Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats
Summary
A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats in Hungary, Belgium, Italy and the Netherlands, as well as Serbian government agencies. The campaign uses spearphishing emails carrying malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems, and has broadened in scope to include diplomatic entities from Italy and the Netherlands. The vulnerability allows remote code execution on targeted Windows systems, enabling the group to monitor diplomatic communications and steal sensitive data. Microsoft initially released no patch for the vulnerability, which has been heavily exploited by multiple state-sponsored groups and cybercrime gangs since March 2025. In the November updates Microsoft silently mitigated it by changing how Windows displays LNK files so that all characters in the Target field are shown, not just the first 260. ACROS Security has also released an unofficial patch that limits shortcut target strings to 260 characters and warns users about potential dangers.
Timeline
31.10.2025 13:29 · 5 articles
UNC6384 (Mustang Panda) Exploits Windows Zero-Day in Espionage Campaign

The attack chain begins with spear-phishing emails containing an embedded URL that leads to the delivery of malicious LNK files. The malicious LNK files exploit ZDI-CAN-25373 to trigger a multi-stage attack chain. The PlugX malware is also referred to as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG. The threat actor has been observed delivering a memory-resident variant of PlugX called SOGU.SEC. The latest attack wave uses phishing emails with diplomatic lures to entice recipients into opening a bogus attachment. The LNK file is designed to launch a PowerShell command to decode and extract the contents of a TAR archive and simultaneously display a decoy PDF document to the user.

The malware provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions. PlugX implements various anti-analysis techniques and anti-debugging checks to resist efforts to unpack its internals and fly under the radar. PlugX achieves persistence by means of a Windows Registry modification.

The CanonStager artifacts found in early September and October 2025 show a steady decline in size from approximately 700 KB to 4 KB, indicating active development and its evolution into a minimal tool capable of achieving its goals without leaving much of a forensic footprint. The campaign's focus on European diplomatic entities involved in defense cooperation, cross-border policy coordination, and multilateral diplomatic frameworks aligns with PRC strategic intelligence requirements concerning European alliance cohesion, defense initiatives, and policy coordination mechanisms.

Microsoft has silently mitigated the high-severity Windows LNK vulnerability (CVE-2025-9491) exploited by multiple state-backed and cybercrime hacking groups. The mitigation, shipped in the November updates, changes how Windows displays LNK files so that all characters in the Target field are shown, not just the first 260. ACROS Security has also released an unofficial patch that limits shortcut target strings to 260 characters and warns users about potential dangers.

Sources:
- Windows zero-day actively exploited to spy on European diplomats — www.bleepingcomputer.com — 31.10.2025 13:29
- Chinese-Linked Hackers Exploit Windows Flaw to Spy on Belgian and Hungarian Diplomats — www.infosecurity-magazine.com — 31.10.2025 14:10
- China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats — thehackernews.com — 31.10.2025 15:57
- Microsoft "mitigates" Windows LNK flaw exploited as zero-day — www.bleepingcomputer.com — 03.12.2025 18:45
- Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation — thehackernews.com — 03.12.2025 19:46
Information Snippets
First reported: 31.10.2025 13:29 · 3 sources, 5 articles
- The attack chain begins with spearphishing emails targeting European diplomats.
- Malicious LNK files exploit a high-severity Windows LNK vulnerability (CVE-2025-9491).
- The PlugX RAT is deployed to gain persistence on compromised systems.
- The campaign is attributed to the Chinese state-backed threat group UNC6384 (Mustang Panda).
- The attacks have broadened to target Serbian government agencies and diplomatic entities from Italy and the Netherlands.
- The zero-day vulnerability enables remote code execution on targeted Windows systems.
- Microsoft has not yet released a patch for CVE-2025-9491.
- The vulnerability has been exploited by multiple state-sponsored groups and cybercrime gangs since March 2025.
First reported: 31.10.2025 14:10 · 3 sources, 4 articles
- The campaign began with spear phishing emails themed around diplomatic meetings and conferences.
- The malicious LNK files exploit ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025.
- The LNK file invokes PowerShell with an obfuscated command that decodes a tar archive file named rjnlzlkfe.ta.
- The tar archive contains three critical files that enable the attack chain through DLL side-loading.
- The malware includes a legitimate Canon printer assistant utility with an expired digital signature.
- The second file, cnmpaui.dll, serves as a lightweight loader designed to decrypt and execute the PlugX payload.
- PlugX is a RAT that provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions.
- The campaign targeted Hungarian and Belgian diplomats and potentially Serbian government officials.
- The campaign highlights UNC6384's growing sophistication and geographic expansion in cyber espionage against diplomatic targets.
- UNC6384 weaponized ZDI-CAN-25373 just six months after its disclosure, showing a sustained ability to integrate exploits into its tradecraft.
First reported: 31.10.2025 15:57 · 2 sources, 3 articles
- The attack chain begins with spear-phishing emails containing an embedded URL that leads to the delivery of malicious LNK files.
- The malicious LNK files exploit ZDI-CAN-25373 to trigger a multi-stage attack chain.
- The PlugX malware is also referred to as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG.
- The threat actor has been observed delivering a memory-resident variant of PlugX called SOGU.SEC.
- The latest attack wave uses phishing emails with diplomatic lures to entice recipients into opening a bogus attachment.
- The LNK file is designed to launch a PowerShell command to decode and extract the contents of a TAR archive and simultaneously display a decoy PDF document to the user.
- The malware provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions.
- PlugX implements various anti-analysis techniques and anti-debugging checks to resist efforts to unpack its internals and fly under the radar.
- PlugX achieves persistence by means of a Windows Registry modification.
- The CanonStager artifacts found in early September and October 2025 show a steady decline in size from approximately 700 KB to 4 KB, indicating active development and its evolution into a minimal tool capable of achieving its goals without leaving much of a forensic footprint.
- The campaign's focus on European diplomatic entities involved in defense cooperation, cross-border policy coordination, and multilateral diplomatic frameworks aligns with PRC strategic intelligence requirements concerning European alliance cohesion, defense initiatives, and policy coordination mechanisms.
First reported: 03.12.2025 18:45 · 2 sources, 2 articles
- Microsoft has silently mitigated a high-severity Windows LNK vulnerability (CVE-2025-9491) exploited by multiple state-backed and cybercrime hacking groups.
- The vulnerability allows attackers to hide malicious commands within Windows LNK files by padding the Target field with whitespace to evade detection.
- Microsoft's mitigation, shipped in the November updates, changes how Windows displays LNK files so that all characters in the Target field are shown, not just the first 260.
- ACROS Security has released an unofficial patch via its 0patch micropatch platform that limits all shortcut target strings to 260 characters and warns users about potential dangers.
First reported: 03.12.2025 19:46 · 1 source, 1 article
- The vulnerability in question is CVE-2025-9491 (CVSS score: 7.8/7.0), which has been described as a Windows Shortcut (LNK) file UI misinterpretation vulnerability that could lead to remote code execution.
- The flaw exists within the handling of .LNK files, where crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface.
- The issue is tracked as ZDI-CAN-25373 and has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns, some of which date back to 2017.
- Microsoft initially stated that the flaw did not meet the bar for immediate servicing and that it would consider fixing it in a future release.
- The flaw was abused by a cyber espionage cluster known as XDSpy to distribute a Go-based malware called XDigo as part of attacks targeting Eastern European governmental entities.
- In late October 2025, the issue was weaponized by China-affiliated threat actors in attacks aimed at European diplomatic and government entities to deliver the PlugX malware.
- Microsoft's silent patch addresses the problem by showing the entire Target command with its arguments in the Properties dialog, no matter its length.
- 0patch's micropatch for the same flaw takes a different route, displaying a warning when users attempt to open an LNK file whose target string exceeds 260 characters.
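As an added example that is not code from any of the cited articles, the following Python parses the StringData section of a .LNK file and flags the Target-field whitespace padding the snippets above describe, reporting both the condition the 0patch micropatch warns on (a target over 260 characters) and the narrower case of non-whitespace content sitting beyond the region the Properties dialog used to show. The 16-character minimum padding run, the use of RelativePath as the displayed path, and the two fixtures are assumptions of this example.

```python
"""Flag .LNK files whose Target is padded with whitespace (CVE-2025-9491 / ZDI-CAN-25373 pattern)."""
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from MS-SHLLINK that this parser needs
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData structures appear in this fixed order, each present only if its flag is set
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

LEGACY_DISPLAY_LIMIT = 260   # characters the Properties dialog showed before the Nov 2025 change
PAD_CHARS = " \t\r\n\x0b\x0c"  # whitespace that pads the Target without changing how it runs
MIN_PAD_RUN = 16             # assumption: shorter runs are treated as ordinary spacing


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and the StringData section of a Shell Link file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # 2-byte size that does not count itself
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:  # 4-byte size that counts itself
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    strings = {}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            strings[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            strings[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return {"flags": flags, "strings": strings}


def analyze_target(parsed: dict) -> dict:
    """Report whether the Target shown in the Properties dialog could hide content."""
    strings = parsed["strings"]
    args = strings.get("arguments", "")
    # Approximation: the dialog shows "<target path> <arguments>"; RelativePath stands in
    # for the resolved path because this example does not walk the LinkTargetIDList.
    path = strings.get("relative_path", "")
    display = f"{path} {args}" if args else path
    longest = run = 0
    for ch in args:  # longest run of whitespace inside the arguments
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    hidden = display[LEGACY_DISPLAY_LIMIT:].strip(PAD_CHARS)  # content beyond the old visible region
    findings = []
    if len(display) > LEGACY_DISPLAY_LIMIT:  # what the 0patch micropatch warns on
        findings.append("target exceeds the 260-character legacy display limit")
    if longest >= MIN_PAD_RUN and hidden:  # the padding pattern the snippets describe
        findings.append(f"{longest} whitespace characters push content past the visible Target")
    return {"display_length": len(display), "longest_whitespace_run": longest,
            "hidden_content": hidden, "findings": findings,
            "suspicious": longest >= MIN_PAD_RUN and bool(hidden)}


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal, structurally valid LNK as a constructed fixture for the detector."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # size, CLSID, flags, FileAttributes, 3 timestamps, FileSize, IconIndex, ShowCommand, HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    # Constructed fixtures: an ordinary shortcut and one padded the way the snippets describe
    fixtures = {"clean": build_lnk(r".\report.pdf", "/open"),
                "padded": build_lnk(r".\report.pdf", " " * 300 + "/flag")}
    for label, blob in fixtures.items():
        result = analyze_target(parse_lnk(blob))
        print(label, result["suspicious"], result["findings"])
```

On a real sample the RelativePath may be absent, in which case the check still runs on the arguments alone and a separate IDList walk would be needed to reproduce the full displayed path.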
Similar Happenings
Microsoft to Strengthen Entra ID Sign-Ins Against Script Injection Attacks
Microsoft plans to enhance the security of Entra ID authentication by implementing a strengthened Content Security Policy (CSP) starting in mid-to-late October 2026. This update will allow script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources during sign-ins. The policy aims to protect users against cross-site scripting (XSS) attacks, where attackers inject malicious code to steal credentials or compromise systems. The update will apply only to browser-based sign-in experiences at URLs beginning with login.microsoftonline.com, excluding Microsoft Entra External ID. Microsoft urges organizations to test sign-in scenarios before the deadline to identify and address dependencies on code-injection tools. IT administrators can review sign-in flows in the browser developer console to identify violations. Enterprise customers are advised to stop using browser extensions and tools that inject code or scripts into sign-in pages before the change takes effect.

This move is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023, following a report by the Cyber Safety Review Board of the U.S. Department of Homeland Security. The initiative also includes updates to Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols, and the disabling of all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps. Additionally, Microsoft has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures. The adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%. Microsoft has enforced Mandatory MFA across all services, including for all Azure service users.

The company has also introduced Automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust. Microsoft has migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK). The company has discontinued the use of Active Directory Federation Services (ADFS) in its productivity environment and decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments. Microsoft has advanced threat hunting by centrally tracking 98% of production infrastructure, achieved complete network device inventory and mature asset lifecycle management, and almost entirely locked code signing to production identities. The company has published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties.
APT24 Utilizes BadAudio Malware in Multi-Year Espionage Campaign
APT24, a China-linked threat group, has been using previously undocumented BadAudio malware in a nearly three-year espionage campaign targeting Windows systems. The campaign, active since November 2022, employed various attack methods including spearphishing, supply-chain compromise, and watering hole attacks. The malware is heavily obfuscated and uses sophisticated techniques to evade detection and hinder analysis. From November 2022 to at least September 2025, APT24 compromised over 20 legitimate websites to inject malicious JavaScript code, targeting specific visitors. Starting July 2024, the group compromised a Taiwanese digital marketing company, injecting malicious JavaScript into widely used libraries, affecting over 1,000 domains. Additionally, APT24 launched spearphishing operations using emails impersonating animal rescue organizations and leveraging cloud services for malware distribution. The BadAudio malware collects system details, communicates with a hard-coded C2 server, and executes payloads in memory using DLL sideloading. Despite its prolonged use, the malware remained largely undetected, with only a few samples flagged by antivirus engines. APT24 has been active since at least 2008, targeting various sectors including government, healthcare, construction, and telecommunications. The group is closely related to the Earth Aughisky group, which has also deployed Taidoor and Specas malware.
Windows GDI Vulnerabilities Resurface
Three vulnerabilities in the Windows Graphics Device Interface (GDI), CVE-2025-30388, CVE-2025-53766, and CVE-2025-47984, were disclosed; they enable remote code execution or information disclosure and were located in gdiplus.dll and gdi32full.dll. Microsoft addressed them in the May, July, and August 2025 Patch Tuesday updates. Each involves out-of-bounds memory access triggered by malformed enhanced metafile (EMF) and EMF+ records, which corrupts memory while an image is rendered. The cases illustrate how such bugs can sit undetected for years and resurface when a fix is incomplete, and how hard it is to verify that a patch fully closes the underlying flaw rather than one path to it.
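The class of malformation described above is a record whose declared size does not match the bytes actually present. As an added example, not Microsoft's gdiplus/gdi32full code and not tied to any of the three CVEs, the following Python walker shows the bounds checks a metafile parser has to apply to the EMF record header (4-byte type, 4-byte size) and to the EMF+ records nested inside EMR_COMMENT before it touches record-specific data. Field layouts follow the published EMF/EMF+ record headers; the sample bytes are constructed here (a placeholder header, one EMF+ comment and EMR_EOF) and are not a renderable image. The walker does not validate header contents, only sizes.

```python
import struct

EMR_HEADER = 1
EMR_EOF = 14
EMR_COMMENT = 70
EMFPLUS_COMMENT_ID = 0x2B464D45  # the bytes "EMF+" read as a little-endian DWORD


class MalformedEmf(ValueError):
    """Raised before any read past the end of the buffer would happen."""


def walk_emf_records(data: bytes):
    """Yield (offset, type, payload) per EMF record, validating nSize before use."""
    total, off, seen_header = len(data), 0, False
    while True:
        if total - off < 8:
            raise MalformedEmf(f"truncated record header at offset {off}")
        rtype, rsize = struct.unpack_from("<II", data, off)
        # Every EMF record is at least its 8-byte header and is 4-byte aligned.
        if rsize < 8 or rsize % 4:
            raise MalformedEmf(f"record type {rtype} at {off} has bad size {rsize}")
        # The check that matters: nSize is attacker-controlled, the buffer length is not.
        if rsize > total - off:
            raise MalformedEmf(f"record type {rtype} at {off} declares {rsize} bytes, {total - off} remain")
        if not seen_header:
            if rtype != EMR_HEADER:
                raise MalformedEmf("first record is not EMR_HEADER")
            seen_header = True
        yield off, rtype, data[off + 8:off + rsize]
        off += rsize
        if rtype == EMR_EOF:
            if off != total:
                raise MalformedEmf(f"{total - off} trailing bytes after EMR_EOF")
            return
        if off == total:
            raise MalformedEmf("metafile ends without EMR_EOF")


def parse_emfplus_comment(payload: bytes):
    """Return EMF+ records [(type, flags, data)] from an EMR_COMMENT payload, [] if not EMF+."""
    if len(payload) < 4:
        raise MalformedEmf("EMR_COMMENT shorter than its DataSize field")
    (data_size,) = struct.unpack_from("<I", payload, 0)
    if data_size > len(payload) - 4:
        raise MalformedEmf(f"comment DataSize {data_size} exceeds record body {len(payload) - 4}")
    body = payload[4:4 + data_size]
    if len(body) < 4 or struct.unpack_from("<I", body, 0)[0] != EMFPLUS_COMMENT_ID:
        return []  # an ordinary comment carries nothing to render
    records, off = [], 4
    while off < len(body):
        if len(body) - off < 12:
            raise MalformedEmf(f"truncated EMF+ record header at comment offset {off}")
        rtype, flags, size, dsize = struct.unpack_from("<HHII", body, off)
        # EMF+ records carry Size and DataSize; both must agree with each other and the buffer.
        if size < 12 or size % 4 or dsize != size - 12:
            raise MalformedEmf(f"EMF+ record {rtype:#06x} has inconsistent Size/DataSize")
        if size > len(body) - off:
            raise MalformedEmf(f"EMF+ record {rtype:#06x} declares {size} bytes, {len(body) - off} remain")
        records.append((rtype, flags, body[off + 12:off + size]))
        off += size
    return records


def check_metafile(data: bytes) -> dict:
    """Validate a whole buffer; never raises, reports the first problem found."""
    result = {"ok": True, "record_types": [], "emfplus_records": 0, "error": None}
    try:
        for _off, rtype, payload in walk_emf_records(data):
            result["record_types"].append(rtype)
            if rtype == EMR_COMMENT:
                result["emfplus_records"] += len(parse_emfplus_comment(payload))
    except MalformedEmf as exc:
        result.update(ok=False, error=str(exc))
    return result


def _record(rtype: int, payload: bytes) -> bytes:
    """Build one EMF record with a correct nSize and 4-byte padding (sample construction only)."""
    payload += b"\0" * (-len(payload) % 4)
    return struct.pack("<II", rtype, 8 + len(payload)) + payload


# Constructed sample, not a renderable metafile: a placeholder header, one EMF+
# comment holding an EmfPlusHeader record (type 0x4001, 16 data bytes), and EMR_EOF.
_EMFPLUS_HEADER = struct.pack("<HHII", 0x4001, 1, 28, 16) + struct.pack("<IIII", 0xDBC01002, 1, 96, 96)
_COMMENT_BODY = struct.pack("<I", EMFPLUS_COMMENT_ID) + _EMFPLUS_HEADER
SAMPLE_EMF = (_record(EMR_HEADER, b"\0" * 80)
              + _record(EMR_COMMENT, struct.pack("<I", len(_COMMENT_BODY)) + _COMMENT_BODY)
              + _record(EMR_EOF, struct.pack("<III", 0, 0, 0)))

# The same bytes with the comment's nSize inflated past the end of the buffer:
# a renderer that trusts nSize reads out of bounds here; this walker refuses.
_bad = bytearray(SAMPLE_EMF)
struct.pack_into("<I", _bad, 88 + 4, 0x1000)  # 88 = size of the header record above
SAMPLE_EMF_OVERSIZED = bytes(_bad)

if __name__ == "__main__":
    print(check_metafile(SAMPLE_EMF))
    print(check_metafile(SAMPLE_EMF_OVERSIZED))
```

The point of keeping the EMF+ check separate is that a fix applied only to the outer EMF walker leaves the nested record parser exposed, which is the kind of partial patch the paragraph above describes.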
HttpTroy Backdoor Deployed in Targeted South Korean Cyberattack
The North Korea-linked threat actor Kimsuky distributed a new backdoor named HttpTroy in a targeted spear-phishing attack against a South Korean entity. The lure was a ZIP file disguised as a VPN invoice that carried a multi-stage malware chain: a dropper, a loader (MemLoad), and the final backdoor (HttpTroy). The ZIP contained a Windows screensaver (.scr) executable that displayed a Korean-language PDF invoice while running the rest of the chain until the backdoor was active. HttpTroy supports file transfers, screenshot capture, command execution, and other remote actions, and communicates with its command-and-control server over HTTP POST requests. It stays stealthy by encrypting its communications, obfuscating its payloads, and executing code in memory. The attack was detected by Gen Digital, which did not specify the exact timeline of the incident; no known vulnerabilities were exploited, so a phishing email is the suspected initial vector. The attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in its attacks. These groups abuse legitimate services and Windows processes to dodge security tools, use a different encryption method for each step of a multistage infection chain, and rely on memory-resident execution and dynamic API resolution to keep the malicious code off disk and out of static signatures.
New CoPhish technique exploits Microsoft Copilot for OAuth phishing
A new phishing technique called 'CoPhish' leverages Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests. Because the agent and its sign-in prompt are served from legitimate, trusted Microsoft domains, users are more likely to grant the requested permissions to an attacker-controlled application. The technique was developed by researchers at Datadog Security Labs, who highlighted the risk created by the flexibility of Copilot Studio. Microsoft has acknowledged the issue and plans to address it in a future update. The attack targets ordinary users as well as administrators: the attacker attaches a malicious OAuth application to a Copilot Studio agent, then distributes the agent via email or messaging platforms, leaving the recipient little to distinguish the consent request from a legitimate one. Defenders can reduce exposure by limiting administrative privileges, reducing the permissions applications are granted, enforcing governance policies, implementing a strong application consent policy, disabling the default that lets users create applications, and closely monitoring application consent events in Entra ID together with Copilot Studio agent creation events.
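Two of the mitigations listed above (a strong consent policy, and watching consent events) can be checked against data a tenant owner already has from Microsoft Graph. The following is an added example, not Datadog's research code and not a Microsoft tool: `assess_consent_posture()` reads an Entra authorizationPolicy object (the resource behind GET /policies/authorizationPolicy) and reports settings that let non-admins consent to or register applications, and `triage_consent_events()` reads directoryAudit entries (GET /auditLogs/directoryAudits) and flags "Consent to application" events that are user-initiated, target an app outside an allow-list, or grant sensitive scopes. The allow-list and the sensitive-scope set are assumptions, the sample policy and audit entries are constructed in the Graph resource shape rather than captured from a tenant, and the parsing of the ConsentAction.Permissions detail is simplified to the "Scope: ..." fragment it contains.

```python
import re

# Tenant-specific assumptions for this example.
APPROVED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}   # apps your tenant has vetted
SENSITIVE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
                    "Directory.ReadWrite.All", "User.Read.All", "offline_access"}


def assess_consent_posture(policy: dict) -> list[str]:
    """Return findings for authorizationPolicy settings that make consent phishing viable."""
    findings = []
    perms = policy.get("defaultUserRolePermissions", {})
    # Any grant policy assigned here lets ordinary users approve app permissions
    # themselves, which is exactly the prompt a CoPhish agent presents.
    assigned = perms.get("permissionGrantPoliciesAssigned", [])
    if assigned:
        findings.append("user consent enabled via " + ", ".join(assigned)
                        + "; set permissionGrantPoliciesAssigned to [] or a low-privilege policy")
    if perms.get("allowedToCreateApps", True):
        findings.append("users may register applications; set allowedToCreateApps to false")
    return findings


def _details(event: dict) -> dict:
    """Flatten Graph's additionalDetails [{key, value}, ...] into a dict."""
    return {d["key"]: d["value"] for d in event.get("additionalDetails", [])}


def _scopes(permissions_text: str) -> set[str]:
    """Pull the space-separated scope list out of the ConsentAction.Permissions text (simplified)."""
    m = re.search(r"Scope:\s*([^,\]]+)", permissions_text)
    return set((m.group(1) if m else permissions_text).split())


def triage_consent_events(events: list[dict]) -> list[dict]:
    """Flag consent grants that are user-initiated, off the allow-list, or sensitive."""
    flagged = []
    for ev in events:
        if ev.get("activityDisplayName") != "Consent to application":
            continue
        details = _details(ev)
        target = next((t for t in ev.get("targetResources", [])
                       if t.get("type") == "ServicePrincipal"), {})
        app_id = details.get("AppId") or target.get("id")
        scopes = _scopes(details.get("ConsentAction.Permissions", ""))
        reasons = []
        if details.get("ConsentContext.IsAdminConsent", "False") != "True":
            reasons.append("user-initiated consent")
        if app_id not in APPROVED_APP_IDS:
            reasons.append("app not on allow-list")
        if scopes & SENSITIVE_SCOPES:
            reasons.append("sensitive scopes: " + ", ".join(sorted(scopes & SENSITIVE_SCOPES)))
        if reasons:
            flagged.append({"user": ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName"),
                            "app": target.get("displayName"), "app_id": app_id, "reasons": reasons})
    return flagged


# Constructed samples (Graph resource shape, not real tenant data).
WEAK_POLICY = {"defaultUserRolePermissions": {
    "allowedToCreateApps": True,
    "permissionGrantPoliciesAssigned": ["ManagePermissionGrantsForSelf.microsoft-user-default-legacy"]}}
HARDENED_POLICY = {"defaultUserRolePermissions": {
    "allowedToCreateApps": False, "permissionGrantPoliciesAssigned": []}}

SAMPLE_EVENTS = [
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "id": "22222222-2222-2222-2222-222222222222",
                          "displayName": "Copilot Helper"}],
     "additionalDetails": [
         {"key": "AppId", "value": "22222222-2222-2222-2222-222222222222"},
         {"key": "ConsentContext.IsAdminConsent", "value": "False"},
         {"key": "ConsentAction.Permissions",
          "value": "[] => [[Id: grant1, ConsentType: Principal, Scope: openid profile offline_access Mail.Read, ExpiryTime: ]]"}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "id": "11111111-1111-1111-1111-111111111111",
                          "displayName": "Vetted LOB App"}],
     "additionalDetails": [
         {"key": "AppId", "value": "11111111-1111-1111-1111-111111111111"},
         {"key": "ConsentContext.IsAdminConsent", "value": "True"},
         {"key": "ConsentAction.Permissions",
          "value": "[] => [[Id: grant2, ConsentType: AllPrincipals, Scope: User.Read, ExpiryTime: ]]"}]},
    {"activityDisplayName": "Add service principal", "additionalDetails": []},
]

if __name__ == "__main__":
    print(assess_consent_posture(WEAK_POLICY))
    print(assess_consent_posture(HARDENED_POLICY))
    for hit in triage_consent_events(SAMPLE_EVENTS):
        print(hit)
```

In a real tenant the same two functions take the JSON returned by the Graph calls named in the lead-in; the allow-list should come from your application governance records rather than a hard-coded set.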