UNC6384 Targets European Diplomatic Entities With Windows Exploit

TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTogether, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.The spear-phishing campaign uses fake European Commission and NATO-themed lures to trick diplomatic personnel into clicking malicious links.October 31, 2025UNC6384, a China-linked threat actor, has been targeting European diplomatic entities in Hungary and Belgium in a cyber-espionage campaign since September.The group incorporated the exploitation of CVE-2025-9491, a high-severity Windows vulnerability, in its attacks, alongside what Arctic Wolf researchers are referring to as "refined social engineering."The researchers note that the group's willingness to use vulnerabilities that are publicly known and have been actively exploited by multiple nation-state actors indicates that the group is confident in its success even with increased defender awareness.The attack chain first starts with spear-phishing emails containing a URL that ultimately delivers malicious LNK files. These files are meant to imitate European Commission meetings, as well as NATO-related workshops and diplomatic events, with authentic details designed to lure targeted individuals.  The files exploit the Windows vulnerability before executing obfuscated PowerShell commands that deploy a malware chain. This ultimately results in the deployment of PlugX remote access Trojan (RAT).The campaign, according to Arctic Wolf researchers, is expanding across the broader diplomatic community within Europe, such as Italy and the Netherlands, as well as government agencies in Serbia. UNC6384's previous activity involved targeting diplomats in Southeast Asia.Related:SonicWall Firewall Backups Stolen by Nation-State ActorThe group specializes in the deployment of PlugX malware variants, which the researchers consider a favorite tool among Chinese threat actors. PlugX, which was first observed in 2008, allows for a variety of a remote access capabilities, including command execution, persistence establishment, keylogging, and more. The malware is also known as Destroy RAT, SOGU, Kaba, Korplug, and TIGERPLUG and is capable of implementing anti-analysis techniques and anti-debugging checks to evade detection.At the start of this year, the US Justice Department and the FBI concluded its efforts in deleting the PlugX malware off of thousands of devices globally. The operation targeted the work of threat groups such as Mustang Panda and Twill Typhoon, which used the malware to infect users' devices and steal information. Now, as UNC6384 continues to rapidly adopt vulnerability exploits and other techniques, as well as expand globally, users and organizations will need to implement mitigation measures. To mitigate such attacks, the researchers recommend organizations, especially those in government and diplomatic sectors, review and block the command-and-control (C2) infrastructures listed in the report, conduct searches across endpoint environments, and continue security awareness training.Related:Nikkei Suffers Breach Via Slack CompromiseShould these threat actors become successful in their attacks, this could lead to long term implications such as "exfiltration of classified or sensitive documents, monitoring of real-time policy discussions and decision-making processes, collection of credentials for accessing diplomatic networks and partner systems, and surveillance of diplomatic calendars and travel plans" the researchers wrote in the report.Kristina BeekAssociate Editor, Dark ReadingSkilled writer and editor covering cybersecurity for Dark Reading.2025 DigiCert DDoS Biannual ReportDigiCert RADAR - Risk Analysis, Detection & Attack ReconnaissanceThe Total Economic Impact of DigiCert ONEIDC MarketScape: Worldwide Exposure Management 2025 Vendor AssessmentThe Forrester Wave™: Unified Vulnerability Management Solutions, Q3 2025How AI & Autonomous Patching Eliminate Exposure RisksThe Cloud is No Longer Enough: Securing the Modern Digital PerimeterSecuring the Hybrid Workforce: Challenges and SolutionsCybersecurity Outlook 2026Threat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesYou May Also LikeNov 13, 2025How AI & Autonomous Patching Eliminate Exposure RisksThe Cloud is No Longer Enough: Securing the Modern Digital PerimeterSecuring the Hybrid Workforce: Challenges and SolutionsCybersecurity Outlook 2026Threat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesPKI Modernization WhitepaperEDR v XDR v MDR- The Cybersecurity ABCs ExplainedHow to Chart a Path to Exposure Management MaturitySecurity Leaders' Guide to Exposure Management StrategyThe NHI Buyers GuideCopyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.