- Mustang Panda used CVE-2025-9491 to attack European diplomats through phishing and malicious .LNK files
- Exploited Windows Shell Link Flaw Deploys PlugX RAT for Persistent Access and Data Exfiltration
- Hundreds of samples link zero-day to long-running Chinese espionage campaigns dating back to at least 2017.
Chinese state-sponsored threat actors have been abusing a Windows zero-day vulnerability to attack diplomats across Europe, security researchers warn.
Researchers at Arctic Wolf Labs recently said they observed a nation-state actor tracked as UNC6384 (Mustang Panda) sending phishing emails to diplomats in Hungary, Belgium, Serbia, Italy and the Netherlands.
Notably, the targets include Hungary and Serbia, two countries with close ties to China that are widely regarded as its partners and allies; in August 2025, however, it emerged that China had also been spying on another important partner, Russia.
Abusing .LNK files
The phishing emails were themed around NATO defense procurement workshops, European Commission border facilitation meetings and similar diplomatic events, the researchers explained.
These carried a malicious .LNK file that, by abusing CVE-2025-9491, was built to deploy the PlugX Remote Access Trojan (RAT). PlugX gives its operators persistent access to the compromised system, along with the ability to monitor communications, exfiltrate files, and more.
The flaw lies in how Windows handles shortcut (.LNK) files and is classed as a user-interface misrepresentation issue in the Shell Link mechanism. By padding the command-line arguments stored in the shortcut with whitespace characters, an attacker can keep the real command out of view in the shortcut's properties dialog, so a user who inspects the file sees something harmless while opening it runs the hidden command.
Because exploitation requires user interaction, the flaw was rated high rather than critical, with a severity score of 7.8/10. Still, researchers found hundreds (possibly even thousands) of .LNK samples abusing it, linking the flaw to long-running espionage campaigns, with some samples dating back to 2017.
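To make the mechanism concrete, here is an added example (not code from Arctic Wolf, the article, or the campaign) that parses the Shell Link binary format directly and flags shortcuts whose COMMAND_LINE_ARGUMENTS field contains a long run of whitespace, which is the padding trick this flaw relies on. The two .LNK blobs are constructed in memory for the demonstration, the 16-character threshold is an assumption, and the `hidden` command in the padded sample is a placeholder rather than anything taken from real samples.

```python
import struct

# Shell Link Binary File Format (MS-SHLLINK) constants.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80

# StringData structures appear in this fixed order, each present only if its LinkFlags bit is set.
STRING_DATA_ORDER = (
    ("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH), ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS), ("icon_location", HAS_ICON_LOCATION),
)

# Whitespace characters that are legal in arguments but render as blank space in the properties dialog.
PAD_CHARS = frozenset(" \t\n\v\f\r")
PAD_THRESHOLD = 16  # assumption: genuine command lines rarely hold this many consecutive whitespace chars


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip the optional IDList/LinkInfo structures and return the StringData fields."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.LNK) file")
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (uint16) followed by that many bytes
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    if flags & HAS_LINK_INFO:  # LinkInfoSize (uint32) counts the entire structure, itself included
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size
    fields = {"flags": flags}
    for name, bit in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, offset)  # CountCharacters; no terminator follows
        offset += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[offset:offset + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        offset += width * count
    return fields


def longest_whitespace_run(text: str) -> int:
    longest = run = 0
    for ch in text:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    return longest


def split_hidden_arguments(args: str, threshold: int = PAD_THRESHOLD):
    """Return (visible, hidden): text before the first long whitespace run, and text after that run."""
    run_start = run = 0
    for i, ch in enumerate(args):
        if ch not in PAD_CHARS:
            run = 0
            continue
        if run == 0:
            run_start = i
        run += 1
        if run >= threshold:
            end = i + 1
            while end < len(args) and args[end] in PAD_CHARS:
                end += 1
            return args[:run_start], args[end:]
    return args, ""


def is_suspicious(parsed: dict, threshold: int = PAD_THRESHOLD) -> bool:
    return longest_whitespace_run(parsed.get("arguments", "")) >= threshold


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .LNK carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS (test data)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
        0x20,        # FileAttributes = FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,     # CreationTime, AccessTime, WriteTime
        0, 0, 1,     # FileSize, IconIndex, ShowCommand = SW_SHOWNORMAL
        0, 0, 0, 0,  # HotKey, Reserved1, Reserved2, Reserved3
    )

    def string_data(s: str) -> bytes:
        encoded = s.encode("utf-16-le")
        return struct.pack("<H", len(encoded) // 2) + encoded

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples for the demonstration; neither is a file from the campaign.
BENIGN_LNK = build_lnk("..\\..\\Windows\\System32\\cmd.exe", "/c echo hello")
PADDED_LNK = build_lnk(
    "..\\..\\Windows\\System32\\cmd.exe",
    "/c start notepad.exe" + " " * 300 + "& calc.exe",  # 300 spaces push the second command out of view
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        parsed = parse_lnk(blob)
        visible, hidden = split_hidden_arguments(parsed["arguments"])
        print(f"{label}: suspicious={is_suspicious(parsed)} visible={visible!r} hidden={hidden!r}")
```

The parser deliberately reads the raw StringData rather than relying on a shell API, because the whole point of the flaw is that the shell's own presentation of the arguments is what gets misrepresented; a scanner run over mail attachments or a quarantine share should make its decision on the bytes in the file.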
“Arctic Wolf Labs assesses with high confidence that this campaign is attributable to UNC6384, a China-affiliated cyberespionage threat actor,” the researchers said.
“This attribution is based on multiple converging lines of evidence including malware tools, tactical procedures, target alignment, and infrastructure overlays with previously documented UNC6384 operations.”
Via BleepingComputer