BuzzBoard

China-Linked Hackers Launch Major Cyber Espionage Attack Targeting European Diplomats

UNC6384 Group Exploits Windows Vulnerability and Canon Software to Deploy Advanced PlugX Malware Across Europe.

A sophisticated cyber espionage campaign linked to Chinese state-backed hackers has infiltrated multiple European diplomatic networks, according to new research by Arctic Wolf Labs. The campaign, attributed to the China-aligned hacking group UNC6384, used a Windows vulnerability and signed Canon software to deploy an upgraded version of PlugX malware, marking one of the most complex cyberattacks in Europe this year.

The operation targeted diplomatic entities and government agencies in Hungary, Belgium, Serbia, Italy, and the Netherlands, exploiting official-looking EU and NATO-themed phishing lures to breach secure systems.

How the China-Linked UNC6384 Cyberattack Worked
According to Arctic Wolf Labs, UNC6384 is part of a larger network of Chinese state-aligned cyber espionage groups that previously targeted diplomats in Southeast Asia. The group has now expanded its focus to Europe, employing advanced social engineering, legitimate code-signing, and memory-resident malware to evade detection.

The attackers used a distributed command-and-control (C2) infrastructure hosted on legitimate-looking domains with encrypted communications, allowing them to blend in with normal traffic and avoid security monitoring. Researchers describe UNC6384’s tactics as “stealthy, legitimate, and geopolitically precise”, demonstrating an evolution in China’s cyber intelligence capabilities.

Exploiting a Windows Vulnerability for Espionage
The group exploited ZDI-CAN-25373, a Windows shortcut (LNK) vulnerability disclosed in March 2025, to execute remote malicious commands. Within just six months of the flaw’s discovery, UNC6384 weaponized it for targeted espionage attacks.

Victims received phishing emails disguised as official EU or NATO meeting invitations. Once opened, the malicious shortcut launched an obfuscated PowerShell script, which downloaded a compressed archive disguised as Canon software.

This file contained:

  • A legitimate Canon executable (cnmpaui.exe)
  • A malicious DLL loader (cnmpaui.dll)
  • An encrypted PlugX payload (cnmplog.dat)

The attackers leveraged DLL side-loading, abusing the legitimate executable's normal DLL-loading behaviour to load the malicious DLL and stealthily place PlugX in system memory, bypassing antivirus defenses. The legitimate Canon executable, signed with a Symantec certificate between 2015 and 2018, decrypted the hidden payload with a built-in key, allowing the malware to execute undetected.
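As an added example that is not from the article or Arctic Wolf Labs, the following Python heuristic flags the side-loading pattern described above: a vendor executable loading a same-named DLL from a user-writable directory rather than its install location. The event fields are modelled on Sysmon ImageLoad (Event ID 7) records, and all paths are constructed.

```python
"""Heuristic detector for the DLL side-loading pattern: a vendor executable
loading a same-named DLL from a user-writable directory. Event records are
constructed to resemble Sysmon ImageLoad (Event ID 7) fields."""
import ntpath

# Install roots where a legitimately deployed vendor binary is expected to live.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed sample telemetry; every path below is illustrative only.
SAMPLE_EVENTS = [
    # Suspicious: cnmpaui.exe running from %TEMP% loads an unsigned cnmpaui.dll beside it.
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\CanonUpd\cnmpaui.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\CanonUpd\cnmpaui.dll", "Signed": "false"},
    # Benign: the same pairing from a proper Program Files install with a signed DLL.
    {"EventID": 7, "Image": r"C:\Program Files\Canon\Utility\cnmpaui.exe",
     "ImageLoaded": r"C:\Program Files\Canon\Utility\cnmpaui.dll", "Signed": "true"},
    # Benign: a binary in %TEMP% loading a system DLL from System32 (different directory).
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    # Ignored: a process-creation event (Event ID 1), not an image load.
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]

def is_user_writable(path: str) -> bool:
    """True when the directory lies outside the trusted install roots (e.g. %APPDATA%, %TEMP%)."""
    return not path.lower().startswith(TRUSTED_ROOTS)

def detect_sideload(events):
    """Return one alert string per ImageLoad event matching the side-loading heuristic."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        exe_dir, exe_name = ntpath.split(ev["Image"])
        dll_dir, dll_name = ntpath.split(ev["ImageLoaded"])
        same_dir = exe_dir.lower() == dll_dir.lower()
        same_stem = ntpath.splitext(exe_name)[0].lower() == ntpath.splitext(dll_name)[0].lower()
        if same_dir and same_stem and is_user_writable(exe_dir):
            # An unsigned companion DLL next to a signed vendor binary is the strongest signal.
            severity = "high" if ev.get("Signed", "false").lower() == "false" else "medium"
            alerts.append(f"[{severity}] possible DLL side-loading: {exe_name} loaded {dll_name} from {exe_dir}")
    return alerts

if __name__ == "__main__":
    for line in detect_sideload(SAMPLE_EVENTS):
        print(line)
```

On the constructed sample, only the %TEMP% pairing is flagged; the Program Files install and the System32 load pass silently.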

Smaller Malware, Bigger Impact
Further research by StrikeReady and Arctic Wolf Labs revealed that the group’s CanonStager loader has evolved significantly, shrinking from 700KB to just 4KB between September and October 2025.

This size reduction drastically reduces the loader's footprint, enabling faster infiltration and evasion of forensic analysis. The group used domains like racineupci[.]org and dorareco[.]net, along with Amazon CloudFront and HTA-based delivery, making detection nearly impossible even for advanced cybersecurity defense centers.
