A China-affiliated cyber threat actor, identified as UNC6348, has been linked to a recent series of attacks targeting European diplomatic and government entities. Between September and October 2025, the group exploited an unpatched Windows shortcut vulnerability to gain access to sensitive systems, according to a new report by Arctic Wolf.
The cybersecurity firm detailed that the campaign specifically targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia. The attack chain began with spear-phishing emails containing embedded URLs, the first step in a multi-stage process that ultimately delivered malicious LNK (Windows shortcut) files. These files were themed around high-profile European diplomatic events, such as Commission meetings, NATO workshops, and multilateral coordination forums, to appear plausible to their recipients.
UNC6348 Leverages Windows Shortcut Flaw for Espionage
The core of UNC6348’s recent activity revolves around the exploitation of a vulnerability officially tracked as CVE-2025-9491, a weakness in how Windows presents shortcut files to the user. The flaw, rated CVSS 7.0, is a user-interface misrepresentation issue: the command-line arguments embedded in a .lnk file can be padded with large runs of whitespace so that the Windows properties dialog does not display the real command, which nevertheless runs when the shortcut is opened. The bug was publicly disclosed by security researchers Peter Girnus and Aliakbar Zahravi in March 2025, who reported that various threat actors had already been exploiting it in the wild since at least 2017.
Arctic Wolf’s analysis indicates that the LNK files, once opened, trigger a PowerShell command to decode and extract the contents of a TAR archive. Simultaneously, a decoy PDF document is presented to the user to mask the malicious activity. The archive contained three key components: a legitimate Canon printer utility, a malicious DLL named CanonStager designed for DLL side-loading, and an encrypted PlugX malware payload, identified as “cnmplog.dat.”
This PlugX malware, also known by aliases such as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG, provides comprehensive remote access capabilities. These include command execution, keylogging, file transfer operations, persistence establishment, and detailed system reconnaissance. Its modular design allows operators to expand its functionality with plugins tailored to specific espionage objectives.
The report from Arctic Wolf also noted a trend in the evolution of the CanonStager artifacts observed in the September and October 2025 attacks. The size of these files has steadily decreased from approximately 700 KB to just 4 KB, suggesting active development and optimization into a more stealthy tool with a reduced forensic footprint.
Broader Threat Landscape and Evolving Tactics
Google Threat Intelligence Group (GTIG) had previously analyzed UNC6348, noting tactical and tooling overlaps with the hacking group Mustang Panda. GTIG also reported that UNC6348 has been observed deploying a memory-resident variant of PlugX known as SOGU.SEC.
In an earlier phase of this campaign, observed in early September 2025, UNC6348 was seen leveraging HTML Application (HTA) files. These HTA files loaded external JavaScript, which in turn fetched malicious payloads from a Cloudfront.net subdomain. The later shift to LNK files that exploit CVE-2025-9491 indicates a refinement of the group's delivery mechanisms aimed at further obscuring its activity.
The focus on European diplomatic entities involved in defense cooperation, cross-border policy coordination, and multilateral diplomatic frameworks aligns with what Arctic Wolf describes as “PRC strategic intelligence requirements concerning European alliance cohesion, defense initiatives, and policy coordination mechanisms.” This suggests a broader geopolitical motivation behind these cyber espionage operations.
Microsoft had previously stated that Microsoft Defender possesses detections to identify and block this type of threat activity. Additionally, Smart App Control offers an extra layer of protection by preventing the execution of malicious files downloaded from the internet. Because the shortcut flaw remained unpatched during the campaign, patching alone could not close this vector; the continued exploitation of a known weakness by a sophisticated actor like UNC6348 highlights the need for layered defenses, including endpoint detection, application control, and scrutiny of shortcut files that arrive by email or download.
The continued targeting of European diplomatic entities by UNC6348 suggests that these organizations remain a priority for the actor. Future observations will likely focus on any further evolution in their tactics, techniques, and procedures, as well as the potential emergence of new exploitation vectors or malware variants. The sustained interest in these targets indicates a long-term intelligence-gathering objective.