Windows 0-day exploited to hack European diplomats

The China-linked hacking group UNC6384 (aka Mustang Panda) is conducting a large-scale cyber-espionage campaign targeting European diplomatic and government entities. According to Arctic Wolf and StrikeReady, the hackers are exploiting an unpatched Windows vulnerability related to LNK shortcuts.

Attacks were observed in Hungary, Belgium, Italy, the Netherlands, and Serbia between September and October 2025.

According to the researchers, the attacks begin with targeted phishing emails containing URLs to malicious LNK files. The subjects of these emails are typically related to NATO workshops on defense procurement, European Commission meetings on streamlining border control, and other multilateral diplomatic events.

The malicious files exploit CVE-2025-9491 (CVSS score 7.0), a vulnerability triggered when Windows processes shortcut files. The bug allows attackers to hide malicious command-line arguments inside .LNK files by using whitespace padding in the COMMAND_LINE_ARGUMENTS structure. The result is arbitrary code execution on vulnerable devices without the user’s knowledge.

If the victim opens such a file, a PowerShell command is executed that decodes and extracts the contents of a TAR archive while simultaneously displaying a PDF lure to the user. The archive contains the legitimate Canon Printer Assistant utility, a malicious DLL named CanonStager, and an encrypted payload of the PlugX malware (cnmplog.dat), which is deployed using the DLL side-loading technique.
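As an added defender-side example (not code from the article, from Arctic Wolf, or from StrikeReady), the following Python script parses the StringData section of a Windows shortcut according to the public MS-SHLLINK layout and flags a COMMAND_LINE_ARGUMENTS field that contains a long run of whitespace, the padding pattern described above. The whitespace threshold, the function names and the two constructed sample shortcuts are assumptions of this example; it also reports the arguments with the padding collapsed so an analyst can see what the shortcut would actually pass to its target.

```python
import re
import struct

# LinkFlags bits and header constants from the public MS-SHLLINK format.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# StringData fields follow LinkInfo in this fixed order, each present only if its flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def parse_lnk_strings(data: bytes) -> dict:
    """Minimal .lnk parser: validate the header, skip IDList/LinkInfo, return StringData."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} string")
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


def longest_whitespace_run(text: str) -> int:
    return max((len(m.group(0)) for m in re.finditer(r"\s+", text)), default=0)


def flag_padded_arguments(data: bytes, threshold: int = 16) -> dict:
    """Report whether the shortcut's arguments carry a whitespace run of at least `threshold` chars."""
    args = parse_lnk_strings(data).get("arguments", "")
    run = longest_whitespace_run(args)
    return {
        "arguments_length": len(args),
        "longest_whitespace_run": run,
        "suspicious": run >= threshold,          # threshold is an assumption of this example
        "collapsed_arguments": " ".join(args.split()),  # arguments with the padding removed
    }


def build_lnk(arguments: str, relative_path: str = "", unicode: bool = True) -> bytes:
    """Construct a minimal shortcut containing only StringData (test input, not a real sample)."""
    flags = HAS_ARGUMENTS | (HAS_RELATIVE_PATH if relative_path else 0) | (IS_UNICODE if unicode else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3.
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        raw = s.encode("utf-16-le") if unicode else s.encode("cp1252")
        return struct.pack("<H", len(s)) + raw

    body = string_data(relative_path) if relative_path else b""
    return header + body + string_data(arguments)


# Constructed samples: a plain shortcut, and one whose short visible arguments are
# followed by 300 spaces before the part that would actually run.
SAMPLE_BENIGN = build_lnk("/c echo benign", relative_path=".\\tool.exe")
SAMPLE_PADDED = build_lnk("/c" + " " * 300 + "echo padded-sample")

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("padded", SAMPLE_PADDED)):
        print(label, flag_padded_arguments(sample))
```

The parser deliberately stops after StringData; the ExtraData blocks that follow are not needed for this check. Running the script over a directory of quarantined shortcuts, or wiring `flag_padded_arguments` into a mail-gateway or EDR file hook, gives a cheap signal that complements the Defender detections Microsoft refers to below.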

PlugX (also known as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG) is a remote access trojan (RAT) that gives attackers full control over an infected system. The malware can execute commands, capture keystrokes, upload and download files, establish persistence by modifying the Windows Registry, and conduct extensive reconnaissance.

PlugX’s modular architecture allows its operators to extend the trojan’s functionality through plugins designed for specific tasks. The malware also uses anti-analysis and anti-debugging techniques to make investigation more difficult and remain undetected.

Arctic Wolf researchers report an evolution in the attackers’ toolkit: CanonStager artifacts have shrunk from 700 KB to 4 KB, indicating active development and an effort to minimize the digital footprint. They also note that in early September the group began using HTML Application (HTA) files to load JavaScript that retrieves payloads from a cloudfront[.]net subdomain.

Notably, the CVE-2025-9491 issue has existed since at least 2017 and is actively used by numerous hacking groups. Public discussion of the bug’s exploitation first surfaced in March 2025. At that time, Trend Micro analysts discovered that the vulnerability was being widely used by eleven “government” hacking groups and other cybercriminals, including Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, and Konni.

However, despite widespread exploitation, Microsoft developers have yet to release a patch for CVE-2025-9491. In March, company representatives said they would “consider addressing the issue,” but noted that the vulnerability does not fall into the category requiring immediate intervention. Microsoft also noted that Defender includes detections to block such activity, and Smart App Control provides additional protection.

Since there is still no official patch, Arctic Wolf specialists recommend restricting or blocking the use of LNK files in Windows, blocking connections to the hackers’ command-and-control infrastructure identified by the researchers, and strengthening monitoring for suspicious activity across networks.