China-Linked Hackers Exploit Windows Flaw on Diplomats

China-Linked Hackers Launch New Cyberattacks

Cybersecurity researchers have discovered that China-linked hackers are exploiting a serious Windows shortcut flaw to target European diplomats. These attacks occurred between September and October 2025, focusing on government and diplomatic institutions in several European countries. The campaign highlights growing concerns about cyber espionage and geopolitical intelligence gathering.

How the Attack Begins

According to a recent technical report, the hackers sent spear-phishing emails containing malicious links. These links appeared related to European Commission meetings, NATO workshops, or other diplomatic events. However, clicking them triggered a hidden infection chain leading to malicious Windows shortcut (LNK) files.

These files exploited a known vulnerability identified as CVE-2025-9491. This flaw allows attackers to execute hidden commands on victims’ computers without detection. The goal was to deploy PlugX malware, a well-known remote access trojan that enables hackers to control infected systems.
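Public descriptions of CVE-2025-9491 attribute the "hidden command" to the shortcut's command-line arguments being padded with whitespace, so that the real command sits out of view when the shortcut's properties are inspected. As an added example that is not taken from the article or from the underlying report, the Python below parses a constructed .lnk file's StringData section and flags an argument string that contains a long run of whitespace; the in-memory sample and the 64-character threshold are assumptions, not values from a real sample.

```python
import struct
# LinkFlags bits from the ShellLinkHeader; PAD_CHARS render as blank in the UI.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, IS_UNICODE = 0x10, 0x20, 0x80
PAD_CHARS = set(" \t\n\x0b\x0c\r")

def build_lnk(args: str) -> bytes:
    """Constructed sample: minimal .lnk with only COMMAND_LINE_ARGUMENTS set."""
    header = bytearray(0x4C)                   # ShellLinkHeader is always 76 bytes
    struct.pack_into("<I", header, 0, 0x4C)    # HeaderSize
    struct.pack_into("<I", header, 0x14, HAS_ARGS | IS_UNICODE)  # LinkFlags
    return bytes(header) + struct.pack("<H", len(args)) + args.encode("utf-16-le")

def _read_string(buf: bytes, off: int, unicode: bool):
    """StringData item: u16 CountCharacters, then the characters (no NUL)."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("latin-1"), off + count

def extract_arguments(lnk: bytes):
    """Return the shortcut's command-line argument string, or None if absent."""
    if len(lnk) < 0x4C or struct.unpack_from("<I", lnk, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", lnk, 0x14)[0]
    off = 0x4C
    if flags & HAS_IDLIST:                     # skip LinkTargetIDList
        off += 2 + struct.unpack_from("<H", lnk, off)[0]
    if flags & HAS_LINKINFO:                   # skip LinkInfo (size includes itself)
        off += struct.unpack_from("<I", lnk, off)[0]
    args = None
    for flag in (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS):
        if flags & flag:                       # StringData items appear in this order
            value, off = _read_string(lnk, off, bool(flags & IS_UNICODE))
            if flag == HAS_ARGS:
                args = value
    return args

def padding_run(args: str) -> int:
    best = cur = 0                             # longest run of whitespace characters
    for ch in args:
        cur = cur + 1 if ch in PAD_CHARS else 0
        best = max(best, cur)
    return best

def is_suspicious(lnk: bytes, threshold: int = 64) -> bool:
    """Assumed heuristic: long padding inside the arguments hides what follows."""
    args = extract_arguments(lnk)
    return args is not None and padding_run(args) >= threshold
```

Run it over shortcut files collected from mail attachments or download folders; a hit is a triage signal rather than a verdict, since a real file may also carry an IDList and LinkInfo that the parser skips over before reading the arguments.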

Inside the PlugX Malware

Researchers revealed that the PlugX trojan can perform several dangerous functions. It can run commands, record keystrokes, and steal files from compromised devices. Moreover, it maintains long-term access by modifying the Windows Registry and avoiding detection.

The malware hides behind a legitimate program, in this case a Canon printer utility. When the file is opened, a decoy PDF document is displayed while the trojan is installed in the background, so users often remain unaware that their systems have been compromised.

A Sophisticated Attack Chain

The UNC6384 hacking group, believed to be linked to China, used a multi-stage infection process. The attack begins with an HTML Application (HTA) that loads a remote JavaScript file; this script then downloads additional malicious payloads from a cloud-hosted domain.

Researchers observed that the group continues to improve its tools. For instance, the malware’s size has decreased from 700 KB to only 4 KB, making it stealthier. This constant evolution suggests the hackers are refining their methods to leave fewer digital traces.

Global Espionage Connections

Experts have linked UNC6384’s activity to tactics used by another espionage group known as Mustang Panda. Both share similar tools and targets. The campaign aligns with broader intelligence goals, focusing on European defense cooperation and diplomatic coordination.

Additionally, other hacker groups have exploited the same flaw to attack Eastern European governments. This pattern suggests a widespread interest in political and defense data across the region.

Protecting Against These Threats

To prevent such attacks, users should apply system updates as soon as they are available. They should also avoid opening links or attachments from unknown senders. Organizations can deploy threat intelligence and email filtering systems to detect phishing attempts early.

Moreover, advanced endpoint protection tools can analyze unusual behavior, isolate threats, and prevent unauthorized data access. Security services offering real-time malware detection, vulnerability monitoring, and incident response can significantly reduce the risk of compromise.
