Suspected Chinese snoops weaponize unpatched Windows flaw to spy on European diplomats
- Reference: 1761852013
- News link: https://www.theregister.co.uk/2025/10/30/suspected_chinese_snoops_abuse_unpatched/
Security firm Arctic Wolf attributed the espionage campaign to UNC6384 (aka Mustang Panda, Twill Typhoon), and in research published Thursday detailed how the suspected PRC spies used social engineering and the Windows flaw to deploy PlugX malware against personnel attending diplomatic conferences in September and October.
"This campaign demonstrates UNC6384's capability for rapid vulnerability adoption within six months of public disclosure, advanced social engineering leveraging detailed knowledge of diplomatic calendars and event themes, and operational expansion from traditional Southeast Asia targeting to European diplomatic entities," the Arctic Wolf Labs threat research team [1]said.
[3]UNC6384 is a suspected Beijing-backed crew that, according to Google's Threat Intelligence Group, targeted diplomats in Southeast Asia earlier this year before ultimately deploying the [4]PlugX backdoor – a [5]long-time favorite of Beijing-backed goon squads that allows them to remotely access and control infected machines, steal files, and deploy additional malware.
In its latest campaign, UNC6384 targeted diplomats in Belgium, Hungary, Italy, and the Netherlands, along with Serbian government aviation departments during September and October 2025, according to Arctic Wolf.
Zero Day Initiative threat hunter [8]Peter Girnus discovered and reported this flaw to Microsoft in March, and said it had been [9]abused as a zero-day as far back as 2017, with 11 state-sponsored groups from North Korea, Iran, Russia, and China abusing ZDI-CAN-25373 for cyber espionage and data theft purposes.
Blame ZDI-CAN-25373
The attacks begin with phishing emails using very specific themed lures around European defense and security cooperation and cross-border infrastructure development. Those emails delivered a weaponized LNK file which exploited ZDI-CAN-25373 (aka [10]CVE-2025-9491), a Windows shortcut vulnerability, to let the attackers secretly execute commands by adding whitespace padding within the LNK file's COMMAND_LINE_ARGUMENTS structure, so that the real command is pushed out of view when a user inspects the shortcut.
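As an added defender's example, not code from the article or from Arctic Wolf, a Python parser that reads COMMAND_LINE_ARGUMENTS out of a shortcut following the MS-SHLLINK on-disk layout and flags long whitespace runs of the kind described above. The two sample shortcuts are constructed fixtures carrying a harmless echo command, and the 32-character run threshold is an assumption to tune against your own shortcut population.

```python
"""Flag .lnk files whose COMMAND_LINE_ARGUMENTS hide the command behind whitespace (MS-SHLLINK)."""
import struct

HEADER_SIZE = 0x4C          # ShellLinkHeader is always 76 bytes; LinkFlags sits at offset 20
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
STRING_ORDER = (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON)  # fixed on-disk order
WHITESPACE = " \t\r\n\x0b\x0c"

def _string_data(buf, off, unicode):
    """One StringData field: uint16 CountCharacters, then that many chars (UTF-16LE if IsUnicode)."""
    (count,) = struct.unpack_from("<H", buf, off)
    width = 2 if unicode else 1
    raw = buf[off + 2:off + 2 + count * width]
    return raw.decode("utf-16-le" if unicode else "cp1252"), off + 2 + count * width

def lnk_arguments(buf):
    """Return COMMAND_LINE_ARGUMENTS, or None when the HasArguments flag is clear."""
    (flags,) = struct.unpack_from("<I", buf, 20)
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:                 # LinkTargetIDList: uint16 IDListSize + items
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:               # LinkInfo: uint32 LinkInfoSize (includes itself)
        off += struct.unpack_from("<I", buf, off)[0]
    args = None
    for flag in STRING_ORDER:
        if flags & flag:
            value, off = _string_data(buf, off, bool(flags & IS_UNICODE))
            if flag == HAS_ARGS:
                args = value
    return args

def longest_whitespace_run(text):
    run = best = 0
    for ch in text:
        run = run + 1 if ch in WHITESPACE else 0
        best = max(best, run)
    return best

def is_padded_lnk(buf, min_run=32):
    args = lnk_arguments(buf)
    return bool(args) and longest_whitespace_run(args) >= min_run   # padding hides the command

def make_test_lnk(args):
    """Constructed fixture: minimal shortcut with only HasArguments|IsUnicode set, no other blocks."""
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_ARGS | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
BENIGN = make_test_lnk("/c echo hello")                       # ordinary shortcut arguments
PADDED = make_test_lnk("/c" + " " * 300 + "echo hello")       # harmless command, hidden by padding
```

Run `is_padded_lnk(open(path, "rb").read())` over a mail gateway's or file share's .lnk attachments; CountCharacters is a uint16, so a single StringData field can carry up to 65535 characters of padding.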
The malicious files, such as one named Agenda_Meeting 26 Sep Brussels.lnk, use diplomatic conference themes as lures along with a decoy PDF document, in this case displaying a real European Commission meeting agenda on facilitating the free movement of goods at border crossing points between the EU and Western Balkan countries.
The LNK file, when executed, invokes PowerShell to decode and extract a [12]tar (tape archive) archive containing three files to enable the attack chain via DLL side-loading, a malware delivery technique favored by several Chinese government crews, including [13]Salt Typhoon.
DLL sideloading exploits the Windows DLL search order by tricking an application into loading a malicious DLL instead of the legitimate one.
The three files include a legitimate, but expired, Canon printer assistant utility with a valid digital signature issued by Symantec. Although the certificate expired in April 2018, Windows trusts binaries whose signatures include [18]a valid timestamp, because the timestamp proves the signature was made while the certificate was still valid; this allows the attackers to bypass security tools and deliver malware using DLL sideloading.
The malicious DLL functions as a loader to decrypt and execute the third file in the archive, cnmplog.dat, which contains the encrypted PlugX payload.
PlugX, which has been around since at least 2008, is a Remote Access Trojan (RAT) that gives attackers the full range of remote access capabilities, including command execution, keylogging, file uploading and downloading, persistent access, and system reconnaissance.
"This three-stage execution flow completes the deployment of PlugX malware running stealthily within a legitimate signed process, significantly reducing the likelihood of detection by endpoint security solutions," the researchers wrote.
Microsoft did not immediately respond to The Register's inquiries about Chinese and other nation-state crews exploiting ZDI-CAN-25373, nor about if or when it plans to fix the security flaw.®
[1] https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/
[3] https://www.theregister.com/2025/08/27/google_china_captive_portal_hijack_warning/
[4] https://www.theregister.com/2025/01/14/fbi_french_cops_boot_chinas/
[5] https://www.theregister.com/2023/03/01/plugx_dll_loading_malware/
[8] https://www.zerodayinitiative.com/advisories/ZDI-25-148/
[9] https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
[10] https://nvd.nist.gov/vuln/detail/CVE-2025-9491
[12] https://en.wikipedia.org/wiki/Tar_(computing)
[13] https://www.theregister.com/2025/10/22/salt_typhoon_sharepoint_attacks/
[18] https://learn.microsoft.com/en-us/visualstudio/deployment/clickonce-and-authenticode?view=vs-2022#timestamps
Re: Is Jessica Lyons job solely to concentrate on alleged Chinese cyber spies?
I would like to read one article from her about American cyber spies
Oh dear... you seem to have misunderstood how reporters work in non-authoritarian countries.
She reports - this time what "Arctic Wolf Labs threat research team said."
If no-one is putting out similar articles about those Damn Yankees, then she cannot report it.
Perhaps a good exposé about how they were caught snooping on Angela Merkel, or something more up to date.
Exposé? It was revealed by Snowden, reported here 12 years ago.
https://www.theregister.com/2013/11/26/merkel_phone_tapped_by_5_countries/
makes me think Jessica Lyons is part of the CIA spying industrial complex.
No, why would you get so upset about the many exposed (suspected) Chinese spying cases? Would you like there to be no reporting of the Chinese spies?
Re: Is Jessica Lyons job solely to concentrate on alleged Chinese cyber spies?
Perhaps a good exposé about how they were caught snooping on Angela Merkel
Why would they not snoop on Russian asset? That would be abdication of duty.
Re: Is Jessica Lyons job solely to concentrate on alleged Chinese cyber spies?
@VoiceOfLies
Is your remit to pass the same shit every time?
Can't be arsed to link to yet another story about the Chinese claiming other nations are spying on them; you're clearly unable to think and remember for yourself.
"Windows trusts binaries whose signatures..."
It can't do otherwise, and it's not specific to Windows. Signing certificates are valid for one year; if signed executables with expired certificates became untrusted it would be a nightmare. It's just like document signatures: the signature has to be valid at the time the document was signed. The only other option would be certificates with a long life, which would have their own issues. Or use a blockchain....
Windows. Like an abusive spouse. Can't stand it, and apparently can't live without it.
Yet another fault dealing with those pesky .LNK files. I think they were invented because Unix (pre Linux) had soft links and the Gates crew came up with a seat-o-the-pants solution. They ended up being excellent ways for creatives to trick the unsuspecting into clicking/executing.
Re: Windows. Like an abusive spouse. Can't stand it, and apparently can't live without it.
Cue in people saying "you can create a little partition for Windows so you can run your CAD software there and for anything else just boot to Linux"
Is Jessica Lyons job solely to concentrate on alleged Chinese cyber spies?
I would like to read one article from her about American cyber spies. Perhaps a good exposé about how they were caught snooping on Angela Merkel, or something more up to date.
You see, when the article title is about spying on European diplomats and there is no mention of the USA doing the same, it makes me think Jessica Lyons is part of the CIA spying industrial complex.