Date: 2025-10-31

Attacks exploiting a yet-to-be-patched Windows shortcut flaw disclosed earlier this year were deployed by threat operation UNC6384, which has been linked with Chinese advanced persistent threat operation Mustang Panda, to compromise Belgian, Hungarian, Italian, and Dutch diplomats, as well as Serbian government aviation agencies, as part of a cyberespionage campaign from September to October, according to The Register.

UNC6384 delivered phishing emails with European defense and security cooperation lures to spread a malicious LNK file exploiting the Windows shortcut flaw, tracked as CVE-2025-9491, to invoke PowerShell and trigger an attack chain concluding with the covert injection of the PlugX remote access trojan, a report from Arctic Wolf Labs showed.

"This campaign demonstrates UNC6384's capability for rapid vulnerability adoption within six months of public disclosure, advanced social engineering leveraging detailed knowledge of diplomatic calendars and event themes, and operational expansion from traditional Southeast Asia targeting to European diplomatic entities," said researchers.