
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,907 of 2,445   
   Mike Powell to All   
   Chinese hackers target Eu   
   04 Nov 25 09:19:23   
   
   TZUTC: -0500   
   MSGID: 1664.consprcy@1:2320/105 2d6f47eb   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Chinese hackers target European diplomats with Windows zero-day flaw   
      
   Date:   
   Mon, 03 Nov 2025 15:19:00 +0000   
      
   Description:   
   Hungarian and Serbian diplomats targeted despite their countries' good   
   relationship with China.   
      
   FULL STORY   
      
   Chinese state-sponsored threat actors have been abusing a Windows zero-day   
   vulnerability to target diplomats across the European continent, security   
   researchers are warning.    
      
   Security researchers Arctic Wolf Labs recently said they observed a   
   nation-state actor known as Mustang Panda (UNC6384) sending out    
   spear-phishing emails to diplomats in Hungary, Belgium, Serbia, Italy, and    
   the Netherlands.    
      
   Curiously enough, among the victims are Hungary and Serbia, two countries who   
   have strong ties with China and are, in many things, considered Chinese    
   allies and partners - although in August 2025 it was revealed that China was   
   spying on yet another major ally - Russia.   
      
   Abusing .LNK files    
      
   The phishing emails were themed around NATO defense procurement workshops,   
   European Commission border facilitation meetings, and other similar    
   diplomatic events, the researchers explained.    
      
   These carried a malicious .LNK file which, through the abuse of    
   CVE-2025-9491, was built to deploy a Remote Access Trojan (RAT) called PlugX.   
   This RAT gives its operators persistent access to the compromised system, as   
   well as the ability to eavesdrop on communication, exfiltrate files, and    
   more.    
      
   The bug stems from the way Windows handles shortcut files and is described as   
   a UI misrepresentation issue in the Shell Link mechanism. It lets a crafted   
   .LNK file hide the real command line so a different, malicious command runs   
   when the user runs, or previews, the shortcut.    
      
   Since exploitation requires user interaction, the bug was given a relatively   
   low severity score of 7.8/10 (high). Still, researchers found hundreds   
   (possibly even thousands) of .LNK samples, tying the flaw to long-running   
   espionage campaigns, with some examples dating back to 2017.    
      
   "Arctic Wolf Labs assesses with high confidence that this campaign is   
   attributable to UNC6384, a Chinese-affiliated cyber espionage threat actor,"   
   the researchers said.    
      
   "This attribution is based on multiple converging lines of evidence including   
   malware tooling, tactical procedures, targeting alignment, and infrastructure   
   overlaps with previously documented UNC6384 operations."    
      
    Via BleepingComputer    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/chinese-hackers-target-european-diplomats-with-windows-zero-day-flaw   
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
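
For defenders triaging shortcut attachments, here is an added example (not part of the original post or the quoted article) that reads the full arguments field out of a .LNK file, so it can be compared with what the Windows UI displays. It assumes, beyond what the story states, that the hidden command is pushed out of view by whitespace padding; the thresholds and the `build_sample` helper are hypothetical.

```python
import struct

# LinkFlags bits from the ShellLinkHeader in [MS-SHLLINK].
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]
# Assumptions: chars the Properties "Target" box shows; run length seen as padding.
UI_VISIBLE_CHARS, PAD_RUN = 260, 16

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .LNK file as {name: str}."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:                      # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    out = {}
    for bit, name in STRING_FLAGS:              # fields appear in this order
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            end = pos + 2 + count * width
            if end > len(data):
                raise ValueError("truncated StringData")
            out[name] = data[pos + 2:end].decode(codec, errors="replace")
            pos = end
    return out

def audit_arguments(data: bytes) -> list:
    """Return reasons the arguments field may not match what the UI shows."""
    args = parse_lnk_strings(data).get("arguments", "")
    findings = []
    if len(args) > UI_VISIBLE_CHARS:
        findings.append(f"arguments are {len(args)} chars, past the visible {UI_VISIBLE_CHARS}")
    run = longest = 0
    for ch in args:                             # longest run of any whitespace
        run = run + 1 if ch.isspace() else 0
        longest = max(longest, run)
    if longest >= PAD_RUN:
        findings.append(f"whitespace run of {longest} chars in arguments")
    return findings

def build_sample(args: str) -> bytes:
    """Constructed test input: bare header plus a Unicode arguments field."""
    header = struct.pack("<I16sI", 0x4C, bytes(16), 0x20 | IS_UNICODE).ljust(76, b"\0")
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

An empty list from `audit_arguments` means neither heuristic fired; it does not mean the shortcut is safe to open.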
      



(c) 1994,  bbs@darkrealms.ca