UNC6384 Exploits Zero-Day to Target European Diplomats

Chinese-linked group UNC6384 targets European diplomats with a Windows shortcut exploit to deploy PlugX malware.

Written by Ken Underhill, Oct 31, 2025

Arctic Wolf researchers found an active cyber-espionage operation by Chinese-affiliated actor UNC6384 targeting European diplomatic entities, notably in Hungary and Belgium.

The campaign operationalizes a Windows shortcut vulnerability and culminates in PlugX remote access trojan (RAT) deployment via DLL side-loading of signed Canon utilities.

Campaign Overview

UNC6384 blends refined social engineering with rapid vulnerability adoption. 

Spearphishing emails reference authentic diplomatic events — European Commission meetings, NATO-related workshops, and European Political Community activities — to entice recipients into launching malicious LNK files. 

Exploitation of ZDI-CAN-25373 enables covert command execution through whitespace padding in the LNK COMMAND_LINE_ARGUMENTS structure.
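The padding described above is visible to anyone who parses the shortcut rather than relying on the Properties dialog. The following is an added example, not code from the article or from Arctic Wolf: a small MS-SHLLINK parser that walks the ShellLinkHeader and StringData sections, extracts COMMAND_LINE_ARGUMENTS, and flags argument strings hidden behind long whitespace runs or control characters. The threshold of 16 consecutive blanks and the two sample shortcuts (built in the block with a harmless `echo`) are constructed for the demonstration.

```python
import struct

# MS-SHLLINK constants: the shell link CLSID and the LinkFlags bits this parser needs
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order, each present only if its flag is set
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

WHITESPACE = " \t\r\n\x0b\x0c"


def _read_string_data(buf, off, unicode):
    """One StringData entry: 2-byte CountCharacters, then the characters (no terminator)."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        raw = buf[off:off + 2 * count]
        return raw.decode("utf-16-le"), off + 2 * count
    raw = buf[off:off + count]
    return raw.decode("cp1252", errors="replace"), off + count


def parse_lnk_strings(buf):
    """Return the StringData fields of a .lnk, skipping the IDList and LinkInfo blocks."""
    if len(buf) < 0x4C or struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", buf, off)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", buf, off)[0]       # LinkInfoSize covers the whole block
    fields = {}
    for bit, name in STRING_DATA_ORDER:
        if flags & bit:
            fields[name], off = _read_string_data(buf, off, bool(flags & IS_UNICODE))
    return fields


def longest_whitespace_run(s):
    longest = run = 0
    for c in s:
        run = run + 1 if c in WHITESPACE else 0
        longest = max(longest, run)
    return longest


def assess_lnk(buf, max_run=16):
    """Flag COMMAND_LINE_ARGUMENTS that hide the real command behind a whitespace run.
    max_run is a constructed threshold: benign argument lists rarely contain 16+ blanks in a row."""
    args = parse_lnk_strings(buf).get("arguments", "")
    run = longest_whitespace_run(args)
    control = any(c in args for c in "\t\r\n\x0b\x0c")
    return {
        "arguments_len": len(args),
        "longest_whitespace_run": run,
        "control_chars": control,
        "visible_arguments": args.strip(WHITESPACE),
        "suspicious": run > max_run or control,
    }


def build_lnk(relative_path, arguments):
    """Minimal Unicode .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS (constructed test data)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + b"\x00\x00\x00\x00"


# Constructed samples: a plain shortcut and one padded so the Properties dialog shows nothing useful
BENIGN_LNK = build_lnk("..\\..\\Windows\\System32\\cmd.exe", "/c echo agenda")
PADDED_LNK = build_lnk("..\\..\\Windows\\System32\\cmd.exe", " " * 900 + "\n/c echo hidden")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, assess_lnk(sample))
```

Run over a directory of quarantined attachments, `assess_lnk` gives a quick triage signal: a long `longest_whitespace_run` or any embedded control character in the arguments is enough to pull the file for manual review, and `visible_arguments` shows what the shortcut would actually execute.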

Upon execution, the weaponized LNK invokes obfuscated PowerShell to decode and extract a .tar archive into %AppData%\Local\Temp, displays a legitimate PDF decoy, and runs a signed Canon printer assistant binary (cnmpaui.exe). 

UNC6384 then abuses Windows DLL search order to side-load a malicious cnmpaui.dll, which decrypts an RC4-protected blob (cnmplog.dat) and reflectively loads PlugX into the trusted Canon process. 

The resulting in-memory execution grants persistence, command execution, file operations, keylogging, and reconnaissance. 

Arctic Wolf researchers noted the samples showed the CanonStager loader shrinking from ~700 KB to ~4 KB between early September and October 2025, indicating active refactoring to reduce forensic footprint and evade detection.

Command-and-Control (C2)

Command-and-control (C2) communications leverage WinHTTP over TLS (port 443) with domains including racineupci[.]org, dorareco[.]net, naturadeco[.]net, cseconline[.]org, vnptgroup[.]it.com, and paquimetro[.]net.

Domains use legitimate-looking names and common certificate authorities to blend with benign traffic while rotating endpoints for redundancy.

Confirmed targeting includes Hungarian and Belgian diplomatic personnel, with related activity against Serbian, Italian, and Dutch entities. 

The lures align with defense cooperation, cross-border trade facilitation, and multilateral coordination — topics consistent with the People’s Republic of China’s strategic intelligence priorities.

A Fast-Moving, State-Aligned Espionage Actor

Arctic Wolf Labs assesses with high confidence that UNC6384 is responsible, citing overlaps in tooling (PlugX/SOGU.SEC), DLL side-loading techniques, targeting patterns, and infrastructure with activity clusters previously linked to Chinese nexus operators. 

Google’s Threat Intelligence Group also documents UNC6384’s persistence and notes affinities with Mustang Panda/TEMP.Hex in tradecraft and objectives.

The six-month window from public disclosure of ZDI-CAN-25373 to operational use illustrates UNC6384’s capacity to weaponize emerging vulnerabilities on compressed timelines. 

Parallel delivery methods, like spearphishing and captive-portal/adversary-in-the-middle techniques, demonstrate flexible access strategies tailored to diplomatic environments. 

If successful, long-term PlugX footholds enable collection of sensitive policy documents, negotiation positions, credentials, and calendar/travel intelligence with clear national-security implications for European governments.

Mitigations to Disrupt PlugX Activity

To mitigate the risks associated with this campaign, organizations should take the following actions:

  • Restrict or disable .lnk file execution from untrusted sources to prevent automatic resolution and malicious code execution.
  • Block known C2 domains and monitor DNS and web traffic for related connection attempts.
  • Hunt for Canon binaries (cnmpaui.exe) running from non-standard directories, especially when paired with cnmpaui.dll or cnmplog.dat.
  • Tighten DLL side-loading controls through application allow-listing and restricted DLL search paths.
  • Enhance behavioral detections for reflective loading, RC4 decryption activity, and abnormal WinHTTP network behavior.
  • Reinforce phishing awareness training, particularly during high-profile or politically sensitive events.
  • Consider managed detection and response (MDR) for continuous monitoring and rapid containment if 24×7 security operations are unavailable.
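The second and third recommendations above can be turned into a simple hunt. The following is an added example, not code from the article or from Arctic Wolf: it triages process-creation records for cnmpaui.exe running outside an expected install location and sitting beside cnmpaui.dll or cnmplog.dat, and checks DNS queries against the C2 domains listed in the article. The assumption that a legitimate Canon install lives under Program Files, the severity scheme, and the host names, paths and queries in the sample telemetry are all constructed for the demonstration.

```python
import ntpath
import re

# Indicators quoted in the article (defanged there; undefanged here so they can be matched)
C2_DOMAINS = {
    "racineupci.org", "dorareco.net", "naturadeco.net",
    "cseconline.org", "vnptgroup.it.com", "paquimetro.net",
}
LOADER_BINARY = "cnmpaui.exe"
SIDELOAD_ARTIFACTS = {"cnmpaui.dll", "cnmplog.dat"}

# Assumption: a legitimate Canon install lives under Program Files; anything else is non-standard
EXPECTED_DIR = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.IGNORECASE)


def hunt_process_event(event):
    """Triage one process-creation record.
    event: {"image": full path, "siblings": file names present in the same directory}
    Returns (severity, reasons); severity is None when nothing matched."""
    image = event["image"]
    if ntpath.basename(image).lower() != LOADER_BINARY:
        return None, []
    reasons = []
    non_standard = EXPECTED_DIR.match(image) is None
    if non_standard:
        reasons.append(f"{LOADER_BINARY} running from non-standard directory {ntpath.dirname(image)}")
    present = SIDELOAD_ARTIFACTS & {s.lower() for s in event.get("siblings", [])}
    if present:
        reasons.append("side-load artefacts beside binary: " + ", ".join(sorted(present)))
    if non_standard and present:
        return "high", reasons
    if non_standard:
        return "medium", reasons
    if present:
        return "low", reasons   # expected location; a real install may ship the DLL, so only a weak signal
    return None, []


def is_c2_domain(query_name):
    """True when the queried name is a listed C2 domain or a subdomain of one."""
    q = query_name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def triage(process_events, dns_queries):
    """Combine both hunts into one list of (severity, host, detail) findings."""
    hits = []
    for ev in process_events:
        severity, reasons = hunt_process_event(ev)
        if severity:
            hits.append((severity, ev["host"], "; ".join(reasons)))
    for host, name in dns_queries:
        if is_c2_domain(name):
            hits.append(("high", host, f"DNS query for listed C2 domain {name}"))
    return hits


# Constructed telemetry for the demonstration; hosts and paths are invented
PROCESS_EVENTS = [
    {"host": "ws-07", "image": r"C:\Users\anna\AppData\Local\Temp\cnmpaui.exe",
     "siblings": ["cnmpaui.dll", "cnmplog.dat", "Agenda.pdf"]},
    {"host": "ws-12", "image": r"C:\Program Files\Canon\PrinterAssistant\cnmpaui.exe",
     "siblings": ["cnmpaui.dll"]},
    {"host": "ws-03", "image": r"C:\Windows\System32\notepad.exe", "siblings": []},
]
DNS_QUERIES = [
    ("ws-07", "naturadeco.net"),
    ("ws-12", "login.microsoftonline.com"),
    ("ws-09", "cdn.paquimetro.net."),
]

if __name__ == "__main__":
    for severity, host, detail in triage(PROCESS_EVENTS, DNS_QUERIES):
        print(f"[{severity:6}] {host}: {detail}")
```

The two signals are deliberately kept separate so an analyst can weigh them: a Canon binary in a user-writable temp directory next to the DLL and the encrypted blob is the high-confidence pattern from the article, while the same DLL beside a binary in its vendor directory is only worth a look when something else on that host (for example a query for one of the listed domains) corroborates it.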

Implementing these measures can help organizations detect and disrupt PlugX activity before it escalates and build cyber resilience. 

Blending Speed, Sophistication, and Deception

UNC6384’s activity across Europe illustrates how state-aligned threat groups blend technical agility with credible social engineering to sustain espionage operations. 

The group’s rapid weaponization of ZDI-CAN-25373, paired with mature payload delivery and C2 resilience, demonstrates a well-resourced capability. 

In response, defenders should prioritize mitigating LNK-based execution chains, DLL side-loading vectors, and memory-resident implants, while reinforcing user training and accelerating vendor coordination for long-term remediation.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
