Chinese hackers target European diplomats with Windows zero-day flaw
Diplomats targeted across the continent
- Mustang Panda used CVE-2025-9491 to target European diplomats via phishing and malicious .LNK files
- Exploited Windows Shell Link flaw deploys PlugX RAT for persistent access and data exfiltration
- Hundreds of samples link the zero-day to long-running Chinese espionage campaigns since at least 2017
Chinese state-sponsored threat actors have been abusing a Windows zero-day vulnerability to target diplomats across the European continent, security researchers are warning.
Security researchers at Arctic Wolf Labs recently said they observed a nation-state actor known as Mustang Panda (UNC6384) sending spear-phishing emails to diplomats in Hungary, Belgium, Serbia, Italy, and the Netherlands.
Curiously enough, the victims include Hungary and Serbia, two countries that have strong ties with China and are, in many respects, considered Chinese allies and partners, although in August 2025 it was revealed that China was spying on yet another major ally, Russia.
Abusing .LNK files
The phishing emails were themed around NATO defense procurement workshops, European Commission border facilitation meetings, and other similar diplomatic events, the researchers explained.
These carried a malicious .LNK file which, through the abuse of CVE-2025-9491, was built to deploy a Remote Access Trojan (RAT) called PlugX. This RAT gives its operators persistent access to the compromised system, as well as the ability to eavesdrop on communication, exfiltrate files, and more.
The bug stems from the way Windows handles shortcut files and is described as a UI misrepresentation issue in the Shell Link mechanism. It lets a crafted .LNK file hide the real command line so a different, malicious command runs when the user runs, or previews, the shortcut.
Since exploitation requires user interaction, the bug was given a relatively modest severity score of 7.8/10 (rated high rather than critical). Still, researchers found hundreds (possibly even thousands) of .LNK samples, tying the flaw to long-running espionage campaigns, with some examples dating back to 2017.
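As an added example (not code from the article or from Arctic Wolf Labs), here is a small Python parser for the Windows Shell Link binary format that reads the COMMAND_LINE_ARGUMENTS string straight out of a .LNK file, so an analyst checks the real arguments rather than relying on what the shortcut's properties dialog displays. The flagging thresholds, the cp1252 fallback for non-Unicode links, and the minimal `build_lnk` sample used as constructed test input are assumptions.

```python
import re
import struct

HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData entries appear in this fixed order, each gated by a LinkFlags bit.
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location")]
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-...-46

def parse_lnk(data: bytes) -> dict:
    """Return the StringData section of a Shell Link (name, arguments, ...)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 20)[0]  # LinkFlags follows the CLSID
    pos = 0x4C
    if flags & HAS_IDLIST:     # LinkTargetIDList: 2-byte IDListSize, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:   # LinkInfo: its 4-byte LinkInfoSize spans the block
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    out = {}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no NUL
        raw = data[pos + 2:pos + 2 + count * width]
        out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")  # ANSI: assumed cp1252
        pos += 2 + count * width
    return out

def suspicious_arguments(args: str, max_len: int = 260, max_gap: int = 32) -> list:
    """Assumed heuristics: arguments far longer than a normal command line, or a
    whitespace run long enough to push the real command out of a dialog's view."""
    reasons = []
    if len(args) > max_len:
        reasons.append(f"arguments are {len(args)} chars (> {max_len})")
    gap = max((len(m) for m in re.findall(r"\s+", args)), default=0)
    if gap > max_gap:
        reasons.append(f"whitespace run of {gap} chars (> {max_gap})")
    return reasons

def build_lnk(args: str, unicode: bool = True) -> bytes:
    """Constructed test input: a minimal .LNK carrying only COMMAND_LINE_ARGUMENTS."""
    flags = 0x20 | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = 1
    body = args.encode("utf-16-le" if unicode else "cp1252")
    return header + struct.pack("<H", len(args)) + body + b"\0\0\0\0"  # TerminalBlock
```

Running `parse_lnk` over shortcuts arriving as email attachments and feeding the `arguments` field to `suspicious_arguments` gives a cheap triage signal; anything flagged should be compared by hand with what Explorer shows for the same file.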
"Arctic Wolf Labs assesses with high confidence that this campaign is attributable to UNC6384, a Chinese-affiliated cyber espionage threat actor," the researchers said.
"This attribution is based on multiple converging lines of evidence including malware tooling, tactical procedures, targeting alignment, and infrastructure overlaps with previously documented UNC6384 operations."
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.