
# Chinese hackers target European diplomats with Windows zero-day flaw

**LNK Files Exploited in Windows Shell Link Flaw Deploy PlugX RAT for Persistent Access and Data Exfiltration**

Security researchers have uncovered the exploitation of a Windows zero-day vulnerability by Chinese state-sponsored threat actors, targeting diplomats across Europe. This ongoing espionage campaign has been active since at least 2017 and involves the deployment of the PlugX Remote Access Trojan (RAT) via malicious .LNK files.

### Chinese Espionage Campaign Targets European Diplomats

Arctic Wolf Labs recently reported observing spear-phishing emails sent by a nation-state actor known as Mustang Panda (UNC6384) targeting diplomats in Hungary, Belgium, Serbia, Italy, and the Netherlands. Notably, some victims belong to countries with strong diplomatic and economic ties to China, such as Hungary and Serbia. This operation sheds light on the complex geopolitical espionage landscape, especially following revelations in August 2025 that China was spying on its ally Russia.

### The Exploitation of .LNK Files

The spear-phishing emails were crafted around themes like NATO defense procurement workshops and European Commission border facilitation meetings—topics likely to entice diplomatic officials. These emails contained malicious .LNK files exploiting the CVE-2025-9491 vulnerability to deploy the PlugX RAT.

This bug arises from a flaw in the Windows Shell Link mechanism, specifically a UI misrepresentation issue. A specially crafted .LNK file can disguise the command line that actually runs, so that opening or previewing the shortcut executes a malicious command instead of the one the user appears to see. Although user interaction is required for exploitation, the vulnerability has been assigned a high severity score of 7.8/10.
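As an added illustration of the triage a defender can do on shortcut files (this is example code written for this page, not Arctic Wolf's tooling or anything from the report), the script below parses the Shell Link format far enough to pull out the COMMAND_LINE_ARGUMENTS string and flags argument strings that a quick look at the shortcut's Target field would not reveal in full. The heuristics (an argument string longer than 260 characters, or one containing a run of 16 or more whitespace characters) and the two sample shortcuts it builds are assumptions constructed for the example, not indicators from the campaign.

```python
# Added example: minimal MS-SHLLINK (.LNK) parser plus defender-side heuristics
# for an argument string the properties dialog would not show in full.
# Thresholds and the sample shortcuts are constructed for illustration only.
import struct

# LinkFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData entries in their fixed on-disk order, with the flag enabling each
STRING_DATA = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
               ("arguments", 0x20), ("icon_location", 0x40))
HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
MAX_ARGUMENT_CHARS = 260  # assumed threshold, tune to your environment
MAX_WHITESPACE_RUN = 16   # assumed threshold, tune to your environment


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a Shell Link file."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes itself
    result = {"flags": flags}
    for name, flag in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            result[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            result[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return result


def suspicious_arguments(args: str) -> list:
    """Heuristics for an argument string whose tail a user would not see."""
    findings = []
    if len(args) > MAX_ARGUMENT_CHARS:
        findings.append(f"arguments are {len(args)} chars (> {MAX_ARGUMENT_CHARS})")
    run = longest = 0
    for ch in args:
        run = run + 1 if ch.isspace() else 0
        longest = max(longest, run)
    if longest >= MAX_WHITESPACE_RUN:
        findings.append(f"whitespace run of {longest} chars inside arguments")
    return findings


def scan_lnk(data: bytes) -> dict:
    """Parse one .LNK and report the fields a triage analyst wants to see."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    return {"relative_path": fields.get("relative_path", ""),
            "arguments": args,
            "findings": suspicious_arguments(args)}


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .LNK carrying only RELATIVE_PATH and
    COMMAND_LINE_ARGUMENTS (constructed test data, not a real sample)."""
    flags = STRING_DATA[1][1] | STRING_DATA[3][1] | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))  # remaining header fields zeroed

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    # Constructed samples: an ordinary shortcut and one whose argument string
    # is padded so that its tail sits beyond what the properties dialog shows.
    samples = {"normal": build_lnk(".\\agenda.pdf", "/print"),
               "padded": build_lnk(".\\agenda.pdf", "/print" + " " * 300 + "hidden-tail")}
    for label, blob in samples.items():
        print(label, scan_lnk(blob))
```

In practice you would point `scan_lnk` at .LNK attachments extracted from a mail gateway or at shortcuts found under a user's profile, and treat any finding as a reason to inspect the full argument string rather than the truncated view Explorer presents.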

### PlugX RAT Enables Persistent Access and Data Theft

Once deployed, PlugX provides attackers with persistent access to the compromised system. It allows for eavesdropping on communications, exfiltration of sensitive files, and further system manipulation.

### Long-Running Espionage Campaign Linked to UNC6384

Researchers have identified hundreds, if not thousands, of malicious .LNK samples, some dating back to 2017, tying the vulnerability exploitation to long-term Chinese espionage operations.

“Arctic Wolf Labs assesses with high confidence that this campaign is attributable to UNC6384, a Chinese-affiliated cyber espionage threat actor,” the report states. This conclusion is based on multiple factors, including malware tools, tactics, targeting patterns, and overlaps in infrastructure with previously known UNC6384 activities.

https://www.techradar.com/pro/security/chinese-hackers-target-european-diplomats-with-windows-zero-day-flaw
