- Mustang Panda used CVE-2025-9491 to target European diplomats via phishing and malicious .LNK files
- Exploited Windows Shell Link Flaw Deploys PlugX RAT for Persistent Access and Data Exfiltration
- Hundreds of samples link zero-day to long-running Chinese spying campaigns since at least 2017
Chinese state-sponsored threat actors have abused a Windows zero-day vulnerability to target diplomats across the European continent, security researchers warn.
Security researchers at Arctic Wolf Labs recently said they observed a state actor known as Mustang Panda (UNC6384) sending spear phishing emails to diplomats in Hungary, Belgium, Serbia, Italy and the Netherlands.
Interestingly, among the victims are Hungary and Serbia, two countries that have close ties to China and are, in many ways, considered allies and partners of China – although in August 2025, it was revealed that China was spying on yet another major ally: Russia.
Abusing .LNK Files
The phishing emails were themed around NATO workshops on defense procurement, European Commission meetings on border facilitation and other similar diplomatic events, the researchers said.
These contained a malicious .LNK file which, through abuse of CVE-2025-9491, was created to deploy a remote access trojan (RAT) called PlugX. This RAT gives its operators persistent access to the compromised system, as well as the ability to eavesdrop on communications, exfiltrate files, and more.
The bug stems from the way Windows handles shortcut files and is described as a UI misrepresentation issue in the Shell Link mechanism. It allows a fake .LNK file to hide the real command line so that a different, malicious command executes when the user runs or previews the shortcut.
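Because the shortcut's visible target and the command it actually runs can differ, defenders triaging suspicious .LNK attachments should read the arguments out of the binary structure rather than trusting the Properties dialog. The script below is an added example, not the article's content or Arctic Wolf's tooling: it parses the public MS-SHLLINK layout (header, optional LinkTargetIDList and LinkInfo, then the StringData fields) to recover the real COMMAND_LINE_ARGUMENTS, and applies illustrative triage checks. The 260-character "visible" limit, the 16-character whitespace-run threshold, the cp1252 fallback for non-Unicode strings, and the `build_lnk` helper that fabricates test shortcuts are all assumptions made for the example.

```python
"""Extract and triage the real command line of a Windows .LNK (Shell Link) file.

Added example for this article, not the researchers' tooling. It parses the
MS-SHLLINK binary layout directly, so whatever the Properties dialog shows,
the arguments Windows will actually hand to the target are recovered. The
triage thresholds in assess() are illustrative assumptions.
"""
import re
import struct

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set (MS-SHLLINK 2.4)
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags and every StringData field present in the shortcut."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_TARGET_ID_LIST:          # skip LinkTargetIDList: u16 size + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:               # skip LinkInfo: u32 size that counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # character count, no terminator
        off += 2
        size = count * 2 if unicode else count
        raw = data[off:off + size]
        off += size
        # non-Unicode strings use the system code page; cp1252 is assumed here
        info[field] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return info


def assess(info: dict, visible_limit: int = 260, max_ws_run: int = 16) -> list:
    """Flag argument strings a user could not be expected to see in full (assumed thresholds)."""
    args = info.get("arguments", "")
    findings = []
    if len(args) > visible_limit:
        findings.append("long_arguments")
    if re.search(r"\s{%d,}" % max_ws_run, args):
        findings.append("whitespace_padding")
    if any(ord(c) < 0x20 and c not in "\t\r\n" for c in args):
        findings.append("control_characters")
    return findings


def build_lnk(arguments: str, relative_path: str = "") -> bytes:
    """Build a minimal Unicode .LNK carrying only StringData (constructed test input)."""
    flags = IS_UNICODE | HAS_ARGUMENTS | (HAS_RELATIVE_PATH if relative_path else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path) if relative_path else b""
    return header + body + string_data(arguments)


if __name__ == "__main__":
    benign = build_lnk("/k echo hello", relative_path="..\\Windows\\System32\\cmd.exe")
    padded = build_lnk(" " * 300 + "/c echo constructed-hidden-command")
    for label, blob in (("benign", benign), ("padded", padded)):
        info = parse_lnk(blob)
        print(label, repr(info["arguments"][-40:]), assess(info))
```

Running the script on a real shortcut is a matter of `parse_lnk(open(path, "rb").read())`; the parser deliberately skips the optional ID list and LinkInfo blocks by their declared sizes so that it reaches the StringData section even on shortcuts that carry full target metadata. Findings from `assess()` are triage signals for an analyst, not a verdict.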
Since exploitation requires user interaction, the bug received a relatively low severity score of 7.8/10 (high). Yet researchers found hundreds (if not thousands) of .LNK samples, linking the flaw to long-running espionage campaigns, with some examples dating back to 2017.
“Arctic Wolf Labs believes with high confidence that this campaign is attributable to UNC6384, a cyberespionage threat actor affiliated with China,” the researchers said.
“This attribution is based on several converging lines of evidence, including malicious tools, tactical procedures, targeting alignment, and infrastructure overlaps with previously documented UNC6384 operations.”
Via BleepingComputer