Are China-linked hackers targeting European diplomatic missions with a new Windows flaw?
Synopsis
Key Takeaways
- UNC6384 is a China-linked hacking group targeting European entities.
- The group exploited an unpatched Windows vulnerability.
- Victims included diplomatic missions in several European countries.
- PlugX malware was deployed during the attacks.
- Microsoft Defender can detect and block these threats.
New Delhi, Nov 2 (NationPress) A hacking group associated with China, known as UNC6384, has been identified as responsible for a recent wave of cyberattacks on European diplomatic and governmental entities, as reported by cybersecurity firm Arctic Wolf.
The intrusions took place between September and October 2025 and exploited an unpatched vulnerability in Windows shortcut (LNK) files, as highlighted by The Hacker News.
Victims include diplomatic missions in Hungary, Belgium, Italy, and the Netherlands, along with government bodies in Serbia.
According to Arctic Wolf, the attackers employed spear-phishing emails containing links that seemed to reference meetings of the European Commission, NATO workshops, and events for diplomatic coordination.
When users clicked on these links, they were redirected to malicious LNK files meant to exploit the Windows vulnerability tracked as CVE-2025-9491, which has a CVSS score of 7.0.
Upon execution, these files initiated a sophisticated attack sequence that culminated in the deployment of PlugX malware, also referred to as Destroy RAT, Korplug, and SOGU.
This malware grants hackers the ability to take control of infected devices, log keystrokes, transfer files, and extract sensitive information from compromised systems.
Researchers explained that the LNK files launch a PowerShell command which extracts a concealed archive containing three files: a legitimate Canon printer utility, a malicious DLL named CanonStager, and an encrypted PlugX payload.
The hackers employ a technique known as DLL side-loading to disguise the malware as a benign application.
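As a defender-side illustration of the chain described above (a shortcut that launches a hidden PowerShell command, which extracts an archive, after which a legitimate signed executable loads a malicious DLL sitting beside it), here is an added example that is not code from Arctic Wolf, Microsoft, or the article. It is a small Python heuristic run over constructed Sysmon-style process-creation and image-load events. The paths, process IDs, the utility name PrintUtility.exe and the DLL name stager.dll are all invented placeholders; the article does not give the real file names, and the hidden-window/encoded-command flags used as a PowerShell indicator are a generic heuristic, not something the article attributes to this campaign.

```python
"""Heuristic detection of an LNK -> hidden PowerShell -> DLL side-loading chain.

All events below are constructed sample data in a Sysmon-like shape; nothing
here is real telemetry from the campaign in the article.
"""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


@dataclass
class ImageLoadEvent:
    pid: int
    image: str      # host process that loaded the module
    loaded: str     # path of the loaded DLL
    signed: bool    # whether the DLL carries a valid Authenticode signature


# Directories an ordinary user can write to; a signed vendor binary running
# from one of these and pulling an unsigned DLL from the same folder is the
# classic side-loading shape.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Generic indicators of a PowerShell launch meant to stay out of sight.
# (Heuristic assumption, not flags quoted from the article.)
HIDDEN_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand", "-nop")


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[0]


def in_user_writable(path: str) -> bool:
    return _norm(path).startswith(USER_WRITABLE)


def lnk_launched_powershell(procs):
    """PIDs of PowerShell started from explorer.exe (how a double-clicked LNK
    appears in process telemetry) with hidden/encoded flags on the command line."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if basename(p.image) not in ("powershell.exe", "pwsh.exe") or parent is None:
            continue
        if basename(parent.image) != "explorer.exe":
            continue
        if any(flag in p.cmdline.lower() for flag in HIDDEN_FLAGS):
            hits.append(p.pid)
    return hits


def sideload_candidates(loads):
    """Image loads where a process in a user-writable directory loads an
    unsigned DLL from its own directory."""
    return [
        ev for ev in loads
        if in_user_writable(ev.image) and not ev.signed
        and dirname(ev.loaded) == dirname(ev.image)
    ]


def ancestor_pids(pid, by_pid):
    out = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid not in out:
        out.add(cur.ppid)
        cur = by_pid.get(cur.ppid)
    return out


def detect(procs, loads):
    """Correlate the two weak signals: a side-loading host whose ancestry
    includes a hidden PowerShell launched from explorer.exe."""
    by_pid = {p.pid: p for p in procs}
    ps_pids = set(lnk_launched_powershell(procs))
    findings = []
    for ev in sideload_candidates(loads):
        linked = ancestor_pids(ev.pid, by_pid) & ps_pids
        if linked:
            findings.append({
                "powershell_pid": min(linked),
                "host_pid": ev.pid,
                "host_image": ev.image,
                "dll": ev.loaded,
            })
    return findings


# Constructed sample telemetry (all names and PIDs invented).
PROCS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -nop -c Expand-Archive ..."),
    ProcessEvent(300, 200, r"C:\Users\alice\AppData\Local\Temp\print\PrintUtility.exe",
                 "PrintUtility.exe"),
    ProcessEvent(400, 100, r"C:\Program Files\Vendor\tool.exe", "tool.exe"),
    ProcessEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),  # interactive session, no hidden flags
]
LOADS = [
    ImageLoadEvent(300, r"C:\Users\alice\AppData\Local\Temp\print\PrintUtility.exe",
                   r"C:\Users\alice\AppData\Local\Temp\print\stager.dll", signed=False),
    ImageLoadEvent(300, r"C:\Users\alice\AppData\Local\Temp\print\PrintUtility.exe",
                   r"C:\Windows\System32\kernel32.dll", signed=True),
    ImageLoadEvent(400, r"C:\Program Files\Vendor\tool.exe",
                   r"C:\Program Files\Vendor\helper.dll", signed=False),
]

if __name__ == "__main__":
    for f in detect(PROCS, LOADS):
        print("side-load chain:", f)
```

Only the process running from the user's Temp directory is reported: tool.exe also loads an unsigned DLL from its own folder, but Program Files is not user-writable, and the interactive PowerShell session carries none of the hidden-launch flags. In production the same correlation would be driven by real Sysmon event IDs 1 and 7 (or equivalent EDR telemetry) rather than the constructed lists here.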
The CanonStager malware has shown rapid evolution, with its file size decreasing from 700 KB in early September to a mere 4 KB by October 2025, indicating that the hackers are striving to make it more compact, stealthy, and difficult to detect.
In certain instances, attackers have also utilized HTML Application (HTA) files that fetched external JavaScript from cloudfront[.]net domains to deploy the malware.
This demonstrates that UNC6384 remains committed to refining its tactics to circumvent security measures.
Cybersecurity analysts have also linked UNC6384 to another China-based hacking entity known as Mustang Panda, which is recognized for targeting governmental and diplomatic organizations in both Europe and Asia.
This group has been observed using memory-resident variants of PlugX, referred to as SOGU.SEC.
Experts assert that this campaign aligns with China's objectives of intelligence gathering, particularly to surveil European defense collaborations, policy formulation, and alliance fortitude.
Microsoft has confirmed that its Defender antivirus can identify and neutralize this type of cyber threat, while Smart App Control provides an additional layer of security by blocking harmful files downloaded from the web.
According to Arctic Wolf, the ongoing targeting of European diplomatic establishments underscores China's escalating focus on cyber espionage aimed at understanding the dynamics of European alliances and defense strategies.