A Chinese threat actor has been exploiting an unpatched Windows shortcut vulnerability in fresh attacks targeting the diplomatic community in Europe, Arctic Wolf reports.
The exploited flaw, tracked as CVE-2025-9491 (CVSS score of 7.0), is a UI misrepresentation issue: when a user opens a shortcut's Properties dialog, Windows does not show the full command line the shortcut will run, so the information that would give away malicious activity stays out of view.
The attacks seen by Arctic Wolf involve the distribution of LNK files designed to execute malicious code when opened by the victim. CVE-2025-9491 is exploited to keep the malicious command line invisible to a user who inspects the file's properties before opening it.
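The check below is an added example, not code from the article, Arctic Wolf or ZDI. It parses the StringData section of a shell link file (layout per Microsoft's MS-SHLLINK specification) and scores the COMMAND_LINE_ARGUMENTS field for the padding trick ZDI documented: long runs of whitespace characters (spaces, tabs, line feeds, vertical tabs, form feeds, carriage returns) inserted ahead of the real switches so the Properties dialog's Target field shows nothing useful. The two sample shortcuts are constructed inline for the demo, the `MAX_RUN` threshold is an assumption, and the ANSI code page used for non-Unicode links is assumed to be cp1252.

```python
"""Flag .lnk files whose COMMAND_LINE_ARGUMENTS are padded to hide the real
command from the Properties dialog. Added example, not Arctic Wolf or ZDI code."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
PADDING = " \t\r\n\x0b\x0c"   # whitespace classes ZDI saw used as padding
MAX_RUN = 16                  # assumption: a longer whitespace run is never legitimate


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shell link (MS-SHLLINK section 2.4)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip IDList: 2-byte size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # skip LinkInfo: its size field includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    is_unicode = bool(flags & IS_UNICODE)
    width = 2 if is_unicode else 1
    fields = {}
    for name, bit in STRING_FIELDS:                # fixed order: name, relpath, workdir, args, icon
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if is_unicode else "cp1252", "replace")
    return fields


def assess_arguments(args: str) -> dict:
    """Measure padding in COMMAND_LINE_ARGUMENTS and recover what it hides."""
    longest = run = 0
    for ch in args:
        run = run + 1 if ch in PADDING else 0
        longest = max(longest, run)
    control = sum(args.count(c) for c in "\t\r\n\x0b\x0c")   # never legitimate in shortcut args
    return {
        "length": len(args),
        "longest_whitespace_run": longest,
        "control_whitespace": control,
        "effective_command": " ".join(args.split()),        # what the shell will actually run
        "suspicious": longest > MAX_RUN or control > 0,
    }


def triage_lnk(data: bytes) -> dict:
    fields = parse_lnk_strings(data)
    result = assess_arguments(fields.get("arguments", ""))
    result["relative_path"] = fields.get("relative_path", "")
    return result


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk carrying only RelativePath and Arguments (test input)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\0")
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


POWERSHELL = r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed samples, not files from the campaign: a plain shortcut, and one padded with
# 300 mixed whitespace characters ahead of the real switches.
BENIGN_LNK = build_lnk(POWERSHELL, r"-NoProfile -File C:\Scripts\backup.ps1")
PADDED_LNK = build_lnk(POWERSHELL, " \t\n\x0b\x0c\r" * 50 + r"-w hidden -ep bypass -c C:\Users\Public\update.exe")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, triage_lnk(blob))
```

Run it over a directory of .lnk attachments and anything with `suspicious` set is worth a look; `effective_command` shows the command line the Properties dialog would have hidden. The parser deliberately skips the IDList and LinkInfo blocks rather than interpreting them, since only the StringData fields matter for this check.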
Trend Micro’s Zero Day Initiative (ZDI) reported the issue to Microsoft in September 2024. Microsoft has not released patches for the security defect, notifying ZDI that the issue does not meet the bar for servicing. In line with its disclosure policy, ZDI released information on the vulnerability in March this year.
ZDI warned at the time that 11 state-sponsored APT groups from North Korea, Russia, China, and Iran have been abusing specially crafted LNK files in attacks targeting defense, energy, financial, government, military, telecoms, think tank, and private organizations.
Microsoft told SecurityWeek that users rarely inspect a file's properties to look for malicious code and that Microsoft Defender can detect the use of this technique in LNK files.
The tech giant also noted that attempting to open such a file after downloading it from the internet automatically triggers a security warning, and said users should exercise caution when opening files fetched from the internet or received from untrusted sources. That warning is driven by the Mark-of-the-Web zone identifier attached to downloaded files, so it only appears when that marker survives delivery to the user.
Now, Arctic Wolf says that UNC6384, a Chinese threat actor linked to the Mustang Panda APT, which is also tracked as Basin, Bronze President, Earth Preta, Red Delta, Temp.Hex, and Twill Typhoon, has been exploiting CVE-2025-9491 in attacks since September 2025.
The hacking group has been targeting European diplomats with spear-phishing emails containing an embedded URL that initiates an infection chain leading to the delivery of the PlugX remote access trojan (RAT).
At one stage in the infection chain, “malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events” are dropped to exploit the unpatched vulnerability.
Once opened, the shortcut runs PowerShell commands that drop a legitimately signed Canon printer utility, which UNC6384 abuses to run PlugX through DLL sideloading: the signed executable loads an attacker-supplied DLL from its own directory in place of the library it expects.
“Arctic Wolf Labs assesses with high confidence that this campaign is attributable to UNC6384. This attribution is based on multiple converging lines of evidence including malware tooling, tactical procedures, targeting alignment, and infrastructure overlaps with previously documented UNC6384 operations,” the cybersecurity firm notes.
In September and October, Arctic Wolf observed UNC6384 exploiting the bug in attacks aimed at Hungarian and Belgian diplomatic personnel. Additionally, the company linked the campaign with the targeting of Serbian government aviation departments and diplomatic entities in Italy and the Netherlands.
“We appreciate the work of the research community in sharing their findings. Microsoft Defender has detections in place to identify and block this threat activity, and Smart App Control provides an additional layer of protection by blocking malicious files from the Internet. As a security best practice, we strongly encourage customers to heed security warnings and avoid opening files from unknown sources,” a Microsoft spokesperson said, responding to a SecurityWeek inquiry.
*Updated with statement from Microsoft
Related: Chinese APT ‘Phantom Taurus’ Targeting Organizations With Net-Star Malware
Related: Chinese Cyberspies Hacked US Defense Contractors
Related: Chinese Hackers Lurked Nearly 400 Days in Networks With Stealthy BrickStorm Malware
Related: Details Emerge on Chinese Hacking Operation Impersonating US Lawmaker

