{"id":5687,"date":"2025-11-06T08:50:21","date_gmt":"2025-11-06T08:50:21","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5687"},"modified":"2025-11-06T08:50:21","modified_gmt":"2025-11-06T08:50:21","slug":"chinese-hackers-target-western-diplomats-using-hard-to-patch-windows-shortcut-flaw","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5687","title":{"rendered":"Chinese hackers target Western diplomats using hard-to-patch Windows shortcut flaw"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Chinese hackers have been spotted targeting European diplomats using a longstanding Windows shortcut vulnerability that\u2019s been popular with threat groups as far back as 2017.<\/p>\n<p>According to security company <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx\/\" target=\"_blank\" rel=\"noopener\">Arctic Wolf<\/a>, whose researchers uncovered the latest campaign, the latest attacks saw spear phishing emails sent to officials working for the governments of Hungary, Belgium, Serbia, Italy, and The Netherlands during September and October.<\/p>\n<p>The Chinese government-operated group suspected of being behind the campaign is named UNC6384 by the Google Threat Intelligence Group (GTIG). 
The same group is believed to have targeted diplomats of several Asian countries earlier in 2025, which might give the impression that UNC6384 is a recently discovered threat actor, hence its UNC (\u201cuncategorized\u201d) status.<\/p>\n<p>However, Arctic Wolf said it believed the group\u2019s tools, techniques, and procedures (TTPs) strongly resemble those of a known Chinese threat group, \u201cMustang Panda,\u201d which has been around since 2012.<\/p>\n<p>On the face of it, this looks like just another Chinese cyber-espionage campaign against foreign governments. But there is a deeper story: the Windows vulnerability used in the campaign, which Microsoft has so far been unwilling \u2014 or unable \u2014 to patch.<\/p>\n<h2 class=\"wp-block-heading\">Ghost flaw<\/h2>\n<p>According to Arctic Wolf, the latest campaign used spear phishing emails with diplomatic themes to lure targets into executing malicious Windows .LNK shortcut files. The vulnerability stems from a flaw in Windows UI parsing that allows command-line instructions to be hidden in <a href=\"https:\/\/detection.fyi\/sigmahq\/sigma\/windows\/process_creation\/proc_creation_win_susp_lnk_exec_hidden_cmd\/\" target=\"_blank\" rel=\"noopener\">.LNK format whitespace<\/a>.<\/p>\n<p>This allows the attackers to launch a sequence of malicious actions while displaying a decoy PDF showing the agenda for a genuine European Commission meeting scheduled to have been held in Brussels on September 26. The result is the deployment of the PlugX remote access Trojan, which has been popular since 2008 as a tool for opening backdoors into Windows systems.<\/p>\n<p>Trend Micro told Microsoft about the weakness in September 2024, after which it was given a <a href=\"https:\/\/cve.org\/CVERecord?id=CVE-2025-9491\" target=\"_blank\" rel=\"noopener\">CVE-2025-9491<\/a> identifier. 
However, it turns out that the company\u2019s Zero Day Initiative (ZDI) had noticed the same issue in 2017, when it was given a separate internal \u2018candidate\u2019 identifier, <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/c\/windows-shortcut-zero-day-exploit.html\" target=\"_blank\" rel=\"noopener\">ZDI-CAN-25373<\/a>.<\/p>\n<p>\u201cThe vulnerability has been exploited by state-sponsored APT groups from North Korea, Iran, Russia, and China,\u201d said Trend Micro in a <a href=\"https:\/\/www.trendmicro.com\/en\/research\/25\/c\/windows-shortcut-zero-day-exploit.html\" target=\"_blank\" rel=\"noopener\">March 2018 blog<\/a>.<\/p>\n<p>Despite there being a formal CVE, Microsoft appears reluctant to address the issue. As Trend Micro noted in a more recent blog from 2025, \u201cWe submitted a proof-of-concept exploit through Trend ZDI\u2019s bug bounty program to Microsoft, who declined to address this vulnerability with a security patch.\u201d<\/p>\n<p>That reluctance probably stems from the fact that CVE-2025-9491\/ZDI-CAN-25373 would be difficult to patch without breaking legacy applications that depend on its current design.<\/p>\n<p>On November 1, the day after this article was first published, Microsoft released an <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/advisory\/ADV25258226\" target=\"_blank\" rel=\"noopener\">advisory notice on Windows LNK file UI behavior<\/a>. In it, the company reiterated that it does not consider this a vulnerability. <\/p>\n<p>The advisory noted that .lnk files cannot be delivered via browser unless packaged in a .zip file that is then opened by the user. \u201cAttempting to open a .lnk file downloaded from the Internet automatically triggers a security warning advising users not to open files from unknown sources, and we strongly recommend heeding this warning,\u201d Microsoft said in the advisory. 
\u201cDouble-clicking on a .lnk file produces a warning stating that the file format is not trusted; a victim must click through this prompt,\u201d it added.<\/p>\n<p>\u201cDue to the user interaction involved and the fact that the system already warns users that this format is untrusted, Microsoft does not consider this a vulnerability,\u201d it concluded.<\/p>\n<h2 class=\"wp-block-heading\">Mitigation<\/h2>\n<p>In the absence of a patch, organizations worried about .LNK attacks should consider blocking .LNK files or disabling their execution in Windows Explorer, Arctic Wolf advised.<\/p>\n<p>\u201cThis should be put in place across all Windows systems, prioritizing endpoints used by personnel with access to sensitive diplomatic or policy information. While this vulnerability was disclosed in March 2025, adoption by threat actors within months of disclosure necessitates urgent monitoring and countermeasures,\u201d it said.<\/p>\n<p>Organizations could also block the command and control (C2) domains used by attackers, although these will change over time. In addition, Arctic Wolf recommends that IT teams search for the presence of Canon printer assistant utilities such as <em>cnmpaui.exe<\/em>, which are part of the campaign\u2019s exploit chain.<\/p>\n<p>\u201cThe breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting,\u201d Arctic Wolf noted, adding that the fact that UNC6384 had jumped on the flaw so quickly since it was made public earlier in 2025 suggested that the group had access to advanced capabilities and resources.<\/p>\n<p>It\u2019s not as if attacks exploiting Windows shortcut files in different ways are terribly new or innovative. 
During 2025, they\u2019ve been abused in different ways by <a href=\"https:\/\/www.csoonline.com\/article\/3987073\/after-helping-russia-on-the-ground-north-korea-targets-ukraine-with-cyberespionage.html\" target=\"_blank\" rel=\"noopener\">Russian cyber-campaigns<\/a> against Ukraine, <a href=\"https:\/\/www.csoonline.com\/article\/3986671\/stealth-rat-uses-a-powershell-loader-for-fileless-attacks.html\" target=\"_blank\" rel=\"noopener\">Chinese attacks<\/a> using the Remcos RAT, and to target companies in the <a href=\"https:\/\/www.csoonline.com\/article\/3837964\/polyglot-files-used-to-spread-new-backdoor.html\" target=\"_blank\" rel=\"noopener\">United Arab Emirates (UAE)<\/a>. In June the technique was used to hide payloads in attacks abusing the <a href=\"https:\/\/www.csoonline.com\/article\/4009636\/phishing-campaign-abuses-cloudflare-tunnels-to-sneak-malware-past-firewalls.html\" target=\"_blank\" rel=\"noopener\">Cloudflare Tunnel service<\/a>. The issue is really that this type of flaw, which exploits an otherwise useful feature, is simply difficult to patch.<\/p>\n<p><em>This article was updated on November 6 with information about a new advisory notice from Microsoft.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Chinese hackers have been spotted targeting European diplomats using a longstanding Windows shortcut vulnerability that\u2019s been popular with threat groups as far back as 2017. 
According to security company Arctic Wolf, whose researchers uncovered the latest campaign, the latest attacks saw spear phishing emails sent to officials working for the governments of Hungary, Belgium, Serbia, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5625,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5687","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5687"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5687"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5687\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5625"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5687"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5687"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5687"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}