China-Linked Hackers Target European Diplomats Using Canon Software Exploit

A newly uncovered cyber espionage campaign, attributed to the China-linked hacking group UNC6384, has infiltrated diplomatic networks across Hungary, Belgium, Serbia, Italy, and the Netherlands — marking one of the most advanced PlugX malware deployments seen to date. According to Arctic Wolf Labs, the attackers leveraged a Windows shortcut (LNK) vulnerability and signed Canon software to deliver the malware, combining legitimate tools with malicious payloads for near-undetectable infiltration. The operation underscores how state-aligned threat actors are integrating stealth, legitimacy, and geopolitical targeting at scale.

Targeting Diplomats with Legitimate Software and Precision

The campaign relied on EU- and NATO-themed phishing emails masquerading as official invitations. Once opened, the malicious LNK file triggered a PowerShell script that fetched a compressed archive disguised as a Canon software update. Inside the archive were three files — a signed Canon executable, a malicious DLL loader, and an encrypted PlugX payload. This allowed the attackers to use DLL side-loading: the trusted executable loads the attacker's DLL from its own directory, so the malicious code runs under the guise of a legitimate process. Because the Canon executable was legitimately signed by Symantec, the malware evaded most antivirus detections, and the decrypted payload operated entirely in system memory.
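The side-loading shape described above (a signed vendor executable loading an unsigned DLL that sits beside it in a directory a user can write to, such as a freshly extracted "update" archive) is something defenders can look for in endpoint telemetry. The following is an added example, not code from Arctic Wolf Labs, Canon, or any tooling mentioned in the article: a small heuristic over Sysmon-style image-load events (Event ID 7, whose real field names Image, ImageLoaded, Signed and SignatureStatus are used here). The sample events, file names and the user-writable path markers are constructed for the example and are not indicators from the campaign.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load telemetry.

Added example for this article; not code from Arctic Wolf Labs or any vendor.
It encodes the pattern the article describes: a legitimately signed executable
loading an unsigned (or invalidly signed) DLL that sits beside it in a
user-writable directory, such as a freshly extracted "software update" archive.

Field names (Image, ImageLoaded, Signed, SignatureStatus) follow Sysmon
Event ID 7 (Image loaded). All sample events and file names below are
constructed for the example and are not indicators from the campaign.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Path fragments that mark locations an unprivileged user can write to.
# Assumption: the organisation installs vendor software under Program Files,
# so a signed vendor binary running from one of these is itself noteworthy.
USER_WRITABLE_MARKERS = (
    "\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\",
)


@dataclass(frozen=True)
class Alert:
    process: str
    dll: str
    reasons: tuple[str, ...]


def is_user_writable(path: str) -> bool:
    """Heuristic: does the path live somewhere a normal user can drop files?"""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def dll_trusted(event: dict) -> bool:
    """True only when Sysmon reports a signed DLL whose signature validated."""
    signed = str(event.get("Signed", "false")).lower() == "true"
    status = str(event.get("SignatureStatus", "")).lower()
    return signed and status == "valid"


def score_image_load(event: dict) -> Alert | None:
    """Return an Alert when one image-load event shows the side-loading shape."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if not loaded.lower().endswith(".dll"):
        return None

    reasons = []
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    if same_dir:
        reasons.append("dll loaded from the executable's own directory")
    if not dll_trusted(event):
        reasons.append("dll unsigned or signature not valid")
    if is_user_writable(loaded):
        reasons.append("dll resides in a user-writable location")

    # All three together is the side-loading shape; fewer is ordinary noise
    # (vendor plug-ins in Program Files, unsigned in-house tools, etc.).
    if len(reasons) == 3:
        return Alert(process=image, dll=loaded, reasons=tuple(reasons))
    return None


def scan(events: list[dict]) -> list[Alert]:
    """Run the heuristic over a batch of events and collect the alerts."""
    return [a for a in (score_image_load(e) for e in events) if a]


# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    {   # suspicious: vendor exe dropped in %TEMP% loads an unsigned DLL beside it
        "Image": r"C:\Users\alice\AppData\Local\Temp\update_pkg\vendor_tool.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update_pkg\helper.dll",
        "Signed": "false",
        "SignatureStatus": "Unavailable",
    },
    {   # benign: the same exe loads a validly signed OS DLL from System32
        "Image": r"C:\Users\alice\AppData\Local\Temp\update_pkg\vendor_tool.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
    {   # benign: installed product loads its own validly signed plug-in
        "Image": r"C:\Program Files\Vendor\tool.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.process, "->", alert.dll)
        for reason in alert.reasons:
            print("   ", reason)
```

Requiring all three signals together keeps the rule quiet in normal operation; a validly signed DLL beside its executable under Program Files, or an unsigned in-house tool loading from the same installed directory, produces no alert. The rule deliberately does not depend on knowing which vendor binary was abused, since the borrowed executable changes between campaigns while the loading shape does not.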

Technical Evolution: Smaller, Faster, Harder to Trace

Between September and October 2025, researchers noted that UNC6384’s CanonStager loader had shrunk from 700KB to a mere 4KB — a dramatic downsizing that improved deployment speed and left minimal forensic traces. The group also operated distributed C2 infrastructure, hosted on legitimate-looking domains and encrypted HTTPS channels, to hide communications. The campaign’s precision and timing suggest multiple coordinated sub-teams operating under a unified command, likely linked to China’s Mustang Panda cluster — known for espionage against government, defence, and policy entities.

Implications for Europe’s Diplomatic Security

Cybersecurity analysts warn this attack represents a significant escalation in state-sponsored intelligence collection against Western governments. The operation’s focus on diplomatic cables, classified communications, and inter-agency documents highlights a long-term intelligence objective rather than immediate disruption. Experts fear that such campaigns — exploiting legitimate software and zero-day vulnerabilities — can persist undetected for months, compromising sensitive information that shapes regional and global policy.

The Broader Takeaway: Trusted Software, Weaponized

The UNC6384 campaign reflects a growing pattern in modern espionage: abusing trust chains instead of brute-force breaches. By leveraging signed binaries and legitimate corporate assets, threat actors can bypass even sophisticated endpoint defences. For enterprises and governments alike, this means that supply chain integrity and code-signing verification must become central to cyber defence strategy — not just firewalls and detection tools.
