UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
Chinese-affiliated threat actor UNC6384 is conducting a cyber espionage campaign targeting European diplomatic entities, particularly in Hungary and Belgium. The group exploits the ZDI-CAN-25373 Windows vulnerability to deliver PlugX malware through spearphishing emails with malicious LNK files. The campaign uses diplomatic conference themes as lures and employs DLL side-loading of legitimate Canon printer utilities. UNC6384 has expanded its operations from Southeast Asia to Europe, demonstrating rapid adoption of new vulnerabilities and refined social engineering techniques. The malware provides persistent remote access for intelligence collection on European foreign policy, defense cooperation, and economic matters. This campaign highlights the evolving capabilities of Chinese cyber espionage efforts and their strategic focus on diplomatic targets.
OPENCTI LABELS:
dll side-loading, spearphishing, plugx, canonstager, diplomatic targeting, zdi-can-25373
AI COMMENTARY:
1. The recent cyber espionage campaign attributed to the Chinese-affiliated threat actor UNC6384 has taken a bold turn by weaponizing the ZDI-CAN-25373 Windows vulnerability to deliver the notorious PlugX malware. This operation has zeroed in on Hungarian and Belgian diplomatic entities, leveraging carefully crafted spearphishing emails that contain malicious LNK files. By masquerading as invitations to diplomatic conferences, UNC6384 has refined its social engineering to blend seamlessly with legitimate correspondence between government offices and international partners.
2. At the heart of this campaign lies the exploitation of the ZDI-CAN-25373 flaw, which UNC6384 triggers via attachments that appear safe but silently execute code when opened. The adversary employs canonstager, a loader that uses DLL side-loading of legitimate Canon printer utilities to evade detection. Once the initial foothold is established, the payload chain unpacks PlugX, granting the attacker remote control without raising alarms in typical endpoint defenses.
3. PlugX has long been a favored tool for persistent remote access, and in this operation it lives up to its reputation. After deployment, the malware establishes contact with command-and-control servers to receive further instructions and exfiltrate sensitive information. Its modular design allows UNC6384 to harvest intelligence on European foreign policy debates, defense cooperation initiatives and economic negotiations, providing a steady stream of strategic data to its handlers.
4. The selection of Hungarian and Belgian diplomatic missions underscores the actor’s focus on diplomatic targeting and the high value of insights into European Union policymaking. UNC6384’s lures mimic real-world conference agendas, complete with logos and speaker lists, to lower suspicions and trick recipients into activating the payload. This level of precision demonstrates the actor’s deep understanding of diplomatic workflows and its commitment to harvesting actionable intelligence from carefully chosen targets.
5. UNC6384’s expansion from Southeast Asia into Europe marks a significant evolution in its operational reach. The rapid adoption of new vulnerabilities like ZDI-CAN-25373 and the refinement of spearphishing tactics reflect an agile threat actor that continuously updates its playbook. By combining canonstager’s DLL side-loading technique with well-crafted contextual lures, the group has raised the bar for advanced persistent threat campaigns in the diplomatic sphere.
6. This campaign highlights the growing sophistication of Chinese cyber espionage efforts and the critical need for robust threat intelligence. Diplomatic entities must prioritize timely patching of known vulnerabilities, implement stringent email filtering to catch spearphishing attempts and conduct regular threat hunting to detect unusual DLL side-loading behavior. Understanding the methods of UNC6384 and PlugX is essential for strengthening defenses and safeguarding sensitive diplomatic communications against future incursions.
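As an added illustration of the threat hunting the last paragraph recommends (example code written for this page, not from the report or from any vendor tooling), the following Python scores image-load telemetry for DLL side-loading indicators. The record fields and the CanonUtility.exe name are assumptions: the report does not name the abused Canon binary, so a placeholder is used.

```python
import ntpath
from dataclasses import dataclass

# Directory prefixes where a signed vendor utility would not normally live.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class ImageLoad:
    """One image-load record (the fields Sysmon Event ID 7 or an EDR would carry)."""
    image: str          # path of the process that loaded the DLL
    loaded: str         # path of the loaded DLL
    image_signed: bool  # signature state of the process executable
    dll_signed: bool    # signature state of the loaded DLL


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def side_load_reasons(ev: ImageLoad) -> list:
    """Return the side-loading indicators present in one record."""
    reasons = []
    if ntpath.dirname(ev.image).lower() == ntpath.dirname(ev.loaded).lower():
        reasons.append("dll resolved from the executable's own directory")
    if is_user_writable(ev.image):
        reasons.append("executable runs from a user-writable directory")
    if ev.image_signed and not ev.dll_signed:
        reasons.append("signed executable loaded an unsigned dll")
    return reasons


def hunt(events):
    """Flag records with at least two indicators; a lone same-directory load is normal."""
    hits = []
    for ev in events:
        reasons = side_load_reasons(ev)
        if len(reasons) >= 2:
            hits.append((ntpath.basename(ev.image), reasons))
    return hits


# Constructed sample telemetry; "CanonUtility.exe" is a placeholder, not the real binary.
SAMPLE_EVENTS = [
    # Signed vendor utility dropped beside an unsigned DLL under AppData: classic side-load.
    ImageLoad(r"C:\Users\alice\AppData\Roaming\CanonUtility.exe",
              r"C:\Users\alice\AppData\Roaming\CanonUtility.dll", True, False),
    # Same utility installed normally, loading its own signed DLL: benign.
    ImageLoad(r"C:\Program Files\Canon\CanonUtility.exe",
              r"C:\Program Files\Canon\CanonUtility.dll", True, True),
    # Loading a system DLL from System32: benign.
    ImageLoad(r"C:\Program Files\Canon\CanonUtility.exe",
              r"C:\Windows\System32\kernel32.dll", True, True),
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS):
        print(f"{name}: {'; '.join(reasons)}")
```

Only the AppData record trips the rule; the two-indicator threshold keeps ordinary same-directory loads from a vendor's install path out of the hit list.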