UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities
Oct. 31, 2025, 9:45 a.m.
Description
Chinese-affiliated threat actor UNC6384 is conducting a cyber espionage campaign targeting European diplomatic entities, particularly in Hungary and Belgium. The group exploits the ZDI-CAN-25373 Windows vulnerability to deliver PlugX malware through spearphishing emails with malicious LNK files. The campaign uses diplomatic conference themes as lures and employs DLL side-loading of legitimate Canon printer utilities. UNC6384 has expanded its operations from Southeast Asia to Europe, demonstrating rapid adoption of new vulnerabilities and refined social engineering techniques. The malware provides persistent remote access for intelligence collection on European foreign policy, defense cooperation, and economic matters. This campaign highlights the evolving capabilities of Chinese cyber espionage efforts and their strategic focus on diplomatic targets.
Tags
Date
- Created: Oct. 31, 2025, 8:35 a.m.
- Published: Oct. 31, 2025, 8:35 a.m.
- Modified: Oct. 31, 2025, 9:45 a.m.
Indicators
Additional Information
- Government
- Hungary
- Belgium
- Serbia
- Netherlands
- Italy