Chinese Hackers Exploit Windows Zero-Day to Target European Diplomats in Espionage Campaign
October 31, 2025
PlugX provides broad espionage capabilities including command execution, file transfer, keylogging and persistence, all executed in memory while masquerading as legitimate processes.
The campaign signals broader cybersecurity risks beyond diplomacy, potentially affecting critical infrastructure given Windows' ubiquity and the lack of a patch at the time.
The operation began with spearphishing emails referencing European Commission meetings, NATO workshops, and multilateral diplomacy, targeting several European governments and institutions including Serbia, Italy, and the Netherlands.
Attackers use convincing fake meeting agendas and travel documents to coax diplomats into opening malicious files, leveraging an unpatched Windows shortcut bug that executes hidden commands when a user clicks an icon.
Microsoft has not yet released a patch, prompting recommendations for enhanced monitoring, behavioral analytics, proactive threat hunting and zero-trust architectures.
Delivery methods include HTA files and external JavaScript that fetches payloads from a CloudFront subdomain, showing an evolving toolchain and ongoing development.
Arctic Wolf links UNC6384 to Mustang Panda with ties in tools, infrastructure, and objectives, noting tactical evolution and cross-border reach.
The infrastructure uses multiple domains mimicking legitimate services, with Let’s Encrypt certificates; malware creates hidden folders and persists via the Windows Registry Run key.
PlugX operates in a memory-resident variant (SOGU.SEC) to gain remote access, execute commands, log keystrokes, exfiltrate data, and conduct system reconnaissance, aided by a modular architecture and anti-analysis protections.
Additional defensive measures call for mitigating DLL side-loading and memory-resident malware, plus ongoing threat hunting for stealthy tooling.
Defensive guidance includes disabling automatic resolution of .lnk files, blocking identified C2 domains, scanning for Canon printer utilities in unusual locations, and pursuing proactive threat hunting and security awareness training to detect spearphishing with ordinary-looking calendar invites.
A legitimate but expired printer utility with a valid digital signature is used to bypass some security tools and aid malware delivery, because Windows trusts a signature that was timestamped while the certificate was still valid.
This report references Asger Risom and notes possible AI assistance in preparing the summary.
Microsoft notes Defender detections and Smart App Control can help block these threats, underscoring defense-in-depth for organizations handling sensitive diplomatic data.
A Chinese-linked hacking group known as UNC6384 is exploiting a Windows zero-day, CVE-2025-9491, to target European diplomats in Hungary, Belgium and other European nations.
Arctic Wolf Labs observed rapid evolution of the CanonStager loader, shrinking from about 700KB to 4KB between September and October to evade detection and sustain persistence.
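As an added hunting example (not code from Arctic Wolf, Microsoft or any of the cited reports), the PowerShell below checks two of the defensive points above: Run-key persistence whose target sits in a user-writable or hidden folder, and signed executables under user-writable paths whose signer subject matches a vendor name, reporting whether the certificate has expired and whether the signature is timestamped. The signer pattern `*Canon*`, the directory list and the function names are assumptions for illustration; the page names no specific file, hash or domain, so none is embedded.

```powershell
# Added example, not from the cited reports. Assumptions: the signer-subject
# pattern '*Canon*' and the directory list are illustrative; no indicators from
# the reports are embedded.

$UserWritableRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC,
    (Join-Path $env:USERPROFILE 'Downloads')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Test-HiddenDirectory {
    param([string]$Path)
    # True when the directory containing $Path carries the Hidden attribute
    $dir = Split-Path -Parent $Path
    if (-not ($dir -and (Test-Path -LiteralPath $dir))) { return $false }
    $attrs = (Get-Item -LiteralPath $dir -Force).Attributes
    return $attrs.HasFlag([IO.FileAttributes]::Hidden)
}

function Get-SuspiciousRunEntries {
    # Run/RunOnce values whose executable sits in a user-writable or hidden folder
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # provider metadata, not a registry value
            $cmd = [string]$props.$name
            # Pull the executable out of a quoted or unquoted command line
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if (-not $exe) { continue }
            $inUserWritable = [bool]($UserWritableRoots | Where-Object {
                $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            $hidden = Test-HiddenDirectory -Path $exe
            if ($inUserWritable -or $hidden) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; HiddenDir = $hidden }
            }
        }
    }
}

function Find-VendorSignedBinariesInUserPaths {
    param([string]$SignerPattern = '*Canon*')   # assumption: vendor name appears in the signer subject
    foreach ($root in $UserWritableRoots) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -Filter '*.exe' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $cert = $sig.SignerCertificate
                if ($cert -and $cert.Subject -like $SignerPattern) {
                    [pscustomobject]@{
                        Path        = $_.FullName
                        Signer      = $cert.Subject
                        Status      = $sig.Status   # stays Valid after expiry when the signature was timestamped
                        CertExpired = $cert.NotAfter -lt (Get-Date)
                        Timestamped = [bool]$sig.TimeStamperCertificate
                    }
                }
            }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
Find-VendorSignedBinariesInUserPaths | Format-Table -AutoSize
```

A hit from the second function with `Status` Valid, `CertExpired` True and `Timestamped` True is exactly the signed-but-expired situation the summary describes, and its location under a user profile rather than a program directory is what makes it worth triage; both functions emit objects, so they can be piped into a SIEM export or a scheduled hunt rather than only to the console.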
Summary based on 12 sources
Sources

BleepingComputer (Oct 31, 2025): Windows zero-day actively exploited to spy on European diplomats
The Register (Oct 30, 2025): Suspected Chinese snoops weaponize unpatched Windows flaw to spy on European diplomats
The Hacker News (Oct 31, 2025): China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats
SecurityWeek (Oct 31, 2025): Chinese APT Exploits Unpatched Windows Flaw in Recent Attacks