UNC6384 European diplomatic espionage campaign

Campaign
Happening score: 39
1 unique source, 1 article

Summary

A UNC6384 cyber espionage campaign targeted European diplomatic entities in Hungary, Belgium, and other European nations, widening the group's intelligence-collection threat to diplomatic networks. The activity was observed in September and October 2025 and linked to a cluster likely associated with Mustang Panda/TEMP.Hex. The operation used spear phishing with diplomatic conference lures, malicious LNK files, and exploitation of ZDI-CAN-25373 in Windows. The delivery chain deployed PlugX RAT through DLL side-loading, giving operators remote access and reconnaissance capability.

Related Happenings

SHADOW-EARTH-053 China-aligned espionage campaign against Asian government and defense targets

Campaign
First: 01.05.2026 17:02 Last: 01.05.2026 17:02 Sources 1

About this happening: **SHADOW-EARTH-053** is running an active **China-aligned espionage campaign** against **government and defense** targets across **South, East, and Southeast Asia** and **Poland**...

TA416 European government espionage campaign

Campaign
First: 01.04.2026 15:05 Last: 01.04.2026 15:05 Sources 1

About this happening: TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...

Latest development: 03.04.2026 20:34

TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.

Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign

Campaign
First: 30.03.2026 10:00 Last: 30.03.2026 10:00 Sources 1

About this happening: Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...

Microsoft silently patches Windows LNK file remote code execution flaw (CVE-2025-9491)

Vulnerability
First: 12.02.2026 23:01 Last: 12.02.2026 23:01 Sources 1

About this happening: **Windows LNK shortcut files** remain the focus of this vulnerability thread: **CVE-2025-9491** / **ZDI-CAN-25373** is being used in **September-October 2025** spear-phishing atta...

Mustang Panda PlugX DOPLUGS deployment chain for persistent access

Malware Activity
First: 04.02.2026 16:09 Last: 04.02.2026 16:09 Sources 1

About this happening: **Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...

Timeline

  1. 31.10.2025 14:10 · 2 articles

    Initial report: UNC6384 European diplomatic espionage campaign

    Initial Disclosure

    The operation began with **spear phishing** emails themed around diplomatic meetings and conferences that delivered malicious **LNK** files. Opening the shortcuts triggered exploitation of **ZDI-CAN-25373** and started the multi-stage **PlugX** deployment chain.
