Chinese hackers have been spotted targeting European diplomats using a longstanding Windows shortcut vulnerability that’s been popular with threat groups as far back as 2017.
According to security company Arctic Wolf, whose researchers uncovered the campaign, the attacks consisted of spear-phishing emails sent during September and October to officials working for the governments of Hungary, Belgium, Serbia, Italy, and the Netherlands.
The group suspected of being behind the campaign, which is believed to operate on behalf of the Chinese government, is tracked as UNC6384 by the Google Threat Intelligence Group (GTIG). The same group is believed to have targeted diplomats in several Asian countries earlier in 2025. Its UNC (“uncategorized”) designation might give the impression that it is a newly discovered threat actor.
However, Arctic Wolf said it believed the group’s tactics, techniques, and procedures (TTPs) strongly resemble those of a known Chinese threat group, “Mustang Panda,” which has been active since 2012.
On the face of it, this looks like just another Chinese cyber-espionage campaign against foreign governments. But there is a deeper story: the Windows vulnerability used in the campaign, which Microsoft has so far been unwilling – or unable – to patch.
Ghost flaw
According to Arctic Wolf, the latest campaign used spear-phishing emails with diplomatic themes to lure targets into opening malicious Windows .LNK shortcut files. The vulnerability is a user-interface misrepresentation issue: when a shortcut’s command-line arguments are padded with long runs of whitespace characters, the Windows Properties dialog does not show the real arguments, so malicious commands can be hidden from anyone who inspects the file.
This lets the attackers launch a chain of malicious actions while the victim sees only a decoy PDF: the agenda of a genuine European Commission meeting that was scheduled for Brussels on September 26. The chain ends with the deployment of PlugX, a remote access Trojan that has been in use since 2008 as a backdoor into Windows systems.
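The padding trick is easy to check for once you know where the arguments live in the Shell Link binary format: after the 76-byte header and the optional IDList and LinkInfo structures come the StringData fields, one of which is COMMAND_LINE_ARGUMENTS. The script below is an added example, not code from the article or from Arctic Wolf or Trend Micro: it parses those fields, measures the whitespace runs in the arguments, and flags a file whose real command is pushed out of view. The sample shortcut it builds is constructed for the demonstration (a harmless `calc.exe` placeholder behind 900 padding characters, with ShowCommand set to SW_SHOWMINNOACTIVE, a common choice in malicious shortcuts so no window appears); the threshold of 16 whitespace characters per run is an assumption you may tune.

```python
import re
import struct
import sys

# LinkFlags bits from the MS-SHLLINK Shell Link binary format
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_ORDER = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
# CLSID 00021401-0000-0000-C000-000000000046 as it is stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7
WHITESPACE = "\t\n\x0b\x0c\r "            # tab, LF, VT, FF, CR, space
WHITESPACE_RUN = re.compile(r"[\t\n\x0b\x0c\r ]+")


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip IDList/LinkInfo, return ShowCommand and the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (uint16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize (uint32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": show_command}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def inspect_lnk(data: bytes, max_ws_run: int = 16) -> dict:
    """Flag COMMAND_LINE_ARGUMENTS that hide the real command behind whitespace padding."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    leading = len(args) - len(args.lstrip(WHITESPACE))
    runs = [m.group(0) for m in WHITESPACE_RUN.finditer(args)]
    longest_run = max((len(r) for r in runs), default=0)
    # Control characters such as VT/FF/CR have no legitimate place in shortcut arguments.
    odd_chars = sorted({c for r in runs for c in r if c != " "})
    return {
        "target": fields.get("relative_path") or fields.get("name") or "",
        "leading_whitespace": leading,
        "longest_whitespace_run": longest_run,
        "non_space_padding": [f"0x{ord(c):02x}" for c in odd_chars],
        "hidden_command": args.strip(WHITESPACE),
        "hidden_window": fields["show_command"] == SW_SHOWMINNOACTIVE,
        "padded": longest_run > max_ws_run or bool(odd_chars),
    }


def build_sample_lnk(arguments: str, relative_path: str = r".\cmd.exe",
                     show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Constructed minimal .LNK: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS, no IDList/LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    # Trailing uint32 zero is the TerminalBlock that closes the (empty) ExtraData section.
    return header + string_data(relative_path) + string_data(arguments) + struct.pack("<I", 0)


# Constructed sample, not a real campaign file: 900 padding characters, then a harmless command.
PADDING = "\x20\x09\x0b\x0c\x0d\x0a" * 150
HIDDEN_COMMAND = "/c start calc.exe"
SAMPLE_LNK = build_sample_lnk(PADDING + HIDDEN_COMMAND)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_LNK
    for key, value in inspect_lnk(blob).items():
        print(f"{key}: {value}")
```

Run it with a path to a .LNK file to inspect a real shortcut, or with no arguments to see the constructed sample flagged. Real shortcuts carry an IDList and LinkInfo before the StringData; the parser skips both by their declared sizes, which is why the offsets are not hard-coded beyond the header.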
Trend Micro reported the weakness to Microsoft in September 2024, and it was later assigned the identifier CVE-2025-9491. The company’s Zero Day Initiative (ZDI) tracks it under its own internal ‘candidate’ identifier, ZDI-CAN-25373, and has found evidence of the technique being exploited as far back as 2017.
“The vulnerability has been exploited by state-sponsored APT groups from North Korea, Iran, Russia, and China,” Trend Micro said in a March 2025 blog post.
Despite there being a formal CVE, Microsoft appears reluctant to address the issue. As Trend Micro noted in the same post, “We submitted a proof-of-concept exploit through Trend ZDI’s bug bounty program to Microsoft, who declined to address this vulnerability with a security patch.”
That reluctance probably stems from the fact that CVE-2025-9491/ZDI-CAN-25373 would be difficult to patch without breaking legacy applications that depend on its current design.
Mitigation
In the absence of a patch, organizations worried about .LNK attacks should consider blocking .LNK files or disabling their execution in Windows Explorer, Arctic Wolf advised.
“This should be put in place across all Windows systems, prioritizing endpoints used by personnel with access to sensitive diplomatic or policy information. While this vulnerability was disclosed in March 2025, adoption by threat actors within months of disclosure necessitates urgent monitoring and countermeasures,” it said.
Organizations can also block the command-and-control (C2) domains used by the attackers, although these change over time. In addition, Arctic Wolf recommends that IT teams hunt for the legitimate, signed Canon printer assistant utility cnmpaui.exe, which the campaign abuses to side-load its malicious DLL and ultimately run PlugX; a copy found outside a genuine Canon installation is worth investigating.
“The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting,” Arctic Wolf noted, adding that the speed with which UNC6384 adopted the flaw after it was publicised earlier in 2025 suggests the group has access to advanced capabilities and resources.
It’s not as if attacks exploiting Windows shortcut files, in one form or another, are new or innovative. During 2025 alone they have been used in Russian campaigns against Ukraine, in Chinese attacks delivering the Remcos RAT, and in attacks on companies in the United Arab Emirates (UAE). In June the technique was used to hide payloads in attacks that abused the Cloudflare Tunnel service. The real issue is that this kind of flaw, which abuses an otherwise useful feature, is simply hard to patch.
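The third mitigation, hunting for the Canon utility, is the one most easily turned into a repeatable check. The script below is an added example, not Arctic Wolf’s code or tooling: it walks a directory tree, reports every copy of cnmpaui.exe, and marks as suspicious any copy outside the place a genuine install would put it, noting whether a same-stem DLL (the classic side-loading layout) sits beside it. The expected install location under a Canon folder in Program Files is an assumption, and the directory tree the demo builds is constructed for the run, with placeholder bytes rather than real binaries.

```python
import os
import tempfile
from pathlib import Path

# Assumed, not taken from the Arctic Wolf report: a genuine copy of the utility lives
# under a Canon folder in Program Files. Anything elsewhere is a candidate for review.
LURE_EXECUTABLES = {"cnmpaui.exe"}
EXPECTED_PARENTS = ("\\program files\\canon\\", "\\program files (x86)\\canon\\")


def hunt_sideload_candidates(root: str) -> list:
    """Walk `root`, report each lure executable found, and flag copies outside the expected path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for exe in LURE_EXECUTABLES:
            if exe not in by_lower:
                continue
            exe_path = Path(dirpath) / by_lower[exe]
            # Normalise separators so the same check works on Windows and on a mounted image.
            norm = "\\" + str(exe_path).replace("/", "\\").lower()
            stem = exe.rsplit(".", 1)[0]
            in_expected = any(parent in norm for parent in EXPECTED_PARENTS)
            findings.append({
                "path": str(exe_path),
                "outside_expected_path": not in_expected,
                "same_stem_dll_beside_it": f"{stem}.dll" in by_lower,  # side-load layout
                "suspicious": not in_expected,
            })
    return findings


def build_demo_tree() -> str:
    """Constructed layout for a dry run: one genuine-looking install and one dropped copy
    sitting beside a same-stem DLL in a user's temp folder. Contents are placeholders."""
    root = tempfile.mkdtemp(prefix="lnk-hunt-")
    layout = {
        "Program Files/Canon/PrinterAssistant/cnmpaui.exe": b"MZ placeholder (genuine location)",
        "Users/diplomat/AppData/Local/Temp/cnmpaui.exe": b"MZ placeholder (dropped copy)",
        "Users/diplomat/AppData/Local/Temp/cnmpaui.dll": b"MZ placeholder (side-loaded DLL)",
    }
    for rel, content in layout.items():
        target = Path(root, *rel.split("/"))
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    for finding in hunt_sideload_candidates(build_demo_tree()):
        print(finding)
```

Point `hunt_sideload_candidates` at a system drive or a mounted forensic image instead of the demo tree; the `same_stem_dll_beside_it` field is the detail to look at first when a copy turns up somewhere unexpected.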