UNC6384 Exploits Windows Vulnerability to Target European Diplomats

UNC6384, a China-linked threat actor, has been targeting European diplomatic entities in Hungary and Belgium in a cyber-espionage campaign since September.

The group incorporated the exploitation of CVE-2025-9491, a high-severity Windows vulnerability, in its attacks, alongside what Arctic Wolf researchers are referring to as “refined social engineering.”

The researchers note that the group’s willingness to use vulnerabilities that are publicly known and have been actively exploited by multiple nation-state actors indicates that the group is confident in its success even with increased defender awareness.

The attack chain first starts with spear-phishing emails containing a URL that ultimately delivers malicious LNK files. These files are meant to imitate European Commission meetings, as well as NATO-related workshops and diplomatic events, with authentic details designed to lure targeted individuals.  

The files exploit the Windows vulnerability before executing obfuscated PowerShell commands that deploy a malware chain. This ultimately results in the deployment of PlugX remote access Trojan (RAT).

The campaign, according to Arctic Wolf researchers, is expanding across the broader diplomatic community within Europe, such as Italy and the Netherlands, as well as government agencies in Serbia. UNC6384’s previous activity involved targeting diplomats in Southeast Asia.

Related:Ribbon Communications Breach Marks Latest Telecom Attack

The group specializes in the deployment of PlugX malware variants, which the researchers consider a favorite tool among Chinese threat actors. PlugX, which was first observed in 2008, allows for a variety of a remote access capabilities, including command execution, persistence establishment, keylogging, and more. The malware is also known as Destroy RAT, SOGU, Kaba, Korplug, and TIGERPLUG and is capable of implementing anti-analysis techniques and anti-debugging checks to evade detection.

At the start of this year, the US Justice Department and the FBI concluded its efforts in deleting the PlugX malware off of thousands of devices globally. The operation targeted the work of threat groups such as Mustang Panda and Twill Typhoon, which used the malware to infect users’ devices and steal information. 

Now, as UNC6384 continues to rapidly adopt vulnerability exploits and other techniques, as well as expand globally, users and organizations will need to implement mitigation measures. To mitigate such attacks, the researchers recommend organizations, especially those in government and diplomatic sectors, review and block the command-and-control (C2) infrastructures listed in the report, conduct searches across endpoint environments, and continue security awareness training.

Related:Dentsu Subsidiary Breached, Employee Data Stolen

Should these threat actors become successful in their attacks, this could lead to long term implications such as “exfiltration of classified or sensitive documents, monitoring of real-time policy discussions and decision-making processes, collection of credentials for accessing diplomatic networks and partner systems, and surveillance of diplomatic calendars and travel plans” the researchers wrote in the report.