
UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities

· Published 31/10/2025 08:35 · Modified 31/10/2025 09:45


Essential information

Published
31/10/2025 08:35
Modified
31/10/2025 09:45
Tags
2025-10-31 canonstager diplomatic targeting dll side-loading plugx spearphishing zdi-can-25373
Related entities
26 observables, 1 intrusion sets (apt), 5 techniques (mitre), 8 malware, 6 others

Description

Chinese-affiliated threat actor UNC6384 is conducting a cyber espionage campaign targeting European diplomatic entities, particularly in Hungary and Belgium. The group exploits the Windows vulnerability ZDI-CAN-25373 to deliver malware through spearphishing emails carrying malicious LNK files. The campaign uses diplomatic conference themes as lures and relies on DLL side-loading of legitimate Canon printer utilities. UNC6384 has expanded its operations from Southeast Asia to Europe, demonstrating rapid adoption of new vulnerabilities and refined social engineering techniques. The PlugX malware provides persistent remote access for intelligence collection on European foreign policy, defense cooperation, and economic matters. This campaign highlights the evolving capabilities of Chinese cyber espionage efforts and their strategic focus on diplomatic targets.

External references