Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats
Summary
A China-linked espionage group tracked as UNC6384 (Mustang Panda) has been exploiting a Windows shortcut flaw, CVE-2025-9491 (ZDI-CAN-25373), to target diplomats in Hungary, Belgium, Italy and the Netherlands as well as Serbian government agencies. The attack chain starts with spearphishing emails whose embedded links deliver malicious LNK files. Opening the shortcut runs an obfuscated PowerShell command that unpacks a TAR archive, side-loads a loader DLL through a legitimate Canon utility, and installs the PlugX remote access trojan, which persists through a Windows Registry modification. The flaw is not a memory-corruption bug: it is a UI misrepresentation issue in how Windows displays a shortcut's Target field, which lets an attacker hide the part of the command that actually runs from a user inspecting the file. Code execution therefore requires the user to open the shortcut, but that is enough for the group to monitor diplomatic communications and steal sensitive data. The issue was disclosed in March 2025 and, according to the reporting, has been exploited by at least 11 state-sponsored groups and cybercrime gangs, in some campaigns dating back to 2017. When the campaign was reported in October 2025, Microsoft had not released a patch. In its November 2025 updates Microsoft silently mitigated the issue by making the shortcut Properties dialog display all characters in the Target field rather than only the first 260; ACROS Security also offers an unofficial 0patch micropatch that limits shortcut target strings to 260 characters and warns users about the danger. Separately, security researcher Wietze Beukema disclosed four previously unknown techniques for manipulating LNK files so that the target shown in the file's properties differs from what executes. The most effective variants use characters that are forbidden in Windows paths, such as double quotes, to create paths that look valid but are technically invalid, so Explorer displays one target and executes another; the most powerful manipulates the EnvironmentVariableDataBlock structure to show a fake target in the Properties window while actually executing PowerShell or another command.
Microsoft declined to classify the EnvironmentVariableDataBlock issue as a security vulnerability, arguing that exploitation requires user interaction and does not cross a security boundary; it pointed to existing Microsoft Defender detections for this activity and to Smart App Control, which adds a layer of protection by blocking malicious files from the Internet. Beukema released lnk-it-up, an open-source tool suite that generates LNK shortcuts using these techniques for testing and flags potentially malicious LNK files by predicting what Explorer will display versus what it will actually execute. Mustang Panda has also expanded its operations with a new LOTUSLITE backdoor variant aimed at India's banking sector and South Korean and U.S. policy circles. That variant is delivered through CHM files that embed the malicious payloads, uses dynamic-DNS command-and-control servers and DLL side-loading, and provides remote shell access, file operations and session management for espionage.
Timeline
12.02.2026 23:01 · 1 article
New LNK Spoofing Techniques Disclosed by Security Researcher
Security researcher Wietze Beukema disclosed four previously unknown techniques for manipulating Windows LNK shortcut files so that the target a user sees when inspecting the file's properties differs from what actually executes. The issues stem from inconsistencies in how Windows Explorer prioritizes conflicting target paths specified across the several optional data structures a shortcut can carry. The most effective variants use characters forbidden in Windows paths, such as double quotes, to create paths that look valid but are technically invalid, so Explorer displays one target while executing another. The most powerful technique manipulates the EnvironmentVariableDataBlock structure to show a fake target in the Properties window while actually executing PowerShell or another command. Microsoft declined to classify the EnvironmentVariableDataBlock issue as a security vulnerability, arguing that exploitation requires user interaction and does not cross a security boundary; it noted that Microsoft Defender has detections for this activity and that Smart App Control adds a layer of protection by blocking malicious files from the Internet. Beukema released lnk-it-up, an open-source tool suite that generates LNK shortcuts using these techniques for testing and identifies potentially malicious LNK files by predicting what Explorer displays versus what it executes. For comparison, the earlier CVE-2025-9491 was exploited by at least 11 state-sponsored groups and cybercrime gangs, including Evil Corp, Bitter, APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, Konni, and others.
Sources:
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
31.10.2025 13:29 · 7 articles
UNC6384 (Mustang Panda) Exploits Windows Zero-Day in Espionage Campaign
The attack chain starts with spear-phishing emails carrying a link to malicious LNK files that exploit CVE-2025-9491. Opening the shortcut runs an obfuscated PowerShell command that unpacks a TAR archive and side-loads a loader DLL through a legitimate Canon utility; the loader decrypts and runs the PlugX RAT. PlugX provides remote access, applies anti-analysis techniques, and persists through a Windows Registry modification. The campaign targets European diplomats in Hungary, Belgium, Italy and the Netherlands as well as Serbian government agencies, in line with PRC strategic intelligence requirements. In its November 2025 updates Microsoft silently mitigated CVE-2025-9491 by making the shortcut Properties dialog display every character of the Target field rather than only the first 260; ACROS Security offers an unofficial 0patch micropatch that limits shortcut target strings to 260 characters. The flaw was disclosed in March 2025 and has been exploited by at least 11 state-sponsored groups and cybercrime gangs, including Mustang Panda, Evil Corp, APT37 and others. Mustang Panda has since expanded operations with a new LOTUSLITE backdoor variant targeting India's banking sector and South Korean/U.S. policy circles. The variant uses CHM files embedding malicious payloads and legitimate executables, dynamic DNS C2 servers (e.g., editor.gleeze[.]com), and DLL side-loading (dnx.onecore.dll) to provide remote shell access, file operations, and session management capabilities for espionage.
Sources:
- Windows zero-day actively exploited to spy on European diplomats — www.bleepingcomputer.com — 31.10.2025 13:29
- Chinese-Linked Hackers Exploit Windows Flaw to Spy on Belgian and Hungarian Diplomats — www.infosecurity-magazine.com — 31.10.2025 14:10
- China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats — thehackernews.com — 31.10.2025 15:57
- Microsoft "mitigates" Windows LNK flaw exploited as zero-day — www.bleepingcomputer.com — 03.12.2025 18:45
- Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation — thehackernews.com — 03.12.2025 19:46
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
- Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles — thehackernews.com — 22.04.2026 10:58
Information Snippets
- The attack chain begins with spearphishing emails targeting European diplomats.
  First reported: 31.10.2025 13:29 (3 sources, 6 articles)
- Malicious LNK files exploit a high-severity Windows LNK vulnerability (CVE-2025-9491).
  First reported: 31.10.2025 13:29 (3 sources, 6 articles)
- The PlugX RAT is deployed to gain persistence on compromised systems.
  First reported: 31.10.2025 13:29 (3 sources, 6 articles)
- The campaign is attributed to the Chinese state-backed threat group UNC6384 (Mustang Panda).
  First reported: 31.10.2025 13:29 (3 sources, 6 articles)
- The attacks have broadened to target Serbian government agencies and diplomatic entities from Italy and the Netherlands.
  First reported: 31.10.2025 13:29 (3 sources, 6 articles)
- The vulnerability enables code execution on the targeted Windows system once the user opens the malicious shortcut. It is a UI misrepresentation flaw in how the shortcut's Target is displayed, not a memory-corruption bug, so user interaction is required.
  First reported: 31.10.2025 13:29 (3 sources, 6 articles)
- At the time of the first reports (October 2025), Microsoft had not released a patch for CVE-2025-9491.
  First reported: 31.10.2025 13:29 (3 sources, 6 articles)
- The vulnerability, disclosed in March 2025, has been exploited by multiple state-sponsored groups and cybercrime gangs, with some activity dating back to 2017.
  First reported: 31.10.2025 13:29 (3 sources, 6 articles)
- The campaign began with spear-phishing emails themed around diplomatic meetings and conferences.
  First reported: 31.10.2025 14:10 (3 sources, 5 articles)
- The malicious LNK files exploit ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025 and later assigned CVE-2025-9491.
  First reported: 31.10.2025 14:10 (3 sources, 5 articles)
- The LNK file invokes PowerShell with an obfuscated command that decodes a TAR archive named rjnlzlkfe.ta.
  First reported: 31.10.2025 14:10 (3 sources, 5 articles)
- The TAR archive contains the three files that make the DLL side-loading chain work: a legitimate signed executable, the malicious loader DLL it picks up from the same directory, and the encrypted PlugX payload the loader decrypts.
  First reported: 31.10.2025 14:10 (3 sources, 5 articles)
- The malware includes a legitimate Canon printer assistant utility with an expired digital signature.
  First reported: 31.10.2025 14:10 (3 sources, 5 articles)
- The second file, cnmpaui.dll, serves as a lightweight loader designed to decrypt and execute the PlugX payload.
  First reported: 31.10.2025 14:10 (3 sources, 5 articles)
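The chain in the snippets above (Explorer runs the shortcut's target, PowerShell unpacks the archive, a legitimate Canon utility side-loads cnmpaui.dll) leaves a pattern in endpoint telemetry that can be hunted without any campaign-specific indicator. The Python below is an added example written for this page, not detection content from any vendor or report cited here. It runs two rules over constructed Sysmon-style events, a process-creation event for PowerShell launched by explorer.exe with a padded, hidden or encoded command line, and an image-load event in which an executable in a user-writable directory loads an unsigned DLL from its own directory, and correlates the two per host inside a time window. The host names, user directory, Temp-folder staging path, encoded command and the 8-character padding threshold are assumptions made for the demonstration; the page does not state where the archive was extracted.

```python
import ntpath
import re

# Constructed Sysmon-style telemetry (process_create ~ Event ID 1, image_load ~ Event ID 7).
# Hostnames, user names, directories and the command line are illustrative, not campaign indicators.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"t": 100, "host": "WS-01", "type": "process_create", "pid": 5120, "image": POWERSHELL,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe" + " " * 120 + "-w hidden -enc SQBFAFgAIAAoAC4ALgAuACkA"},
    {"t": 160, "host": "WS-01", "type": "image_load", "pid": 5188,
     "image": r"C:\Users\alice\AppData\Local\Temp\cnmpaui.exe",        # assumed staging directory
     "loaded": r"C:\Users\alice\AppData\Local\Temp\cnmpaui.dll", "loaded_signed": False},
    {"t": 200, "host": "WS-02", "type": "process_create", "pid": 900, "image": POWERSHELL,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"t": 210, "host": "WS-02", "type": "image_load", "pid": 901,
     "image": r"C:\Program Files\Canon\Utility\cnmpaui.exe",            # constructed benign install
     "loaded": r"C:\Program Files\Canon\Utility\cnmpaui.dll", "loaded_signed": True},
]

USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Users\\Public\\|\\ProgramData\\", re.I)
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
MAX_BENIGN_PAD = 8   # assumed threshold: a longer whitespace run is treated as deliberate padding


def longest_whitespace_run(text):
    longest = run = 0
    for ch in text:
        run = run + 1 if ch in " \t\n\v\f\r" else 0
        longest = max(longest, run)
    return longest


def suspicious_powershell(ev):
    """Rule 1: PowerShell started by Explorer (how a double-clicked shortcut runs its target) with a
    command line that is padded with whitespace, runs hidden, or carries an encoded command."""
    if ev["type"] != "process_create" or ntpath.basename(ev["image"]).lower() != "powershell.exe":
        return None
    if ntpath.basename(ev["parent_image"]).lower() != "explorer.exe":
        return None
    reasons = []
    pad = longest_whitespace_run(ev["cmdline"])
    if pad > MAX_BENIGN_PAD:
        reasons.append(f"{pad}-character whitespace run in command line")
    if HIDDEN_FLAG.search(ev["cmdline"]):
        reasons.append("hidden window")
    if ENCODED_FLAG.search(ev["cmdline"]):
        reasons.append("encoded command")
    return reasons or None


def side_load(ev):
    """Rule 2: an executable in a user-writable directory loads an unsigned DLL from its own
    directory, the pattern of a signed Canon utility picking up cnmpaui.dll placed beside it."""
    if ev["type"] != "image_load" or ev.get("loaded_signed"):
        return None
    exe_dir, dll_dir = ntpath.dirname(ev["image"]), ntpath.dirname(ev["loaded"])
    if exe_dir.lower() != dll_dir.lower() or not USER_WRITABLE.search(exe_dir + "\\"):
        return None
    return f"{ntpath.basename(ev['image'])} loaded unsigned {ntpath.basename(ev['loaded'])} from {exe_dir}"


def hunt(events, window_s=300):
    """Correlate per host: a rule-1 PowerShell launch followed within window_s by a rule-2 side-load."""
    ps_hits = []
    for ev in events:
        reasons = suspicious_powershell(ev)
        if reasons:
            ps_hits.append((ev, reasons))
    alerts = []
    for ev in events:
        desc = side_load(ev)
        if not desc:
            continue
        for ps_ev, reasons in ps_hits:
            if ps_ev["host"] == ev["host"] and 0 <= ev["t"] - ps_ev["t"] <= window_s:
                alerts.append({"host": ev["host"], "powershell_t": ps_ev["t"], "side_load_t": ev["t"],
                               "reasons": reasons, "side_load": desc})
    return alerts


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(f"[{alert['host']}] shortcut-style PowerShell launch at t={alert['powershell_t']} "
              f"({'; '.join(alert['reasons'])}) followed by side-load at t={alert['side_load_t']}: "
              f"{alert['side_load']}")
```

Rule 2 deliberately keys on the directory rather than on the Canon file names, so a renamed copy of the utility or a different signed host binary still trips it; the cost is that portable applications run from Downloads will need allow-listing.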
- PlugX is a RAT that provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions.
  First reported: 31.10.2025 14:10 (3 sources, 5 articles)
- The campaign targeted Hungarian and Belgian diplomats and potentially Serbian government officials.
  First reported: 31.10.2025 14:10 (3 sources, 5 articles)
- The campaign highlights UNC6384's growing sophistication and geographic expansion in cyber espionage against diplomatic targets.
  First reported: 31.10.2025 14:10 (3 sources, 5 articles)
- UNC6384 weaponized ZDI-CAN-25373 just six months after its disclosure, showing a sustained ability to integrate exploits into its tradecraft.
  First reported: 31.10.2025 14:10 (3 sources, 5 articles)
- The attack chain begins with spear-phishing emails containing an embedded URL that leads to the delivery of malicious LNK files.
  First reported: 31.10.2025 15:57 (2 sources, 4 articles)
- The malicious LNK files exploit ZDI-CAN-25373 to trigger a multi-stage attack chain.
  First reported: 31.10.2025 15:57 (2 sources, 4 articles)
- The PlugX malware is also referred to as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG.
  First reported: 31.10.2025 15:57 (2 sources, 4 articles)
- The threat actor has been observed delivering a memory-resident variant of PlugX called SOGU.SEC.
  First reported: 31.10.2025 15:57 (2 sources, 4 articles)
- The latest attack wave uses phishing emails with diplomatic lures to entice recipients into opening a bogus attachment.
  First reported: 31.10.2025 15:57 (2 sources, 4 articles)
- The LNK file is designed to launch a PowerShell command that decodes and extracts the contents of a TAR archive while simultaneously displaying a decoy PDF document to the user.
  First reported: 31.10.2025 15:57 (2 sources, 4 articles)
- PlugX implements anti-analysis techniques and anti-debugging checks to resist unpacking of its internals and to evade detection.
  First reported: 31.10.2025 15:57 (2 sources, 4 articles)
- PlugX achieves persistence by means of a Windows Registry modification.
  First reported: 31.10.2025 15:57 (2 sources, 4 articles)
- CanonStager artifacts collected between early September and October 2025 shrank steadily from roughly 700 KB to 4 KB, indicating active development toward a minimal tool that achieves its goals while leaving little forensic footprint.
  First reported: 31.10.2025 15:57 (2 sources, 4 articles)
- The campaign's focus on European diplomatic entities involved in defense cooperation, cross-border policy coordination, and multilateral diplomatic frameworks aligns with PRC strategic intelligence requirements concerning European alliance cohesion, defense initiatives, and policy coordination mechanisms.
  First reported: 31.10.2025 15:57 (2 sources, 4 articles)
- Microsoft has silently mitigated a high-severity Windows LNK vulnerability (CVE-2025-9491) exploited by multiple state-backed and cybercrime hacking groups.
  First reported: 03.12.2025 18:45 (2 sources, 3 articles)
- The vulnerability lets attackers hide the malicious part of a shortcut's command line by padding the Target field (the command-line arguments) with whitespace, so that what actually runs sits beyond the portion the Properties dialog showed and escapes inspection by users and by tooling that relies on the same view.
  First reported: 03.12.2025 18:45 (2 sources, 3 articles)
- Microsoft's mitigation, shipped in the November 2025 updates, changes how Windows handles and displays LNK files so that all characters in the Target field are shown, not just the first 260.
  First reported: 03.12.2025 18:45 (2 sources, 3 articles)
- ACROS Security has released an unofficial patch via its 0patch micropatch platform that limits all shortcut target strings to 260 characters and warns users about potential dangers.
  First reported: 03.12.2025 18:45 (2 sources, 3 articles)
-
The vulnerability in question is CVE-2025-9491 (CVSS score: 7.8/7.0), which has been described as a Windows Shortcut (LNK) file UI misinterpretation vulnerability that could lead to remote code execution.
First reported: 03.12.2025 19:46 (2 sources, 2 articles)
- Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation — thehackernews.com — 03.12.2025 19:46
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
The flaw exists within the handling of .LNK files, where crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface.
First reported: 03.12.2025 19:46 (2 sources, 2 articles)
- Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation — thehackernews.com — 03.12.2025 19:46
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
The issue is tracked as ZDI-CAN-25373 and has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns, some of which date back to 2017.
First reported: 03.12.2025 19:46 (2 sources, 2 articles)
- Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation — thehackernews.com — 03.12.2025 19:46
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
Microsoft initially stated that the flaw does not meet the bar for immediate servicing and that it will consider fixing it in a future release.
First reported: 03.12.2025 19:46 (2 sources, 2 articles)
- Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation — thehackernews.com — 03.12.2025 19:46
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
The flaw was abused by a cyber espionage cluster known as XDSpy to distribute a Go-based malware called XDigo as part of attacks targeting Eastern European governmental entities.
First reported: 03.12.2025 19:46 (2 sources, 2 articles)
- Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation — thehackernews.com — 03.12.2025 19:46
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
In late October 2025, the issue was weaponized by China-affiliated threat actors in attacks aimed at European diplomatic and government entities to deliver the PlugX malware.
First reported: 03.12.2025 19:46 (2 sources, 2 articles)
- Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation — thehackernews.com — 03.12.2025 19:46
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
Microsoft's silent patch addresses the problem by showing in the Properties dialog the entire Target command with arguments, no matter its length.
First reported: 03.12.2025 19:46 (2 sources, 2 articles)
- Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation — thehackernews.com — 03.12.2025 19:46
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
0patch's micropatch for the same flaw takes a different route by displaying a warning when users attempt to open an LNK file with over 260 characters.
First reported: 03.12.2025 19:46 (2 sources, 2 articles)
- Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation — thehackernews.com — 03.12.2025 19:46
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
Security researcher Wietze Beukema disclosed multiple vulnerabilities in Windows LNK shortcut files that allow attackers to deploy malicious payloads.
First reported: 12.02.2026 23:01 (1 source, 1 article)
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
Beukema documented four previously unknown techniques for manipulating Windows LNK shortcut files to hide malicious targets from users inspecting file properties.
First reported: 12.02.2026 23:01 (1 source, 1 article)
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
The discovered issues exploit inconsistencies in how Windows Explorer prioritizes conflicting target paths specified across multiple optional data structures within shortcut files.
First reported: 12.02.2026 23:01 (1 source, 1 article)
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
The most effective variants use forbidden Windows path characters, such as double quotes, to create seemingly valid but technically invalid paths, causing Explorer to display one target while executing another.
First reported: 12.02.2026 23:01 (1 source, 1 article)
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
The most powerful technique identified involves manipulating the EnvironmentVariableDataBlock structure within LNK files to display a fake target in the properties window while actually executing PowerShell or other malicious commands.
First reported: 12.02.2026 23:01 (1 source, 1 article)
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
Microsoft declined to classify the EnvironmentVariableDataBlock issue as a security vulnerability, arguing that exploitation requires user interaction and does not breach security boundaries.
First reported: 12.02.2026 23:01 (1 source, 1 article)
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
Microsoft Defender has detections in place to identify and block this threat activity, and Smart App Control provides an additional layer of protection by blocking malicious files from the Internet.
First reported: 12.02.2026 23:01 (1 source, 1 article)
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
Beukema released "lnk-it-up," an open-source tool suite that generates Windows LNK shortcuts using these techniques for testing and can identify potentially malicious LNK files by predicting what Explorer displays versus what actually executes.
First reported: 12.02.2026 23:01 (1 source, 1 article)
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
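As an added example (not code from the page, from Microsoft, 0patch or the lnk-it-up suite), the Python below walks a shortcut's StringData and ExtraData sections to contrast the first 260 characters of the command line, which is what the old Target field showed, with the remainder, flagging the whitespace-padding trick from the entries above and the presence of an EnvironmentVariableDataBlock. It treats the 260-character view as a simplification of the Properties dialog, assumes cp1252 for non-Unicode strings, and constructs its own sample shortcut bytes in build_sample rather than reading a real file.

```python
import struct

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)   # Name, RelPath, WorkDir, Args, Icon
ENV_VAR_BLOCK_SIG = 0xA0000001                   # EnvironmentVariableDataBlock
DISPLAY_LIMIT = 260                              # characters the old Target field showed

def parse_lnk(data: bytes) -> dict:
    # Walk the MS-SHLLINK layout far enough to reach StringData and ExtraData.
    header_size, _clsid, flags = struct.unpack_from("<I16sI", data, 0)
    pos = header_size
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: u32 total size comes first
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = []
    for bit in STRING_FLAGS:                     # StringData: u16 char count + chars
        if not flags & bit:
            strings.append(None)
            continue
        count, = struct.unpack_from("<H", data, pos)
        width = 2 if flags & IS_UNICODE else 1   # ANSI code page assumed to be cp1252
        raw = data[pos + 2:pos + 2 + count * width]
        strings.append(raw.decode("utf-16-le" if width == 2 else "cp1252"))
        pos += 2 + count * width
    blocks = []
    while pos + 8 <= len(data):                  # ExtraData: u32 size, u32 signature
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:                             # TerminalBlock ends the list
            break
        blocks.append(sig)
        pos += size
    return {"args": strings[3], "extra": blocks}

def assess(data: bytes) -> dict:
    """Compare what the truncated Target field showed with the full argument string."""
    info = parse_lnk(data)
    args = info["args"] or ""
    shown, hidden = args[:DISPLAY_LIMIT], args[DISPLAY_LIMIT:]
    return {
        "shown": shown,
        "hidden_tail": hidden,
        "padded": hidden != "" and shown.strip() == "",   # blank prefix, payload past 260
        "env_block": ENV_VAR_BLOCK_SIG in info["extra"],   # benign shortcuts carry it too
    }

def build_sample(args: str, env_target: str = "") -> bytes:
    """Constructed test input: header + UTF-16 arguments (+ optional env block)."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")
    header = struct.pack("<I16sI", 0x4C, clsid, 0x20 | IS_UNICODE).ljust(0x4C, b"\0")
    body = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    if env_target:                               # BlockSize 0x314 = 8 + 260 + 520
        body += struct.pack("<II", 0x314, ENV_VAR_BLOCK_SIG)
        body += env_target.encode("cp1252").ljust(260, b"\0")
        body += env_target.encode("utf-16-le").ljust(520, b"\0")
    return header + body + b"\0" * 4             # 4-byte TerminalBlock
```

A hit on `padded` is a strong signal on its own; `env_block` only says the block exists and should be compared against the visible target, since ordinary %SystemRoot%-style shortcuts carry one as well.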
CVE-2025-9491 was widely exploited by at least 11 state-sponsored groups and cybercrime gangs, including Evil Corp, Bitter, APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, Konni, and others.
First reported: 12.02.2026 23:01 (1 source, 1 article)
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
Mustang Panda has deployed a new LOTUSLITE variant targeting India's banking sector via a CHM file embedding malicious payloads and a legitimate executable.
First reported: 22.04.2026 10:58 (1 source, 1 article)
- Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles — thehackernews.com — 22.04.2026 10:58
The LOTUSLITE backdoor communicates with a dynamic DNS-based C2 server over HTTPS and supports remote shell access, file operations, and session management.
First reported: 22.04.2026 10:58 (1 source, 1 article)
- Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles — thehackernews.com — 22.04.2026 10:58
The new LOTUSLITE variant includes incremental improvements over its predecessor, indicating active maintenance by operators.
First reported: 22.04.2026 10:58 (1 source, 1 article)
- Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles — thehackernews.com — 22.04.2026 10:58
The attack chain begins with a Compiled HTML (CHM) file that silently retrieves and executes JavaScript malware from cosmosmusic[.]com to extract and run malware contained inside the CHM file using DLL side-loading.
First reported: 22.04.2026 10:58 (1 source, 1 article)
- Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles — thehackernews.com — 22.04.2026 10:58
The DLL 'dnx.onecore.dll' is an updated version of LOTUSLITE communicating with editor.gleeze[.]com for command reception and data exfiltration.
First reported: 22.04.2026 10:58 (1 source, 1 article)
- Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles — thehackernews.com — 22.04.2026 10:58
Similar artifacts indicate targeting of South Korean entities, particularly individuals in policy and diplomatic communities focused on North Korea and Indo-Pacific security.
First reported: 22.04.2026 10:58 (1 source, 1 article)
- Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles — thehackernews.com — 22.04.2026 10:58
The group's targeting has broadened from U.S. government entities to include India's banking sector and South Korean/U.S. policy circles.
First reported: 22.04.2026 10:58 (1 source, 1 article)
- Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles — thehackernews.com — 22.04.2026 10:58
Similar Happenings
Iran-linked Dust Specter Targets Iraqi Officials with AI-Assisted Malware
An Iran-linked cyber threat actor, Dust Specter, has been targeting Iraqi government officials using AI-powered tools and previously undocumented malware. The campaign, detected in January 2026, involves impersonating the Iraqi Ministry of Foreign Affairs and compromising government infrastructure to host malicious payloads. The attack chains include the use of SplitDrop, TwinTask, TwinTalk, and GhostForm malware, with TwinTalk also linked to a previous campaign in July 2025. The campaign employs advanced techniques such as randomly generated URI paths for C2 communication, geofencing, and User-Agent verification. The use of compromised Iraqi government infrastructure and AI-assisted malware development highlights the sophistication of the attack.
AI Assistants Abused as Command-and-Control Proxies
Researchers have demonstrated that AI assistants like Microsoft Copilot and xAI Grok can be exploited as command-and-control (C2) proxies. This technique leverages the AI's web-browsing capabilities to create a bidirectional communication channel for malware operations, enabling attackers to blend into legitimate enterprise communications and evade detection. The method, codenamed AI as a C2 proxy, allows attackers to generate reconnaissance workflows, script actions, and dynamically decide the next steps during an intrusion. The attack requires prior compromise of a machine and installation of malware, which then uses the AI assistant as a C2 channel through specially crafted prompts. This approach bypasses traditional defenses like API key revocation or account suspension. According to new findings from Check Point Research (CPR), platforms including Grok and Microsoft Copilot can be manipulated through their public web interfaces to fetch attacker-controlled URLs and return responses. The AI service acts as a proxy, relaying commands to infected machines and sending stolen data back out, without requiring an API key or even a registered account. The method relies on AI assistants that support URL fetching and content summarization, allowing attackers to tunnel encoded data through query parameters and receive embedded commands in the AI's reply. Malware can interact with the AI interface invisibly using a WebView2 browser component inside a C++ program. The research also outlined a broader trend: malware that integrates AI into its runtime decision-making, sending host information to a model and receiving guidance on actions to prioritize.
China-Linked APTs Deploy PeckBirdy JScript C2 Framework Since 2023
China-aligned APT actors have been using the PeckBirdy JScript-based command-and-control (C2) framework since 2023 to target Chinese gambling industries, Asian government entities, and private organizations. The framework leverages living-off-the-land binaries (LOLBins) for execution across various environments. Two campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, have been identified, each employing different tactics, including credential harvesting and malware delivery. The framework's flexibility allows it to operate across web browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET, using multiple communication methods such as WebSocket and Adobe Flash ActiveX objects. Additional scripts for exploitation, social engineering, and backdoor delivery have been observed, along with links to known backdoors such as HOLODONUT and MKDOOR. HOLODONUT disables security features such as AMSI before executing payloads in memory, while MKDOOR disguises its network traffic as legitimate Microsoft support or activation pages and attempts to evade Microsoft Defender by altering exclusion settings. Infrastructure overlaps and shared tooling suggest SHADOW-VOID-044 is linked with UNC3569, a China-aligned group previously associated with the GRAYRABBIT backdoor. Some samples used stolen code-signing certificates to legitimize malicious Cobalt Strike payloads, and SHADOW-EARTH-045 showed weaker but notable ties to activity previously attributed to Earth Baxia. The SHADOW-VOID-044 campaign used stolen code-signing certificates, Cobalt Strike payloads, and exploits, including CVE-2020-16040, to maintain persistent access. The SHADOW-EARTH-045 campaign targeted a Philippine educational institution in July 2024, using the GRAYRABBIT backdoor and the HOLODONUT backdoor. The threat actor behind the SHADOW-EARTH campaign developed a .NET executable to launch PeckBirdy with ScriptControl.
Multi-Stage AitM Phishing and BEC Campaigns Target Energy Sector
Microsoft has identified a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign targeting organizations in the energy sector. The attackers abused SharePoint file-sharing services to deliver phishing payloads and created inbox rules to maintain persistence and evade detection. The campaign involved leveraging compromised internal identities to conduct large-scale phishing attacks within and outside the victim organizations. Additionally, the AgreeTo Outlook add-in was hijacked and turned into a phishing kit, stealing over 4,000 Microsoft account credentials. The threat actor deployed a fake Microsoft sign-in page, password collection page, exfiltration script, and redirect, exploiting the add-in's ReadWriteItem permissions. This is the first known instance of malware found on the official Microsoft Marketplace. The add-in was abandoned by its developer and the attacker exploited the abandoned domain to serve the phishing kit. The incident highlights the need for better monitoring of add-ins and their associated URLs.
PluggyApe Backdoor Targets Ukraine's Defense Forces in Charity-Themed Campaign
Ukraine's Defense Forces were targeted in a charity-themed malware campaign between October and December 2025, delivering the PluggyApe backdoor, likely deployed by the Russian threat group Void Blizzard (Laundry Bear). The attacks began with instant messages over Signal or WhatsApp, directing recipients to malicious websites posing as charitable foundations. These sites distributed password-protected archives containing PluggyApe payloads. The malware profiles the host, sends victim information to attackers, and waits for further commands. In February 2026, a new campaign targeting Ukrainian entities was observed, employing judicial and charity-themed lures to deploy a JavaScript-based backdoor codenamed DRILLAPP. This campaign is likely orchestrated by threat actors linked to Russia and shares overlaps with the prior PluggyApe campaign. The malware is capable of uploading and downloading files, leveraging the microphone, and capturing images through the webcam. The threat actor is believed to be active since at least April 2024.