
Hackers are actively exploiting a Windows zero-day vulnerability for which Microsoft has not yet released a security fix.
-
Chinese-affiliated threat actor UNC6384 is targeting European diplomats with spearphishing campaigns that deliver malicious .LNK files.
-
Multiple threat groups are exploiting the same vulnerability, underscoring its seriousness despite Microsoft's assessment that it does not warrant an emergency patch.
A Chinese-affiliated threat actor tracked as UNC6384 targeted European diplomats in Belgium, Hungary, and other European states in September and October 2025. The group abused a Windows zero-day vulnerability, CVE-2025-9491, to run attacker-controlled code on targeted systems once a victim opened a crafted shortcut (.LNK) file.
According to cybersecurity firm Arctic Wolf Labs, the attack chain began with spearphishing emails containing an embedded URL that aimed to deliver malicious .LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events.
The link led to a fake Microsoft login page from which the target could download a ZIP archive containing a malicious .LNK file. When the target opened the shortcut, a genuine PDF was displayed as a decoy while the PlugX remote access trojan was installed in the background. PlugX gives the operators remote control of the host and lets them exfiltrate sensitive data from it, including communications.
“These files exploit the recently disclosed Windows vulnerability to execute obfuscated PowerShell commands that extract and deploy a multi-stage malware chain, culminating in PlugX remote access trojan (RAT) deployment through DLL side-loading of legitimate signed Canon printer assistant utilities,” security researchers say.
The espionage campaign is attributed to UNC6384, a Chinese state-backed group with well-established ties to People's Republic of China (PRC) hacking groups such as Mustang Panda, also tracked as TEMP.Hex. UNC6384 specializes in deploying variants of the PlugX malware.
“Arctic Wolf Labs assesses with high confidence that this campaign is attributable to UNC6384. This attribution is based on multiple converging lines of evidence, including malware tooling, tactical procedures, targeting alignment, and infrastructure overlaps with previously documented UNC6384 operations,” the cybersecurity company states.
The vulnerability was first discovered and analyzed by Trend Micro's Zero Day Initiative in March 2025, where it was tracked as ZDI-CAN-25373. Researchers found that it was already being exploited by numerous threat groups, both state-aligned and criminal, including Evil Corp, Mustang Panda, SideWinder, and APT37. Microsoft, however, said the issue did not meet its bar for an emergency patch.
At the time of writing, there is no official patch for the vulnerability. Users and administrators are therefore advised to treat .LNK files from untrusted sources with suspicion (for example by blocking shortcut files inside email attachments and archives at the gateway) and to block connections to the command-and-control infrastructure identified by Arctic Wolf Labs. The flaw works by padding a shortcut's command-line arguments with whitespace so that the real command is pushed out of view in the Windows Explorer Properties dialog, so defenders can also hunt for .LNK files whose argument field begins with long runs of whitespace.
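To turn that hunting advice into something runnable, here is an added example in Python (not code from Cybernews, Trend Micro, or Arctic Wolf Labs) that parses the MS-SHLLINK header and StringData fields of a .LNK file and flags argument fields carrying the leading whitespace padding this flaw relies on, as well as shortcut targets that point at PowerShell and other script hosts. The shortcuts it analyzes are constructed inline to exercise the parser and are not files from the campaign; the 64-character padding threshold and the interpreter list are assumptions to tune, and the PowerShell command and file paths in the padded sample are placeholders, not indicators from the Arctic Wolf report.

```python
"""Triage Windows shortcut (.LNK) files for the whitespace-padded command
line that CVE-2025-9491 / ZDI-CAN-25373 abuses. Added example; all sample
shortcuts below are constructed, not files from the UNC6384 campaign."""
import struct

# MS-SHLLINK: fixed 76-byte ShellLinkHeader, CLSID {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Whitespace characters used to push the real arguments out of the Properties dialog
PAD_CHARS = " \t\n\x0b\x0c\r"
# Script hosts and LOLBins worth flagging in a shortcut target (assumed list; extend as needed)
LOLBINS = ("powershell", "pwsh", "cmd.exe", "mshta", "rundll32",
           "wscript", "cscript", "regsvr32", "certutil")


def _string_data(text: str, unicode: bool) -> bytes:
    """StringData entry: CountCharacters (uint16) followed by the characters, no terminator."""
    encoded = text.encode("utf-16-le") if unicode else text.encode("cp1252")
    return struct.pack("<H", len(text)) + encoded


def build_lnk(relative_path: str, arguments: str, unicode: bool = True) -> bytes:
    """Construct a minimal shortcut (header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS).
    Enough structure to exercise the parser; not a complete, double-clickable shortcut."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII",
                         HEADER_SIZE, LNK_CLSID, flags,
                         0x20,        # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,     # Creation/Access/Write FILETIME
                         0, 0,        # FileSize, IconIndex
                         1,           # ShowCommand: SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1, Reserved2, Reserved3
    return header + _string_data(relative_path, unicode) + _string_data(arguments, unicode)


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip LinkTargetIDList/LinkInfo, and return the StringData fields."""
    header_ok = (len(data) >= HEADER_SIZE
                 and struct.unpack_from("<I", data, 0)[0] == HEADER_SIZE
                 and data[4:20] == LNK_CLSID)
    if not header_ok:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (uint16) precedes the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (uint32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
        pos += nbytes
    return fields


def analyze_lnk(data: bytes, pad_threshold: int = 64) -> dict:
    """Flag leading whitespace padding in the arguments and well-known script hosts.
    pad_threshold is an assumed cut-off; benign shortcuts rarely lead with any padding."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    visible = args.lstrip(PAD_CHARS)
    leading_pad = len(args) - len(visible)
    invocation = (fields.get("relative_path", "") + " " + visible).lower()
    lolbin = next((name for name in LOLBINS if name in invocation), None)
    return {
        "leading_pad_chars": leading_pad,
        "padded_arguments": leading_pad >= pad_threshold,
        "lolbin": lolbin,
        "hidden_command": visible.strip(),
        "suspicious": leading_pad >= pad_threshold or lolbin is not None,
    }


# Constructed samples: a benign shortcut and one padded the way the exploit does it
BENIGN = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", r"C:\Users\Public\notes.txt")
PADDED = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    " " * 300 + "\t" * 20
    + r'-nop -w hidden -c "Start-Process $env:PUBLIC\decoy.pdf; & $env:PUBLIC\stage2.exe"',
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, analyze_lnk(blob))
```

Run it against files pulled from mail quarantine or user Downloads folders; a shortcut whose arguments begin with hundreds of whitespace characters and then invoke powershell.exe with a hidden window is the pattern described above, and the `hidden_command` field shows the operator what the Properties dialog would not.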