Researchers at Arctic Wolf Labs have uncovered an extensive cyber espionage campaign by UNC6384, a Chinese-affiliated threat actor, targeting European diplomatic entities across Hungary, Belgium, and other EU nations. The campaign, active between September and October 2025, demonstrates a significant evolution in Chinese cyber operations — combining rapid adoption of a new Windows exploit, sophisticated social engineering, and stealthy malware deployment through legitimate software.
“The campaign represents a tactical evolution incorporating the exploitation of ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025, alongside refined social engineering leveraging authentic diplomatic conference themes,” the report stated.
UNC6384, recently documented by Google’s Threat Intelligence Group, has traditionally focused on Southeast Asian diplomatic targets. However, Arctic Wolf’s findings show a strategic shift toward Europe, with attacks impersonating European Commission meetings, NATO workshops, and EU border facilitation conferences to gain access to government systems.
Arctic Wolf attributes the operation with high confidence to UNC6384, citing “multiple converging lines of evidence including malware tooling, tactical procedures, targeting alignment, and infrastructure overlaps with previously documented UNC6384 operations.”
Notably, this expansion aligns with the People’s Republic of China’s (PRC) strategic intelligence goals to monitor EU defense cooperation, cross-border infrastructure, and diplomatic coordination, particularly amid Europe’s heightened security posture following the war in Ukraine.
The attack chain begins with spearphishing emails containing URLs that deliver malicious Windows LNK (shortcut) files. These files exploit ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025 by Trend Micro’s Zero Day Initiative, allowing covert command execution via whitespace padding in the command-line arguments structure.
“UNC6384 rapidly adopted the ZDI-CAN-25373 Windows vulnerability within six months of its March 2025 disclosure,” Arctic Wolf noted. “This demonstrates the group’s capability to rapidly integrate newly disclosed vulnerabilities into operational tradecraft.”
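As an added defender-side example, not part of Arctic Wolf’s report or tooling, the following Python walks the MS-SHLLINK shortcut structure to extract a .lnk file’s command-line arguments and flags any whose arguments open with a long run of whitespace, the padding pattern described above. The sample .lnk files are constructed inline, and the 32-character threshold is an assumed tuning value.

```python
import struct
from typing import Optional
# LinkFlags bits from the MS-SHLLINK shell link header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
                HAS_ARGUMENTS, HAS_ICON_LOCATION)
PADDING = " \t\r\n\x0b\x0c"  # whitespace a shortcut's Properties view does not reveal

def lnk_arguments(data: bytes) -> Optional[str]:
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk, or None if absent."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag in STRING_ORDER:                # each: CountCharacters (2) + chars
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        if flag == HAS_ARGUMENTS:
            return raw.decode("utf-16-le" if width == 2 else "cp1252")
    return None

def leading_padding(args: str) -> int:
    """Number of padding characters before the first visible argument character."""
    return len(args) - len(args.lstrip(PADDING))

def is_suspicious(data: bytes, threshold: int = 32) -> bool:
    """Flag shortcuts whose arguments start with an abnormal run of padding."""
    args = lnk_arguments(data)
    return args is not None and leading_padding(args) >= threshold

def build_lnk(args: str) -> bytes:
    """Constructed test data: a minimal Unicode .lnk carrying only arguments."""
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)                          # HeaderSize
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    struct.pack_into("<I", header, 20, HAS_ARGUMENTS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(args)) + args.encode("utf-16-le")

# Constructed samples (not the campaign's lures): a plain shortcut and a padded one
BENIGN_LNK = build_lnk("notepad.exe")
PADDED_LNK = build_lnk(" " * 600 + "cmd.exe /c echo constructed-sample")
```

Run over quarantined mail attachments, the same check gives a cheap triage signal, since legitimate shortcuts rarely carry more than a handful of leading spaces in their arguments.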
Upon execution, the LNK file launches obfuscated PowerShell commands that extract and deploy multiple components — including a legitimate Canon printer utility, a malicious DLL, and an encrypted PlugX payload. A decoy PDF document is simultaneously displayed, imitating a genuine European Commission meeting agenda, maintaining the illusion of legitimacy while the malware installs in the background.
The final payload deployed through this campaign is PlugX, a remote access trojan (RAT) with a long history among Chinese APT groups, including Mustang Panda (TEMP.Hex).
The attack exploits the DLL side-loading technique — abusing a legitimate Canon-signed binary (cnmpaui.exe) to load a malicious DLL (cnmpaui.dll) from the same directory. This DLL decrypts the PlugX payload stored as an RC4-encrypted blob (cnmplog.dat), loading it into memory to avoid detection.
The malware provides attackers with remote access, file exfiltration, keylogging, and command execution capabilities, allowing for covert intelligence collection on diplomatic activities.
“PlugX malware deployed via in-memory execution establishes a persistent remote-access capability within targeted environments, enabling covert intelligence collection,” the report explains.
Arctic Wolf also noted that PlugX’s MSGInitialize export function employs control-flow flattening and custom API hashing, techniques that complicate static analysis and hinder malware detection.
Arctic Wolf identified multiple command-and-control (C2) domains used in the operation.
C2 traffic to each domain travels over HTTPS on port 443 using valid Let’s Encrypt certificates, lending the infrastructure further legitimacy and complicating network-based detection.
The infrastructure shows patterns consistent with state-sponsored operational security, using geographically distributed hosting providers and domains resembling legitimate organizations.
Arctic Wolf’s telemetry confirmed that Hungarian and Belgian diplomats were primary targets, with additional evidence pointing to Serbian, Italian, and Dutch government entities being affected.
One lure, titled “Agenda_Meeting 26 Sep Brussels.lnk,” referenced an authentic European Commission meeting on cross-border trade. Another, “EPC invitation letter Copenhagen 1-2 October 2025.pdf,” was linked to the European Political Community Summit in Copenhagen.
These themes align closely with EU defense and trade priorities, underscoring UNC6384’s focus on intelligence surrounding NATO readiness, European supply chain resilience, and policy coordination within EU frameworks.
“The geographic and thematic focus of this campaign indicates intelligence collection priorities aligned with PRC strategic interests in European defense cooperation, cross-border infrastructure development, and multilateral diplomatic coordination,” Arctic Wolf wrote.
Arctic Wolf observed a rapid evolution in the malware loader, dubbed CanonStager, shrinking from 700KB to just 4KB in size between September and October 2025 — a drastic optimization suggesting active refinement to evade detection.
The earlier variant contained complex threading and message queue functionality, while the streamlined 4KB version removed nonessential features, relying on API hashing, PEB traversal, and RC4 decryption to execute payloads — minimizing its forensic footprint.
Arctic Wolf assesses with high confidence that the operation is conducted by UNC6384, an actor linked to China’s Mustang Panda, sharing PlugX variants, infrastructure, and targeting overlaps.
The campaign’s speed in weaponizing a six-month-old vulnerability and its expansion into Europe reflect a broader Chinese intelligence effort aimed at monitoring European political cohesion, defense strategy, and trade policy.
“Successful long-term compromise enables collection of strategic intelligence concerning European foreign policy development, defense cooperation initiatives, economic policy coordination, negotiating positions for international agreements, internal assessments of geopolitical situations, and relationship dynamics within multilateral frameworks,” the report warned.