- Mustang Panda used CVE-2025-9491 to target European diplomats via phishing and malicious .LNK files
- The exploited Windows Shell Link flaw deploys the PlugX RAT for persistent access and data exfiltration
- Hundreds of samples link the zero-day to long-running Chinese espionage campaigns dating back to at least 2017
Chinese state-sponsored threat actors have abused a Windows zero-day vulnerability to target diplomats across the European continent, security researchers warn.
Security researchers at Arctic Wolf Labs recently said they observed a nation-state actor known as Mustang Panda (UNC6384) sending spear-phishing emails to diplomats in Hungary, Belgium, Serbia, Italy and the Netherlands.
Curiously, among the victims are Hungary and Serbia, two countries that have strong ties to China and are in many ways considered Chinese allies and partners – although in August 2025 it was revealed that China was spying on another major ally – Russia.
Abusing .LNK files
The phishing emails were themed around NATO defense procurement workshops, European Commission border facilitation meetings and other similar diplomatic events, the researchers explained.
They carried a malicious .LNK file that, by exploiting CVE-2025-9491, was built to deploy a Remote Access Trojan (RAT) called PlugX. This RAT gives its operators persistent access to the compromised system, as well as the ability to eavesdrop on communications, exfiltrate files, and more.
The bug stems from the way Windows handles shortcut files and is described as a user interface mis-rendering problem in the Shell Link mechanism. It lets a crafted .LNK file hide its real command line, so that a different, malicious command runs when the user opens or previews the shortcut.
Since exploitation requires user interaction, the bug was given a relatively low severity rating of 7.8/10 (high). Still, researchers found hundreds (possibly even thousands) of .LNK samples that linked the flaw to long-running espionage campaigns, with some examples dating back as far as 2017.
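As an added, defender-side illustration that is not part of this article or of Arctic Wolf's research: a minimal Python parser for the Shell Link (MS-SHLLINK) StringData section that extracts COMMAND_LINE_ARGUMENTS and flags arguments padded with long whitespace runs. That padding heuristic is an assumption made here about how a shortcut hides its real command line, not something the article states; the .LNK sample is constructed inline.

```python
import struct

# LinkFlags sits after HeaderSize (4 bytes) and LinkCLSID (16 bytes) in the ShellLinkHeader.
LINK_FLAGS_OFF = 20
HAS_IDLIST, HAS_LINKINFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def lnk_strings(data: bytes) -> dict:
    """Walk a Shell Link file to its StringData section and return the strings by field name."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLinkHeader")
    flags = struct.unpack_from("<I", data, LINK_FLAGS_OFF)[0]
    pos = 76
    if flags & HAS_IDLIST:                       # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                     # LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                      ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS), ("icon", HAS_ICON)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        out[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("latin-1")
        pos += width * count
    return out

def hidden_args(args: str, min_run: int = 16) -> bool:
    """Heuristic (assumption): genuine arguments contain neither long runs of spaces
    nor control whitespace, both of which push the real command out of the visible UI."""
    run = 0
    for ch in args:
        if ch in "\t\n\r\x0b\x0c":
            return True
        run = run + 1 if ch == " " else 0
        if run >= min_run:
            return True
    return False

def suspicious_lnk(data: bytes) -> bool:
    return hidden_args(lnk_strings(data).get("arguments", ""))

def build_lnk(args: str) -> bytes:
    """Constructed sample: minimal header plus a single Unicode COMMAND_LINE_ARGUMENTS string."""
    header = struct.pack("<I16sI", 0x4C, SHELL_LINK_CLSID, HAS_ARGS | IS_UNICODE)
    header += b"\x00" * (76 - len(header))
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Run it over a directory of shortcuts from mail attachments and triage anything `suspicious_lnk` returns True for; the threshold is deliberately conservative and meant for triage, not a verdict.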
“Arctic Wolf Labs assesses with high confidence that this campaign is attributable to UNC6384, a Chinese-affiliated cyber espionage threat actor,” the researchers said.
“This attribution is based on multiple converging lines of evidence, including malware tools, tactical procedures, targeting alignment, and infrastructure overlaps with previously documented UNC6384 operations.”
Via Bleeping Computer