UNC6384 Group Uses Canon Malware to Breach Diplomatic Networks

China-Linked Hackers Target Diplomats in Major Cybercrime Campaign

The420 Web Desk

A newly uncovered cyber espionage campaign, attributed to a China-linked hacking group known as UNC6384, has penetrated diplomatic networks across Europe. Leveraging a recently disclosed Windows vulnerability and signed Canon software, the operation marks one of the most sophisticated deployments of the PlugX malware family to date, combining stealth, legitimacy, and geopolitical precision.

A New Front in Digital Espionage

Researchers from Arctic Wolf Labs have revealed a far-reaching cyber campaign targeting European diplomatic entities in Hungary, Belgium, Serbia, Italy, and the Netherlands. The operation, attributed to the Chinese state-aligned group UNC6384, used EU- and NATO-themed phishing lures to breach embassies and government agencies.

UNC6384, previously linked to attacks on Southeast Asian diplomats, has expanded its scope westward. Analysts describe it as part of a broader evolution of China-nexus cyber operations — blending social engineering, legitimate code-signing, and memory-resident malware into campaigns optimized for stealth and endurance. The attackers relied on “distributed infrastructure” hosted on legitimate-looking domains and encrypted HTTPS channels to obscure their command-and-control (C2) networks.


Exploiting a Known Weakness

The hackers exploited ZDI-CAN-25373, a Windows shortcut (LNK) vulnerability disclosed in March 2025, which allows remote execution of malicious commands through crafted shortcut files. Within six months of the flaw’s discovery, UNC6384 weaponized it for espionage.

According to Arctic Wolf Labs, victims received phishing emails bearing fake EU or NATO meeting invitations. Once opened, the LNK triggered an obfuscated PowerShell script that downloaded a compressed archive disguised as a Canon software package. Inside was a signed Canon executable (cnmpaui.exe), a malicious DLL loader (cnmpaui.dll), and an encrypted PlugX payload (cnmplog.dat).

The attackers abused DLL side-loading, in which a trusted, signed executable is tricked into loading an attacker-supplied DLL placed beside it, to stealthily load PlugX into system memory. The legitimate Canon utility, signed by Symantec between 2015 and 2018, decrypted the hidden payload with a hardcoded key. Because the payload was only ever decrypted in memory and never written to disk in the clear, PlugX bypassed traditional antivirus and reputation-based defenses.

Shrinking Malware, Expanding Reach

A separate analysis by StrikeReady and Arctic Wolf researchers found that the group’s CanonStager loader had evolved from a 700 KB binary to a compact 4 KB variant between September and October 2025. This drastic reduction in size, researchers noted, minimized its forensic footprint and enabled faster deployment across multiple systems.

The malware’s C2 servers — hosted on domains like racineupci[.]org and dorareco[.]net — underscored active development and distributed control. Delivery was carried out via HTA and CloudFront-based JavaScript, making detection and takedown challenging even for advanced European cybersecurity centers.

Analysts warned that the operation’s breadth — cutting across Hungarian, Belgian, Serbian, Italian, and Dutch diplomatic entities — indicated not just isolated espionage but a coordinated intelligence-gathering effort. Evidence suggested that multiple parallel teams may have been operating under a unified command structure or shared toolkit.

Implications for European Security

Cybersecurity experts say the UNC6384 campaign exposes the vulnerabilities of Europe’s diplomatic infrastructure at a time of heightened geopolitical tension. Diplomatic cables, classified exchanges, and policy communications remain prime targets for intelligence agencies — and when compromised, can yield immense strategic insight.

The researchers emphasize that this campaign, likely run by operators aligned with China’s Mustang Panda cluster, represents a fusion of tradecraft and timing — exploiting a newly public flaw before defenses could adapt.

“The breadth of targeting across multiple European nations in a condensed timeframe suggests a large-scale coordinated intelligence collection operation,” Arctic Wolf Labs noted.
