- Mustang Panda used CVE-2025-9491 to attack European diplomats via phishing emails and malicious .LNK files
- The exploited Windows Shell Link flaw deploys the PlugX RAT for persistent access and data exfiltration
- Hundreds of samples link the zero-day to long-running Chinese espionage campaigns dating back to at least 2017
Chinese state-sponsored threat actors have been abusing a Windows zero-day vulnerability to attack diplomats across the European continent, security researchers warn.
Researchers at Arctic Wolf Labs recently said they observed a nation-state actor known as Mustang Panda (tracked as UNC6384) sending phishing emails to diplomats in Hungary, Belgium, Serbia, Italy and the Netherlands.
Interestingly, the victims include Hungary and Serbia, two countries that have strong ties to China and are, in many ways, considered allies and partners of China, although in August 2025 it was revealed that China was also spying on another important ally: Russia.
Abusing .LNK files
The phishing emails were themed around NATO defense procurement workshops, European Commission border facilitation meetings and other similar diplomatic events, the researchers explained.
These carried a malicious .LNK file that, through abuse of CVE-2025-9491, was crafted to deploy a Remote Access Trojan (RAT) known as PlugX. This RAT gives its operators persistent access to the compromised system, as well as the ability to eavesdrop on communications, exfiltrate data, and more.
The bug stems from the way Windows handles shortcut files and is described as a UI misrepresentation issue in the Shell Link mechanism. It allows a crafted .LNK file to hide its actual command line, so that a different, malicious command is executed when the user runs or previews the shortcut. In the samples ZDI disclosed, the shortcut's command-line arguments are padded with long runs of whitespace characters, so the Properties dialog shows none of the real command.
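As an added example (not code from Arctic Wolf, ZDI or the original article), the following Python parser reads the StringData section of a Shell Link file as laid out in Microsoft's MS-SHLLINK specification and flags a COMMAND_LINE_ARGUMENTS field whose real content is pushed out of view by a run of leading whitespace, the padding trick ZDI described for this bug. The sample shortcuts are constructed in memory for the demonstration; the 16-character padding threshold and the harmless `echo` command are assumptions for illustration, not indicators from the campaign.

```python
"""Parse .LNK StringData and flag whitespace-padded COMMAND_LINE_ARGUMENTS.

Added example, not Arctic Wolf's, ZDI's or the article's code. Field layout
follows MS-SHLLINK; the padding heuristic reflects the publicly documented
ZDI-CAN-25373 / CVE-2025-9491 trick of prefixing the arguments with hundreds
of whitespace characters. Thresholds and sample commands are assumptions.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields, in the order they appear when their flag is set (section 2.4)
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Whitespace characters used as padding in the disclosed samples.
PADDING = " \t\n\x0b\x0c\r"
PAD_THRESHOLD = 16  # assumption: no legitimate shortcut starts its arguments this way


def build_lnk(relative_path, working_dir, arguments):
    """Construct a minimal Unicode .LNK (no IDList, no LinkInfo) for testing."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, LNK_CLSID, flags,
        0x20,          # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,       # CreationTime, AccessTime, WriteTime (FILETIME, zeroed)
        0, 0,          # FileSize, IconIndex
        1,             # ShowCommand = SW_SHOWNORMAL
        0, 0, 0, 0,    # HotKey, Reserved1, Reserved2, Reserved3
    )

    def string_data(s):
        # CountCharacters (UINT16) followed by the UTF-16LE characters, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(working_dir) + string_data(arguments)


def parse_lnk(data):
    """Return the StringData fields of a .LNK blob as a dict (ExtraData is ignored)."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (UINT16) + IDList
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:                # LinkInfoSize (UINT32) covers the whole structure
        (linkinfo_size,) = struct.unpack_from("<I", data, off)
        off += linkinfo_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def assess_arguments(args):
    """Report how much of the argument string is padding and what it really runs."""
    real = args.lstrip(PADDING)
    pad = len(args) - len(real)
    return {"padding_chars": pad, "hidden_command": real, "suspicious": pad >= PAD_THRESHOLD}


def scan_lnk(data):
    """Parse a .LNK blob and assess its COMMAND_LINE_ARGUMENTS field."""
    return assess_arguments(parse_lnk(data).get("arguments", ""))


if __name__ == "__main__":
    # Constructed samples: an ordinary shortcut and one padded as the advisory describes
    benign = build_lnk(r"..\..\Windows\System32\notepad.exe", r"C:\Users\Public", "notes.txt")
    padded = build_lnk(r"..\..\Windows\System32\cmd.exe", r"C:\Users\Public",
                       " " * 900 + "/c echo constructed-hidden-command")
    for label, blob in (("benign", benign), ("padded", padded)):
        print(label, scan_lnk(blob))
```

Point `scan_lnk` at the bytes of each .LNK attachment pulled from mail quarantine: a shortcut whose `padding_chars` runs into the hundreds while Explorer's Properties dialog shows an apparently empty argument field is exactly the misrepresentation this CVE relies on, and the `hidden_command` value is what will actually run.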
Since the exploit requires user interaction, the bug received a relatively low severity score of 7.8/10 (high). Still, researchers found hundreds (possibly even thousands) of .LNK samples, linking the flaw to long-running espionage campaigns, with some samples dating back to 2017.
“Arctic Wolf Labs assesses with high confidence that this campaign is attributable to UNC6384, a China-affiliated cyberespionage threat actor,” the researchers said.
“This attribution is based on multiple converging lines of evidence including malware tooling, tactical procedures, target alignment, and infrastructure overlaps with previously documented UNC6384 operations.”
Via BleepingComputer
