LmCast :: Stay tuned in

UNC6384 Targets European Diplomatic Entities With Windows Exploit

Recorded: Oct. 31, 2025, 11 p.m.

Original

Kristina Beek, Associate Editor, Dark Reading
October 31, 2025

The spear-phishing campaign uses fake European Commission and NATO-themed lures to trick diplomatic personnel into clicking malicious links.

UNC6384, a China-linked threat actor, has been targeting European diplomatic entities in Hungary and Belgium in a cyber-espionage campaign since September.

The group incorporated the exploitation of CVE-2025-9491, a high-severity Windows vulnerability, into its attacks, alongside what Arctic Wolf researchers refer to as "refined social engineering."

The researchers note that the group's willingness to use vulnerabilities that are publicly known and have been actively exploited by multiple nation-state actors indicates that it is confident of success even with increased defender awareness.

The attack chain starts with spear-phishing emails containing a URL that ultimately delivers malicious LNK files. The files imitate European Commission meetings, NATO-related workshops, and diplomatic events, with authentic details designed to lure the targeted individuals. The files exploit the Windows vulnerability before executing obfuscated PowerShell commands that deploy a malware chain, which ultimately results in the deployment of the PlugX remote access Trojan (RAT).

According to Arctic Wolf researchers, the campaign is expanding across the broader diplomatic community within Europe, including Italy and the Netherlands, as well as to government agencies in Serbia. UNC6384's previous activity involved targeting diplomats in Southeast Asia.

The group specializes in deploying PlugX malware variants, which the researchers consider a favorite tool among Chinese threat actors. PlugX, first observed in 2008, provides a variety of remote access capabilities, including command execution, persistence establishment, keylogging, and more. The malware is also known as Destroy RAT, SOGU, Kaba, Korplug, and TIGERPLUG, and it implements anti-analysis techniques and anti-debugging checks to evade detection.

At the start of this year, the US Justice Department and the FBI concluded their effort to delete PlugX from thousands of devices globally. The operation targeted the work of threat groups such as Mustang Panda and Twill Typhoon, which used the malware to infect users' devices and steal information. Now, as UNC6384 continues to rapidly adopt vulnerability exploits and other techniques and to expand globally, users and organizations will need to implement mitigation measures.

To mitigate such attacks, the researchers recommend that organizations, especially those in the government and diplomatic sectors, review and block the command-and-control (C2) infrastructure listed in the report, conduct searches across their endpoint environments, and continue security awareness training.

Should these threat actors succeed in their attacks, this could lead to long-term implications such as "exfiltration of classified or sensitive documents, monitoring of real-time policy discussions and decision-making processes, collection of credentials for accessing diplomatic networks and partner systems, and surveillance of diplomatic calendars and travel plans," the researchers wrote in the report.

Summarized

UNC6384, a China-linked threat actor, has been actively targeting European diplomatic entities since September 2025, expanding its reach to Italy and the Netherlands in addition to Hungary and Belgium. The group leverages the exploitation of publicly known vulnerabilities, specifically CVE-2025-9491, alongside refined social engineering tactics. This approach, which Arctic Wolf researchers characterize as confident and increasingly sophisticated, demonstrates a determined strategy despite growing defender awareness. The campaign begins with spear-phishing emails mimicking European Commission and NATO-related events, designed to lure victims with authentic details. These emails deliver malicious LNK files that exploit the Windows vulnerability before deploying a malware chain culminating in the installation of the PlugX remote access Trojan (RAT). PlugX, a malware family previously associated with threat actors such as Mustang Panda and Twill Typhoon, has existed since 2008 and provides capabilities including command execution, persistence establishment, keylogging, and anti-analysis techniques. The group's rapid adoption of vulnerability exploitation and its global expansion highlight the need for stronger mitigation. Specifically, organizations, particularly within the government and diplomatic sectors, are advised to block the identified command-and-control (C2) infrastructure, conduct thorough endpoint searches, and maintain robust security awareness training programs. Successful attacks by UNC6384 could lead to significant consequences, including the exfiltration of classified documents, monitoring of policy discussions, credential theft, and surveillance of diplomatic activities.
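The article and its summary both describe the delivery stage as a lure LNK file that ends up running obfuscated PowerShell; the "conduct searches across endpoint environments" recommendation is where a triage script for such shortcuts fits. The code below is an added example, not Arctic Wolf's tooling or anything from the report: it parses the ShellLink header and StringData of a .lnk file, flags shortcuts whose target and arguments launch PowerShell hidden or with an encoded command, and decodes the -enc payload for an analyst. The sample shortcut is constructed here and carries a harmless script; how CVE-2025-9491 is triggered is not described on the page, so the script makes no attempt to detect that part of the chain.

```python
import base64
import re
import struct
# LinkFlags bits from the MS-SHLLINK layout (standard constants, not taken from the article)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_REL_PATH), ("working_dir", HAS_WORKDIR),
                 ("arguments", HAS_ARGS), ("icon", HAS_ICON)]     # StringData order inside the file
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CHECKS = (("launches PowerShell", r"powershell"), ("hidden window", r"-w(?:indowstyle)?\s+hidden"))

def parse_lnk(data: bytes) -> dict:   # recover StringData (relative path, arguments, ...) from a .lnk
    if struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink file")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 0x4C   # LinkFlags sits right after the CLSID
    if flags & HAS_ID_LIST:                                    # skip LinkTargetIDList: u16 size + body
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                                  # skip LinkInfo: u32 size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out, width = {}, 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_FIELDS:                            # each field: u16 char count + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return out

def triage_lnk(data: bytes) -> dict:  # flag shortcuts that launch PowerShell hidden or with -enc
    info = parse_lnk(data)
    cmdline = f"{info.get('relative_path', '')} {info.get('arguments', '')}".strip()
    findings = [label for label, pat in CHECKS if re.search(pat, cmdline, re.I)]
    decoded = None
    if m := ENC_RE.search(cmdline):
        findings.append("encoded command")
        try:                                                   # -enc carries base64 of a UTF-16LE script
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = "<undecodable>"
    return {"command_line": cmdline, "findings": findings, "decoded": decoded}

def build_sample_lnk(target: str, args: str) -> bytes:  # constructed: minimal Unicode .lnk, two fields
    header = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
    header += struct.pack("<I", HAS_REL_PATH | HAS_ARGS | IS_UNICODE)
    header += bytes(0x4C - len(header))                        # remaining header fields zeroed
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(target) + enc(args)
# Constructed sample in the shape the article describes: a "meeting" shortcut that runs PowerShell
HARMLESS_SCRIPT = base64.b64encode("Write-Output 'decoy agenda'".encode("utf-16-le")).decode()
SAMPLE = build_sample_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          f"-nop -w hidden -enc {HARMLESS_SCRIPT}")
```

Running triage_lnk over every .lnk in a mail attachment quarantine or a user's Downloads folder gives a quick first cut; anything flagged still needs the rest of the chain (the exploit stage and the dropped payload) examined by hand.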