
Windows Flaw Exploited In Attacks Linked to Mustang Panda

A Chinese threat actor has been exploiting an unpatched Windows shortcut vulnerability in recent attacks aimed at the diplomatic community across Europe, according to a report from Arctic Wolf.

The Unpatched Windows Flaw

The exploited security flaw, tracked as CVE-2025-9491, is classified as a user interface (UI) misrepresentation issue. The core problem is that Windows fails to display critical security information when a user inspects the file's properties. This missing information could otherwise provide evidence of malicious activity.

The attacks observed by Arctic Wolf involve distributing LNK files designed to execute malicious code the moment the victim opens them. The attackers exploit CVE-2025-9491 to ensure the malicious code remains invisible to a user who attempts to look at the file's properties for inspection.
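Because the Properties dialog cannot be trusted to reveal what an LNK file will run, a defender can read the Shell Link binary format (MS-SHLLINK) directly and triage the command-line arguments. The following is an added example, not code from the article or from Arctic Wolf; the thresholds in `suspicious_arguments` are assumed heuristics, and the sample LNK is constructed here rather than taken from the campaign.

```python
import re
import struct

# Minimal MS-SHLLINK reader: fixed 76-byte header, optional LinkTargetIDList and
# LinkInfo blocks, then the StringData section holding the arguments a user
# would expect to see under Properties.
HEADER_SIZE = 0x4C
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON))


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk keyed by field name."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 20)[0]          # LinkFlags follows the CLSID
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize counts itself
    out = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, no NUL
        pos += 2
        if flags & IS_UNICODE:
            out[name] = data[pos:pos + 2 * count].decode("utf-16-le"); pos += 2 * count
        else:  # ANSI strings use the system code page; latin-1 is an assumption here
            out[name] = data[pos:pos + count].decode("latin-1"); pos += count
    return out


def suspicious_arguments(args: str, max_visible: int = 260, pad_run: int = 50) -> list:
    """Assumed triage heuristics: arguments a reader of the dialog would not see."""
    reasons = []
    if len(args) > max_visible:
        reasons.append("arguments exceed what the Properties target field displays")
    if re.search(r"\s{%d,}" % pad_run, args):
        reasons.append("long whitespace run pushes the real command out of view")
    if "powershell" in args.lower():
        reasons.append("invokes PowerShell")
    return reasons


def triage(data: bytes) -> list:
    return suspicious_arguments(parse_lnk_strings(data).get("arguments", ""))


def build_sample_lnk(arguments: str) -> bytes:
    """Constructed sample: Unicode RelativePath + Arguments, no IDList/LinkInfo."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # CLSID_ShellLink
    flags = HAS_REL_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, clsid, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd("..\\..\\Windows\\System32\\cmd.exe") + sd(arguments)


# Constructed sample: innocuous-looking start, then padding, then a benign
# PowerShell call standing in for the payload the dialog would hide.
SAMPLE_LNK = build_sample_lnk("/c echo Agenda" + " " * 300 + "& powershell -c Get-Date")
```

Run `triage(SAMPLE_LNK)` to get the three findings; a plain `/c echo hello` shortcut yields an empty list.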

The vulnerability was reported to Microsoft by Trend Micro’s Zero Day Initiative (ZDI) in September 2024. However, Microsoft declined to release a patch, stating that the issue did not meet the bar for servicing. In line with its disclosure policy, ZDI publicly released information on the vulnerability in March of this year.

At that time, ZDI warned that 11 state-sponsored APT groups from countries including North Korea, Russia, China, and Iran were already abusing specially crafted LNK files in attacks targeting critical sectors like defense, energy, government, and finance. Microsoft countered in March that users rarely inspect file properties for malicious code and claimed its Defender product was capable of detecting this technique. The tech giant also noted that opening such a file downloaded from the internet should automatically trigger a security warning.

Targeting European Diplomats

Arctic Wolf now reports that UNC6384, a Chinese threat actor linked to the Mustang Panda APT, has been actively exploiting CVE-2025-9491 in attacks since September 2025. This group is also tracked under names such as Basin and Twill Typhoon.

The hacking group is targeting European diplomats with spear phishing emails containing an embedded URL. This URL initiates an infection chain that ultimately delivers the PlugX remote access trojan (RAT).

At one stage of the infection, malicious LNK files are dropped onto the victim's system. These files are typically themed around sensitive topics such as European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events to encourage the victim to open them.

The exploit allows UNC6384 to execute PowerShell commands, drop a legitimate signed Canon printer utility, and then abuse that utility to execute PlugX via DLL sideloading.

Arctic Wolf Labs assesses with high confidence that the campaign is attributable to UNC6384, based on converging evidence including the malware tooling, tactical procedures, targeting alignment, and infrastructure overlaps with previously documented operations by the group.

In September and October, Arctic Wolf observed UNC6384 exploiting the bug in attacks aimed at Hungarian and Belgian diplomatic personnel. The company also linked the campaign to the targeting of Serbian government aviation departments and diplomatic entities in both Italy and the Netherlands.