Chinese Hackers Exploit Windows Zero-Day to Target European Diplomats

A Chinese state-sponsored threat group tracked as UNC6384, which researchers link to Mustang Panda, is actively using a Windows zero-day vulnerability to spy on European diplomatic entities. The attacks begin with spear-phishing emails carrying malicious LNK (Windows shortcut) files disguised as invitations to NATO and European Commission meetings. These shortcuts exploit a high-severity flaw, CVE-2025-9491, to deploy the PlugX remote access trojan, giving the attackers persistent surveillance and data-theft capability on the victim's machine.

Initially aimed at Hungarian and Belgian diplomatic targets, the campaign has expanded to government agencies in Serbia, Italy, and the Netherlands. The flaw lets an attacker embed a malicious command line in a shortcut file in a way that Windows does not display to the user, so the only interaction required is that the victim opens what looks like a legitimate file. The issue has been public since March 2025 and has been exploited by multiple state-sponsored and cybercrime groups, yet Microsoft has not released a patch, stating that it does not meet the bar for immediate servicing.

In the absence of an official fix, the researchers recommend that organizations restrict LNK files where they can (for instance, blocking them as email attachments and inside archives) and block connections to the campaign's known command-and-control infrastructure. The campaign underscores the risk that unpatched vulnerabilities pose to government and diplomatic systems, and the continued targeting of European diplomatic circles by advanced persistent threats.
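As an added, illustrative check (not code from the article or from the researchers it cites): the publicly documented behaviour behind CVE-2025-9491 is that a shortcut's command-line arguments are padded with whitespace so that the Windows properties dialog does not show what actually runs. The Python below parses the StringData section of a .lnk file according to the MS-SHLLINK layout and flags arguments that begin with a long whitespace run or contain line-break characters. The two shortcuts it builds are constructed samples, the 16-character threshold and the placeholder `loader.exe` are assumptions, and it reads only the string fields (it skips the ID list and link-info structures rather than decoding them).

```python
# Added example: triage .lnk files for arguments hidden behind whitespace padding.
import struct

# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7

# StringData entries appear in this fixed order when their flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
PAD_CHARS = " \t\r\n\x0b\x0c"


def _read_string_data(data, pos, unicode):
    """One StringData entry: uint16 CountCharacters, then the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    nbytes = count * 2 if unicode else count
    raw = data[pos:pos + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated StringData")
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return text, pos + nbytes


def parse_lnk(data):
    """Return the StringData fields of a Shell Link file as a dict."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    (flags,) = struct.unpack_from("<I", data, 20)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (uint16) + IDList, skipped
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                 # LinkInfoSize (uint32) counts itself, skipped
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], pos = _read_string_data(data, pos, unicode)
    return fields


def triage(data, max_padding=16):
    """Flag shortcuts whose arguments are pushed out of view by whitespace.

    max_padding is an assumed threshold: a few spaces are normal, hundreds are not.
    """
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    effective = args.lstrip(PAD_CHARS)
    padding = len(args) - len(effective)
    findings = []
    if padding >= max_padding:
        findings.append(f"{padding} leading whitespace characters precede the real arguments")
    if any(c in "\r\n\x0b\x0c" for c in args):
        findings.append("arguments contain line-break control characters")
    return {"fields": fields, "padding": padding,
            "effective_arguments": effective, "findings": findings}


def build_lnk(arguments=None, relative_path=None, unicode=True):
    """Construct a minimal .lnk (header + StringData only) for exercising the parser."""
    flags = IS_UNICODE if unicode else 0
    body = b""

    def encode(text):
        raw = text.encode("utf-16-le") if unicode else text.encode("cp1252")
        return struct.pack("<H", len(text)) + raw

    if relative_path is not None:             # spec order: relative path before arguments
        flags |= HAS_RELATIVE_PATH
        body += encode(relative_path)
    if arguments is not None:
        flags |= HAS_ARGUMENTS
        body += encode(arguments)
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # attributes, timestamps etc. zeroed
    return header + body


# Constructed samples; "loader.exe" is a placeholder, not a campaign artifact
CMD = r"..\..\Windows\System32\cmd.exe"
BENIGN_LNK = build_lnk('/c "echo hello"', relative_path=CMD)
PADDED_LNK = build_lnk(" " * 300 + '/c start "" loader.exe', relative_path=CMD)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        report = triage(sample)
        print(label, report["padding"], report["findings"], repr(report["effective_arguments"]))
```

Run it over quarantined attachments or extracted archive contents: a hit on `findings` is a strong signal on its own, and the `effective_arguments` value gives the responder the command line the user would never have seen, which is what to pivot on when correlating with the blocked command-and-control addresses.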
