Chinese-linked Hackers Exploit Windows Flaw To Spy On Belgian ...

Researchers at Arctic Wolf Labs have discovered a cyber espionage campaign targeting European diplomatic entities in Hungary, Belgium and additional European nations.

The activity was observed in September and October 2025 and attributed to UNC6384, a cluster likely linked to Chinese-affiliated group Mustang Panda, also known as TEMP.Hex.

The campaign included refined social engineering leveraging authentic diplomatic conference themes as well as the exploitation of ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025, said an Arctic Wolf report, published on October 30.

The threat actor deployed a multi-stage malware chain that culminated in the PlugX remote access trojan (RAT), a payload typical of Chinese-affiliated threat actors.

The attack begins with targeted spear phishing emails themed around diplomatic meetings and conferences.

These spear phishing emails lead to the delivery of malicious LNK files, which exploit ZDI-CAN-25373, a Windows shortcut vulnerability that allows the threat actor to execute commands covertly by adding whitespace padding within the COMMAND_LINE_ARGUMENTS structure.
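As an added illustration (not code from the Arctic Wolf report), the check below walks the StringData section of a Shell Link (.lnk) file and flags a COMMAND_LINE_ARGUMENTS string that carries a long run of whitespace, the padding pattern described above. The padding threshold and the minimal sample file built by `build_sample_lnk` are constructed for this example.

```python
import re
import struct

HEADER_SIZE = 0x4C                                   # fixed ShellLinkHeader size
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO = 0x01, 0x02
FLAG_HAS_ARGS, FLAG_IS_UNICODE = 0x20, 0x80
# StringData entries appear in this order, each only if its LinkFlags bit is set
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
PAD_RUN = re.compile(r"[ \t\r\n\x0b\x0c]+")
PAD_THRESHOLD = 32   # constructed threshold; benign shortcuts rarely contain long runs

def parse_string_data(lnk: bytes) -> dict:
    """Return the StringData strings of a .lnk file, keyed by field name."""
    if len(lnk) < HEADER_SIZE or lnk[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", lnk, 20)[0]
    off = HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:              # IDListSize counts the list, not itself
        off += 2 + struct.unpack_from("<H", lnk, off)[0]
    if flags & FLAG_HAS_LINKINFO:            # LinkInfoSize includes its own 4 bytes
        off += struct.unpack_from("<I", lnk, off)[0]
    out = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", lnk, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & FLAG_IS_UNICODE:
            out[name] = lnk[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            out[name] = lnk[off:off + count].decode("latin-1")
            off += count
    return out

def longest_padding_run(arguments: str) -> int:
    """Length of the longest whitespace run anywhere in the argument string."""
    return max((len(m.group()) for m in PAD_RUN.finditer(arguments)), default=0)

def is_suspicious(lnk: bytes) -> bool:
    args = parse_string_data(lnk).get("arguments", "")
    return longest_padding_run(args) >= PAD_THRESHOLD

def build_sample_lnk(arguments: str) -> bytes:
    """Constructed minimal .lnk: header plus COMMAND_LINE_ARGUMENTS only (test fixture)."""
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID
    header += struct.pack("<I", FLAG_HAS_ARGS | FLAG_IS_UNICODE)
    header = header.ljust(HEADER_SIZE, b"\x00")
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Real lures also carry an IDList and LinkInfo, which the parser skips by their size fields before reading the strings.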

When executed, the LNK file invokes PowerShell with an obfuscated command that decodes a tar archive file named rjnlzlkfe.ta and saves it to the AppData\Local\Temp directory. The PowerShell command then extracts the archive using tar.exe -xvf and launches the contained cnmpaui.exe file.

In parallel, each LNK file opened a decoy PDF document using diplomatic conference themes as lures. One of the shortcuts, Agenda_Meeting 26 Sep Brussels.lnk, references a European Commission meeting on facilitating the free movement of goods at EU-Western Balkans border crossing points that was scheduled for September 26, 2025, in Brussels.

The extracted tar archive contains three critical files that enable the attack chain through DLL side-loading, a technique that abuses the Windows DLL search order to load malicious code through legitimate applications.

These include a legitimate Canon printer assistant utility that carries a digital signature from Canon Inc., signed with a certificate issued by the Symantec Class 3 SHA256 Code Signing CA. Although the certificate expired in 2018, Windows still recognizes the signature.

Source: InfoSecurity Magazine