Cyber spies linked to the Chinese government exploited a Windows shortcut vulnerability disclosed in March – but that Microsoft hasn’t fixed yet – to target European diplomats in an effort to steal defense and national security details.
Security firm Arctic Wolf attributed the espionage campaign to UNC6384 (aka Mustang Panda, Twill Typhoon), and in research published Thursday detailed how the suspected PRC spies used social engineering and the Windows flaw to deploy PlugX malware against personnel attending diplomatic conferences in September and October.
“This campaign demonstrates UNC6384’s capability for rapid vulnerability adoption within six months of public disclosure, advanced social engineering leveraging detailed knowledge of diplomatic calendars and event themes, and operational expansion from traditional Southeast Asia targeting to European diplomatic entities,” the Arctic Wolf Labs threat research team said.
[…]
Zero Day Initiative threat hunter Peter Girnus discovered and reported this flaw to Microsoft in March, and said it had been abused as a zero-day as far back as 2017, with 11 state-sponsored groups from North Korea, Iran, Russia, and China abusing ZDI-CAN-25373 for cyber espionage and data theft purposes.
Blame ZDI-CAN-25373
The attacks begin with phishing emails using very specific themed lures around European defense and security cooperation and cross-border infrastructure development. Those emails delivered a weaponized LNK file which exploited ZDI-CAN-25373 (aka CVE-2025-9491), a Windows shortcut vulnerability, to let the attackers secretly execute commands by adding whitespace padding within the LNK file’s COMMAND_LINE_ARGUMENTS structure.
The malicious files, such as one named Agenda_Meeting 26 Sep Brussels.lnk, use diplomatic conference themes as lures along with a decoy PDF document, in this case displaying a real European Commission meeting agenda on facilitating the free movement of goods at border crossing points between the EU and Western Balkan countries.
The LNK file, when executed, invokes PowerShell to decode and extract a tar (tape archive) archive containing three files to enable the attack chain via DLL side-loading, a malware delivery technique favored by several Chinese government crews, including Salt Typhoon.
DLL sideloading exploits the Windows DLL search order by tricking an application into loading a malicious DLL instead of the legitimate one.
The three files include a legitimate, but expired, Canon printer assistant utility with a valid digital signature issued by Symantec. Although the certificate expired in April 2018, Windows trusts binaries whose signatures include a valid timestamp, so this allows the attackers to bypass security tools and deliver malware using DLL sideloading.
The malicious DLL functions as a loader to decrypt and execute the third file in the archive, cnmplog.dat, which contains the encrypted PlugX payload.
PlugX, which has been around since at least 2008, is a Remote Access Trojan (RAT) that gives attackers all the remote access capabilities including command execution, keylogging, file uploading and downloading, persistent access, and system reconnaissance.
“This three-stage execution flow completes the deployment of PlugX malware running stealthily within a legitimate signed process, significantly reducing the likelihood of detection by endpoint security solutions,” the researchers wrote.
[…]
Source: Suspected Chinese snoops weaponize unpatched Windows flaw • The Register
