EU diplomats targeted by Chinese attackers via Windows exploit

The Chinese cyber threat UNC6384 was already known to target diplomats in Southeast Asia. Now it appears that the group is also interested in European countries. For two months, UNC6384 attacked Dutch, Belgian, Italian, Hungarian, and Serbian targets. Compromises were made via a Windows vulnerability that has been known for some time.

The vulnerability exploited is ZDI-CAN-25373. We wrote about it in March, when it became clear that Microsoft was not going to do anything about it. A Trend Micro researcher stated at the time that a solution would be “incredibly difficult.” It involves sending malicious .lnk files, shortcuts that contain commands to download malware. Once again, a cyber attacker, namely UNC6384, appears to be exploiting this problem.

The campaign by the Chinese attacker, also known as “Mustang Panda,” began with spearphishing emails that reached executives in diplomatic services. These emails contained the malicious .lnk files, packaged as invitations to European Commission meetings and NATO workshops. Using hidden PowerShell commands, they loaded the PlugX remote access trojan (RAT).

The attack chain has more layers than that. After the .lnk file runs, a tar archive is decrypted that contains a legitimate Canon tool carrying a valid digital signature. This signed binary is abused via DLL side-loading to execute malicious code: the RC4-encrypted PlugX payload is decrypted and runs in memory inside the trusted Canon process.

Targets and motives

The campaign shows a tactical evolution of UNC6384, Arctic Wolf Labs notes. Whereas the group was previously active in Southeast Asia, it is now focusing on Europe. Hungary and Belgium are confirmed targets, but Serbia, Italy, and the Netherlands have also been targeted. The themes of the lures are telling: border control between the EU and the Western Balkans, defense procurement, and diplomatic coordination.

Google’s Threat Intelligence Group tracked down UNC6384/Mustang Panda this summer. UNC6384 and Mustang Panda appear to be the same group. In any case, they share targeting profiles, infrastructure, and the use of PlugX malware. The rapid adoption of a recently discovered vulnerability demonstrates their ability to quickly integrate new exploits.

Malware development at breakneck speed

Arctic Wolf Labs saw remarkable changes in the CanonStager loader. Between September and October, it shrank from approximately 700KB to just 4KB. The latest version eliminates complexity and uses standard C runtime libraries instead of the D programming language seen in earlier samples. This suggests active development in response to detections, which is common among advanced cyber attackers: they know they need to adapt their attack formula to stay ahead of defenders.

The PlugX malware itself contains extensive anti-analysis measures. Control-flow flattening, runtime string decryption, and multiple anti-debugging checks make reverse engineering difficult. The malware communicates with C2 infrastructure via HTTPS on port 443, with parameters generated randomly to frustrate network detection.

Infrastructure

The attackers use multiple domains such as racineupci[.]org and dorareco[.]net. These are registered through different providers and geographic regions. Names mimic legitimate organizations, and all domains use valid Let’s Encrypt certificates. PlugX creates hidden folders with names such as “SamsungDriver” or “IntelNet” and ensures persistence via the Windows Registry Run key.

The malware collects extensive telemetry via 50 sensors and sends it to command-and-control servers. Initial check-in requests contain epoch timestamps and encrypted parameters, presumably for victim fingerprinting. The configuration shows mutexes, decoy PDF names, and multiple failover C2 options.

Mitigation measures

Since there is no official patch for ZDI-CAN-25373, organizations should disable the automatic resolution of .lnk files. This was already the advice when the exploit became known in April. Furthermore, blocking the identified C2 domains is essential. Endpoints should be scanned for Canon printer utilities in unusual locations, especially when they are accompanied by DLL and DAT files.
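The endpoint and network checks described in this section, together with the decoy folder names, Run key persistence and C2 domains from the Infrastructure section, as one added hunting script. This is example code written for this page, not tooling from Arctic Wolf, Google or the malware authors. The expected Canon install directories, the placeholder binary name CanonPrinterUtility.exe, and every sample file listing, registry export and DNS log line are constructed assumptions; the decoy folder names and the two domains are the ones the article reports.

```python
"""Hunt for the PlugX/CanonStager layout described in the article.

Three checks, each run over constructed sample data embedded below:
  1. A Canon utility (names supplied from your own signed-software inventory)
     outside the vendor's normal install directories, with .dll and .dat
     files beside it (the DLL side-loading layout).
  2. Run key entries that launch something from a folder named like the
     article's decoys ("SamsungDriver", "IntelNet").
  3. DNS log lines that resolve one of the reported C2 domains
     (defanged "[.]" notation is accepted).
"""
import re
from pathlib import PureWindowsPath

# --- assumptions (not from the article) --------------------------------------
EXPECTED_CANON_DIRS = (  # where a Canon utility is expected on a managed host
    PureWindowsPath(r"C:\Program Files\Canon"),
    PureWindowsPath(r"C:\Program Files (x86)\Canon"),
)
CANON_BINARIES = {"canonprinterutility.exe"}  # placeholder; use your inventory

# --- values reported in the article ------------------------------------------
DECOY_FOLDERS = {"samsungdriver", "intelnet"}
C2_DOMAINS = {"racineupci[.]org", "dorareco[.]net"}


def refang(domain: str) -> str:
    """Turn defanged 'example[.]org' into lower-case 'example.org'."""
    return domain.replace("[.]", ".").strip().lower()


C2_DOMAINS_CLEAN = {refang(d) for d in C2_DOMAINS}


def _under(path: PureWindowsPath, parent: PureWindowsPath) -> bool:
    """Case-insensitive 'path is inside parent' check on Windows paths."""
    return str(path).lower().startswith(str(parent).lower() + "\\")


def find_misplaced_canon_tools(listing: str) -> list:
    """Canon utilities outside EXPECTED_CANON_DIRS; flags .dll+.dat neighbours."""
    paths = [PureWindowsPath(l.strip()) for l in listing.splitlines() if l.strip()]
    by_dir = {}
    for p in paths:
        by_dir.setdefault(str(p.parent).lower(), []).append(p)
    findings = []
    for p in paths:
        if p.name.lower() not in CANON_BINARIES:
            continue
        if any(_under(p, d) for d in EXPECTED_CANON_DIRS):
            continue  # vendor directory: normal install, not a hunt hit
        exts = {s.suffix.lower() for s in by_dir[str(p.parent).lower()] if s != p}
        findings.append({"path": str(p), "sideload_layout": {".dll", ".dat"} <= exts})
    return findings


# One value line of 'reg query ...\Run' output: name, type, data.
RUN_VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")


def find_decoy_run_entries(reg_output: str) -> list:
    """Run key values whose target lives in a decoy folder or is a Canon binary."""
    findings = []
    for line in reg_output.splitlines():
        m = RUN_VALUE_RE.match(line)
        if not m:
            continue
        data = m.group("data")
        # Quoted data: the executable is the quoted part; unquoted data is
        # assumed to be a bare path without arguments (simplification).
        exe = data[1:].split('"', 1)[0] if data.startswith('"') else data
        parts = {part.lower() for part in PureWindowsPath(exe).parts}
        hit_folder = parts & DECOY_FOLDERS
        hit_binary = PureWindowsPath(exe).name.lower() in CANON_BINARIES
        if hit_folder or hit_binary:
            findings.append({"value": m.group("name"), "exe": exe,
                             "decoy_folder": sorted(hit_folder)})
    return findings


QUERY_RE = re.compile(r"query=(?P<q>\S+)")


def find_c2_lookups(dns_log: str) -> list:
    """Queried names equal to, or a subdomain of, a reported C2 domain."""
    hits = []
    for line in dns_log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        q = refang(m.group("q")).rstrip(".")
        if any(q == c2 or q.endswith("." + c2) for c2 in C2_DOMAINS_CLEAN):
            hits.append(q)
    return hits


# --- constructed sample data (not real endpoint or log data) -----------------
SAMPLE_FILE_LISTING = r"""
C:\Program Files\Canon\IJ Tools\CanonPrinterUtility.exe
C:\Program Files\Canon\IJ Tools\CanonPrinterUtility.dll
C:\Users\jdoe\AppData\Roaming\SamsungDriver\CanonPrinterUtility.exe
C:\Users\jdoe\AppData\Roaming\SamsungDriver\CanonPrinterUtility.dll
C:\Users\jdoe\AppData\Roaming\SamsungDriver\CanonPrinterUtility.dat
C:\ProgramData\Temp\CanonPrinterUtility.exe
C:\ProgramData\Temp\readme.txt
"""
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SamsungDriver    REG_SZ    C:\Users\jdoe\AppData\Roaming\SamsungDriver\CanonPrinterUtility.exe
    IntelNet    REG_EXPAND_SZ    "%APPDATA%\IntelNet\svc.exe"
"""
SAMPLE_DNS_LOG = """
2025-10-14T09:12:03Z client=10.0.0.15 query=www.europa-example.test type=A
2025-10-14T09:12:41Z client=10.0.0.15 query=update.racineupci.org type=A
2025-10-14T09:13:02Z client=10.0.0.22 query=dorareco.net type=A
2025-10-14T09:13:09Z client=10.0.0.22 query=notdorareco.net type=A
"""

if __name__ == "__main__":
    for f in find_misplaced_canon_tools(SAMPLE_FILE_LISTING):
        print("Canon tool outside vendor dir:", f)
    for f in find_decoy_run_entries(SAMPLE_RUN_KEY):
        print("Suspicious Run key value:", f)
    for q in find_c2_lookups(SAMPLE_DNS_LOG):
        print("C2 domain lookup:", q)
```

Run as-is, the script reports the SamsungDriver copy of the Canon binary with the full side-loading layout, the ProgramData copy without it, the two Run key values pointing into decoy folders, and the two DNS queries for the reported domains. The C2 match deliberately requires an exact label boundary so that a lookalike such as notdorareco.net is not flagged, and the folder check matches path components rather than substrings for the same reason.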

Arctic Wolf emphasizes the importance of proactive threat hunting. The extended operational timeline of state-sponsored campaigns requires thorough checks for compromises, including in the past. Security awareness training (or, nowadays, often human risk management) remains crucial, with a focus on recognizing spearphishing attempts that use ordinary-looking meeting invitations as bait.