CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats in Hungary, Belgium, Italy, the Netherlands, and Serbian government agencies. The campaign involves spearphishing emails with malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems. The attacks have broadened in scope to include diplomatic entities from Italy and the Netherlands. The zero-day vulnerability allows for remote code execution on targeted Windows systems, enabling the group to monitor diplomatic communications and steal sensitive data. Microsoft has not yet released a patch for this vulnerability, which has been heavily exploited by multiple state-sponsored groups and cybercrime gangs since March 2025. The campaign began with spear phishing emails themed around diplomatic meetings and conferences. The malicious LNK files exploit ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025. The LNK file invokes PowerShell with an obfuscated command that decodes a tar archive file named rjnlzlkfe.ta. The tar archive contains three critical files that enable the attack chain through DLL side-loading. The malware includes a legitimate Canon printer assistant utility with an expired digital signature. The second file, cnmpaui.dll, serves as a lightweight loader designed to decrypt and execute the PlugX payload. PlugX is a RAT that provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions.

Timeline

  1. 31.10.2025 13:29 3 articles · 10d ago

    UNC6384 (Mustang Panda) Exploits Windows Zero-Day in Espionage Campaign

    The attack chain begins with spear-phishing emails containing an embedded URL that leads to the delivery of malicious LNK files. The malicious LNK files exploit ZDI-CAN-25373 to trigger a multi-stage attack chain. The PlugX malware is also referred to as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG. The threat actor has been observed delivering a memory-resident variant of PlugX called SOGU.SEC. The latest attack wave uses phishing emails with diplomatic lures to entice recipients into opening a bogus attachment. The LNK file is designed to launch a PowerShell command to decode and extract the contents of a TAR archive and simultaneously display a decoy PDF document to the user. The malware provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions. PlugX implements various anti-analysis techniques and anti-debugging checks to resist efforts to unpack its internals and fly under the radar. PlugX achieves persistence by means of a Windows Registry modification. The CanonStager artifacts found in early September and October 2025 have witnessed a steady decline in size from approximately 700 KB to 4 KB, indicating active development and its evolution into a minimal tool capable of achieving its goals without leaving much of a forensic footprint. The campaign's focus on European diplomatic entities involved in defense cooperation, cross-border policy coordination, and multilateral diplomatic frameworks aligns with PRC strategic intelligence requirements concerning European alliance cohesion, defense initiatives, and policy coordination mechanisms.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

HttpTroy Backdoor Deployed in Targeted South Korean Cyberattack

The North Korea-linked threat actor Kimsuky distributed a new backdoor named HttpTroy in a targeted spear-phishing attack against a South Korean entity. The attack involved a ZIP file disguised as a VPN invoice, which contained a multi-stage malware chain. HttpTroy enables file transfers, screenshot capture, command execution, and other malicious activities. The malware uses advanced obfuscation techniques to evade detection. The attack was detected by Gen Digital, which did not specify the exact timeline of the incident. The initial vector is suspected to be a phishing email, as no known vulnerabilities were exploited. The malware communicates with a command-and-control server over HTTP POST requests. The attack chain includes a dropper, a loader (MemLoad), and the final backdoor (HttpTroy). The ZIP file contained a Microsoft Windows screensaver (.scr) file, which displayed a PDF invoice written in Korean and loaded the attack chain until the backdoor program was running. HttpTroy supports a wide range of remote actions and increases stealth by encrypting its communications, obfuscating payloads, and executing code in memory. The attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in their attacks. The groups use legitimate services and Windows processes to dodge security tools and different encryption methods for each step in a multistage infection chain. They also use techniques such as memory-resident execution and dynamic API resolution to help the malicious code avoid detection.

Open in new tab

Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns

Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems. Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection. Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks.

Open in new tab

China-aligned UTA0388 Targets Multiple Regions with GOVERSHELL Malware

A China-aligned threat actor, UTA0388, has conducted spear-phishing campaigns targeting North America, Asia, and Europe to deliver the GOVERSHELL backdoor. These campaigns use tailored lures and fictional identities in multiple languages. The malware, which has evolved through several variants, is designed to execute commands and gather system information. The actor has leveraged legitimate services like Netlify, Sync, and OneDrive to stage archive files and used OpenAI ChatGPT to generate phishing content and assist with malicious workflows. The campaigns have been highly tailored, with the threat actors building trust with recipients over time before sending malicious links. The targeting profile indicates a focus on Asian geopolitical issues, particularly Taiwan. Additionally, a separate campaign targeting European institutions has been observed, involving the use of PlugX malware. New insights reveal that UTA0388 has shifted from simple phishing links to 'rapport-building phishing,' engaging in extended conversations with targets before delivering malicious files. The GOVERSHELL malware has evolved to use encrypted WebSocket and HTTPS communication channels. The campaigns involved archive files containing a legitimate-looking executable and a hidden malicious dynamic link library (DLL). The use of cloud hosting services like Netlify and OneDrive to deliver payloads, along with domain names impersonating major firms such as Microsoft and Apple, has been observed. The rapid campaign tempo, with up to 26 phishing emails sent within three days, indicates a high level of activity.

Open in new tab

Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval. F5 disclosed that unidentified threat actors stole files containing BIG-IP's source code and information related to undisclosed vulnerabilities. The attackers used the BRICKSTORM malware, attributed to a China-nexus espionage group dubbed UNC5221. The attackers were in F5's network for at least 12 months before detection. GreyNoise observed elevated scanning activity targeting BIG-IP in three waves on September 23, October 14, and October 15, 2025. Censys identified over 680,000 F5 BIG-IP load balancers and application gateways visible on the public internet. The attackers used a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Open in new tab

Chinese State-Sponsored Actors Target Global Critical Infrastructure

Chinese state-sponsored Advanced Persistent Threat (APT) actors continue to escalate their campaigns against global critical infrastructure and high-value targets, with the latest incident involving a breach of the **U.S. Congressional Budget Office (CBO)**. The CBO confirmed a cybersecurity incident linked to a suspected foreign hacker, raising concerns about the exposure of sensitive emails, draft reports, and internal communications. This follows a pattern of targeted attacks, including breaches at the U.S. Treasury Department and the Committee on Foreign Investment in the United States (CFIUS) in late 2024, both attributed to the Chinese APT group **Silk Typhoon**. Earlier phases of this campaign revealed sustained efforts by groups like **Salt Typhoon** and **RedNovember** to compromise telecommunications, government, defense, and aerospace networks across 80 countries. These actors exploit vulnerabilities in edge devices (e.g., Cisco, Ivanti, Palo Alto Networks, Citrix NetScaler Gateway) to gain persistent access, often modifying routers to capture TACACS+ traffic and pivot into other networks. Joint advisories from CISA, NSA, FBI, and international partners have highlighted the shift from espionage to long-term access for potential disruption, while the Czech Republic’s NUKIB issued a ‘High’ risk warning against Chinese technology in critical infrastructure. The latest CBO breach underscores the expanding scope of these operations, now directly targeting U.S. legislative support agencies.

Open in new tab