Ethical Hacking News
A China-linked threat actor has been linked to a series of attacks exploiting an unpatched Windows shortcut vulnerability, targeting European diplomatic and government entities between September and October 2025. The attack chain began with spear-phishing emails containing embedded URLs that led to the delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events.
A China-affiliated threat actor has exploited an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025.
The attack chain began with spear-phishing emails containing embedded URLs that led to the delivery of malicious LNK files.
The malicious LNK files were designed to exploit ZDI-CAN-25373, a vulnerability first reported in March 2025.
The attack used PlugX malware, a remote access trojan also referred to as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG.
Microsoft Defender and Smart App Control provide protection against this threat activity.
The attackers aimed to target European diplomatic entities involved in defense cooperation, cross-border policy coordination, and multilateral diplomatic frameworks.
The attacks highlight the need for organizations to prioritize their cybersecurity posture and ensure software is up to date with the latest security patches.
China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats
A recent series of attacks by a China-affiliated threat actor has been linked to the exploitation of an unpatched Windows shortcut vulnerability, which targeted European diplomatic and government entities between September and October 2025. The attack chain began with spear-phishing emails containing embedded URLs that led to the delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events.
The malicious LNK files were designed to exploit ZDI-CAN-25373, a vulnerability that multiple threat actors have abused since at least 2017 to execute hidden malicious commands on a victim's machine. The files triggered a multi-stage attack chain that culminated in the deployment of the PlugX malware by means of DLL side-loading. PlugX is a remote access trojan that is also referred to as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG.
The latest attack wave used phishing emails with diplomatic lures to entice recipients into opening a bogus attachment that was designed to exploit ZDI-CAN-25373. The existence of the bug was first reported by security researchers Peter Girnus and Aliakbar Zahravi in March 2025. A subsequent report from HarfangLab found that the shortcoming has also been abused by a cyber espionage cluster known as XDSpy to distribute a Go-based malware called XDigo in attacks targeting Eastern European governmental entities in March 2025.
Microsoft told The Hacker News that Microsoft Defender has detections in place to block this threat activity, and that Smart App Control provides an extra layer of protection by blocking malicious files downloaded from the Internet. In the observed chain, the LNK file launched a PowerShell command that decoded and extracted the contents of a TAR archive while displaying a decoy PDF document to the user.
The archive contained three files: a legitimate Canon printer assistant utility, a malicious DLL dubbed CanonStager that was side-loaded by that binary, and an encrypted PlugX payload ("cnmplog.dat") that was launched by the DLL. The malware provided comprehensive remote access capabilities, including command execution, keylogging, file upload and download, persistence establishment, and extensive system reconnaissance functions.
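The LNK stage of the chain above is the one a defender can check for offline. ZDI-CAN-25373 is publicly documented as a UI misrepresentation flaw: the shortcut's COMMAND_LINE_ARGUMENTS field is padded with long runs of whitespace so that the Windows properties dialog shows an empty-looking arguments box while the real command follows the padding. The Python script below is an added example written for this article, not code from The Hacker News, Arctic Wolf or Microsoft. It parses the StringData section of a shell link following the public MS-SHLLINK layout, measures the longest whitespace run inside the arguments, and flags the file when that run reaches a threshold (64 characters here, an assumed cut-off). The build_lnk helper and the "constructed-sample" strings are fixtures made up for the example so that it runs offline; none of them is an indicator from the campaign.

```python
"""Triage check for Windows shortcut (.lnk) files: parse the StringData fields
of a shell link and flag arguments hidden behind long runs of whitespace."""
import struct

# Layout per the public MS-SHLLINK spec: 76-byte header, LinkFlags at offset 20.
HEADER_SIZE = 76
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields, in on-disk order, with the LinkFlags bit that enables each.
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
# Characters the shortcut properties dialog renders as blank space.
PADDING_CHARS = " \t\r\n\x0b\x0c"


def parse_string_data(data: bytes) -> dict:
    """Return the StringData fields of a shell link as {field: text}."""
    if (len(data) < HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) + item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # characters, not bytes
        off += 2
        raw = data[off:off + count * width]
        off += count * width
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return fields


def longest_whitespace_run(text: str) -> int:
    """Length of the longest consecutive run of padding characters."""
    best = current = 0
    for ch in text:
        current = current + 1 if ch in PADDING_CHARS else 0
        best = max(best, current)
    return best


def analyze_lnk(data: bytes, threshold: int = 64) -> dict:
    """Flag a shortcut whose arguments contain a whitespace run of at least
    `threshold` characters (the threshold is an assumption for this example)."""
    fields = parse_string_data(data)
    args = fields.get("arguments", "")
    run = longest_whitespace_run(args)
    return {
        "fields": fields,
        "longest_whitespace_run": run,
        "visible_arguments": " ".join(args.split()),  # padding collapsed
        "suspicious": run >= threshold,
    }


def build_lnk(arguments: str, relative_path: str = r".\cmd.exe") -> bytes:
    """Constructed fixture: the smallest shell link this parser accepts
    (header plus two Unicode StringData fields), not a real-world sample."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 20, 0x08 | 0x20 | IS_UNICODE)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return bytes(header) + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    for label, blob in (("padded", build_lnk("\n" * 400 + " " * 100 + "/c echo constructed-sample")),
                        ("benign", build_lnk("/c echo hello"))):
        r = analyze_lnk(blob)
        print(label, r["suspicious"], r["longest_whitespace_run"], repr(r["visible_arguments"]))
```

Run against a directory of quarantined attachments, the "visible_arguments" value is what an analyst would see once the padding is stripped, and the whitespace-run length is a far more stable signal than any particular command string, since it is the padding itself, not the payload, that the vulnerability relies on.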
Arctic Wolf said that the CanonStager artifacts found in early September and October 2025 steadily shrank in size from approximately 700 KB to 4 KB, indicating active development and the tool's evolution into a minimal component that achieves its goals while leaving little forensic footprint. Furthermore, in what is seen as a refinement of the malware delivery mechanism, the threat actor, tracked as UNC6384, was found in early September to use an HTML Application (HTA) file to load an external JavaScript that, in turn, retrieves the malicious payloads from a cloudfront[.]net subdomain.
The campaign's focus on European diplomatic entities involved in defense cooperation, cross-border policy coordination, and multilateral diplomatic frameworks aligns with PRC strategic intelligence requirements concerning European alliance cohesion, defense initiatives, and policy coordination mechanisms. This is evident from the use of specific themes around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events.
The use of phishing emails with diplomatic lures to entice recipients into opening a bogus attachment that exploits ZDI-CAN-25373 highlights the growing sophistication of the threat actors involved. The exploitation of an unpatched Windows shortcut vulnerability by China-linked hackers further underscores the need for organizations to prioritize their cybersecurity posture and keep all software up to date with the latest security patches.
In conclusion, this series of attacks by a China-affiliated threat actor shows the importance of staying vigilant in the face of evolving cyber threats. Organizations must prioritize their cybersecurity posture and keep all software up to date with the latest security patches to prevent similar incidents in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/China-Linked-Hackers-Exploit-Windows-Shortcut-Flaw-to-Target-European-Diplomats-ehn.shtml
https://thehackernews.com/2025/10/china-linked-hackers-exploit-windows.html
Published: Fri Oct 31 09:42:12 2025 by llama3.2 3B Q4_K_M