Chinese-affiliated threat actor UNC6384 has been actively leveraging a critical Windows shortcut vulnerability to target European diplomatic entities across Hungary, Belgium, Serbia, Italy, and the Netherlands.<\/p>\n
Arctic Wolf researchers identified this sophisticated cyber espionage campaign operating throughout September and October 2025, representing a significant evolution in the group\u2019s operational capabilities and geographic reach.<\/p>\n
The attack begins with carefully crafted spearphishing emails containing URLs that deliver malicious LNK files<\/a> disguised as legitimate diplomatic conference agendas.<\/p>\n These files reference authentic European Commission meetings, NATO defense procurement workshops, and multilateral coordination events.<\/p>\n When users click these seemingly innocent shortcuts, a critical flaw in Windows shortcut handling enables silent command execution that most detection systems fail to catch.<\/p>\n UNC6384 rapidly adopted the ZDI-CAN-25373 vulnerability within just six months of its March 2025 public disclosure, demonstrating exceptional operational agility and vulnerability tracking capabilities.<\/p>\n Arctic Wolf analysts detected<\/a> the malware after the second paragraph of research, noting the sophisticated infection mechanism that builds a complex multi-stage attack chain designed to evade traditional security defenses.<\/p>\n The exploitation mechanism cleverly abuses whitespace padding within the LNK file\u2019s COMMAND_LINE_ARGUMENTS structure to hide malicious commands from user visibility.<\/p>\n Upon execution, the compromised shortcut silently invokes PowerShell to extract and decompress a tar archive containing three critical components: a legitimate, digitally signed Canon printer utility, a malicious DLL loader, and an encrypted PlugX remote access trojan payload.<\/p>\n The attack chain employs DLL side-loading<\/a>, exploiting standard Windows library search order processes. When the Canon executable launches, it instinctively searches for supporting libraries in its local directory before checking system folders.<\/p>\n The malicious DLL positioned there transparently loads, then decrypts the PlugX payload using a hardcoded RC4 key and injects it directly into the legitimate process\u2019s memory space, creating a nearly undetectable persistent backdoor.<\/p>\n The PlugX malware establishes encrypted HTTPS command and control connections using randomized parameters across multiple redundant domains including racineupci[.]org and dorareco[.]net.<\/p>\n The malware creates hidden persistence directories with spoofed names like \u201cSamsungDriver\u201d and modifies Windows registry Run keys, ensuring continued access across system restarts.<\/p>\n This campaign demonstrates nation-state level sophistication, combining zero-day exploitation knowledge with meticulous social engineering<\/a> targeting specific diplomatic personnel and events, representing a substantial intelligence collection threat to European government operations.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Hackers Weaponizing Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEihzM916W9n2_oUkD6t5CvR72c0OkZQ-Hsst3-yxCinsXvuFpf_Ghpbj73icnS6oh2_AdF57ib6hMdHiFJ8MbmKt2mfABvsHEIrDXfyRiN2PPCqa43uq3Kjw2Nj4Bqh5djL8VydMonrKsdI6MHao7MYbF2JL8BTZpuj3hjlK9QR_hPWfaOm1zQzuhSbmNA\/s16000\/Execution%2520chain%2520%28Source%2520-%2520Arctic%2520Wolf%29.webp?ssl=1\")
Technical Infection Mechanism and Payload Delivery<\/strong><\/h2>\n