China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats

China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats

This report details a sophisticated cyberattack campaign attributed to the China-linked threat actor UNC6384, which exploited a critical vulnerability in Windows shortcut (.LNK) files to target European diplomatic and government entities between September and October 2025. The attack leveraged a combination of spear-phishing, malware delivery, and exploitation of unpatched software to infiltrate high-value targets.

---

Key Attack Details

• Targeted Entities:
  • Diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands.
  • Government agencies in Serbia.
• Attack Vector:
  • Spear-phishing emails with embedded URLs and malicious attachments themed around European Commission meetings, NATO workshops, and multilateral diplomatic events.
  • LNK files (Windows shortcuts) designed to exploit ZDI-CAN-25373 (CVE-2025-9491), a vulnerability with a CVSS score of 7.0.
• Exploitation Technique:
  • The LNK file triggers a PowerShell command to decode and extract a TAR archive containing:
    • A legitimate Canon printer utility (used as a decoy).
    • A malicious DLL (CanonStager) for DLL side-loading.
    • An encrypted PlugX payload (cnmplog.dat) for remote access.
  • The attack uses HTML Application (HTA) files to load external JavaScript and retrieve payloads from cloudfront[.]net subdomains.

---

Malware and Tools Used

• PlugX Malware:

  • A remote access trojan (RAT) with aliases: Destroy RAT, Kaba, Korplug, SOGU, TIGERPLUG.
  • Features:
    • Remote access capabilities: Command execution, keylogging, file transfers, persistence, and system reconnaissance.
    • Modular architecture for plugin-based functionality.
    • Anti-analysis techniques: Anti-debugging checks to evade detection.
    • Persistence: Achieved via Windows Registry modifications.
  • Variants:
    • SOGU.SEC, a memory-resident variant analyzed by Google Threat Intelligence Group (GTIG).
    • XDigo, a Go-based malware used by XDSpy in earlier attacks targeting Eastern Europe.

• CanonStager:

  • A malicious DLL used for DLL side-loading.
  • Size reduced from 700 KB to 4 KB (September–October 2025), indicating refinement to minimize forensic traces.

---

Vulnerability and Mitigation

• CVE-2025-9491 (ZDI-CAN-25373):
  • Reported: March 2025 by researchers Peter Girnus and Aliakbar Zahravi.
  • Exploitation History: Used by XDSpy in March 2025 for XDigo malware delivery.
  • Microsoft Response:
    • Microsoft Defender includes detections for this exploit.
    • Smart App Control blocks malicious files from the internet.

---

Strategic Motivations and Implications

• Target Alignment:
  • Focus on entities involved in defense cooperation, cross-border policy coordination, and multilateral frameworks.
  • Aligns with PRC strategic intelligence goals to monitor European alliance cohesion and defense initiatives.
• Operational Sophistication:
  • Use of multi-stage attack chains, decoy files, and anti-analysis techniques indicates a high level of operational maturity.
  • Leveraging trusted brands (e.g., Canon) to bypass user suspicion.

---

Recommendations for Defense

• Update Systems: Apply patches for CVE-2025-9491 (if available) and ensure Microsoft Defender and Smart App Control are enabled.
• User Awareness: Train users to recognize spear-phishing attempts and avoid opening suspicious attachments.
• Network Monitoring: Detect unusual PowerShell activity, HTA file execution, or connections to cloudfront[.]net.
• Endpoint Protection: Use tools that detect DLL side-loading and registry modifications.

---

Reference: The Hacker News Article