, strategic advantage, and potential influence operations.

“Infrastructure analysis and malware sample pivoting conducted by Arctic Wolf Labs and recently documented by StrikeReady researchers indicates this campaign extends beyond Hungarian and Belgian diplomatic targeting to encompass broader European diplomatic entities, including Serbian government agencies, Italian diplomatic entities, Netherlands diplomatic organizations, and likely additional targets not yet identified through available telemetry.” concludes the report. “The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, UNC6384)
Source: https://securityaffairs.com/184083/apt/china-linked-unc6384-exploits-windows-zero-day-to-spy-on-european-diplomats.html