Subj : Chinese hackers target Eu
To   : All
From : Mike Powell
Date : Tue Nov 04 2025 09:19:23

Chinese hackers target European diplomats with Windows zero-day flaw

Date:
Mon, 03 Nov 2025 15:19:00 +0000

Description:
Hungarian and Serbian diplomats targeted despite their country's good
relationship with China.

FULL STORY

Chinese state-sponsored threat actors have been abusing a Windows zero-day
vulnerability to target diplomats across the European continent, security
researchers are warning. 

Security researchers Arctic Wolf Labs recently said they observed a
nation-state actor known as Mustang Panda (UNC6384) sending out 
spear-phishing emails to diplomats in Hungary, Belgium, Serbia, Italy, and 
the Netherlands. 

Curiously enough, among the victims are Hungary and Serbia, two countries who
have strong ties with China and are, in many things, considered Chinese 
allies and partners - although in August 2025 it was revealed that China was
spying on yet another major ally - Russia .

Abusing .LNK files 

The phishing emails were themed around NATO defense procurement workshops,
European Commission border facilitation meetings, and other similar 
diplomatic events, the researchers explained. 

These carried a malicious .LNK file which, through the abuse of 
CVE-2025-9491, was built to deploy a Remote Access Trojan (RAT) called PlugX.
This RAT gives its operators persistent access to the compromised system, as
well as the ability to eavesdrop on communication, exfiltrate files, and 
more. 

The bug stems from the way Windows handles shortcut files and is described as
a UI misrepresentation issue in the Shell Link mechanism. It lets a crafted
..LNK file hide the real command line so a different, malicious command runs
when the user runs, or previews, the shortcut. 

Since exploitation requires user interaction, the bug was given a relatively
low severity score of 7.8/10 (high). Still, researchers found hundreds
(possibly even thousands) of .LNK samples, tying the flaw to long-running
espionage campaigns, with some examples dating back to 2017. 

"Arctic Wolf Labs assesses with high confidence that this campaign is
attributable to UNC6384, a Chinese-affiliated cyber espionage threat actor,"
the researchers said. 

"This attribution is based on multiple converging lines of evidence including
malware tooling, tactical procedures, targeting alignment, and infrastructure
overlaps with previously documented UNC6384 operations." 

 Via BleepingComputer 

======================================================================
Link to news story:
https://www.techradar.com/pro/security/chinese-hackers-target-european-diploma
ts-with-windows-zero-day-flaw

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)

.