When printer software becomes a weapon: Chinese hacker group UNC6384 attacks European diplomats

Imagine getting an email with the agenda for an important EU meeting. Unusual for most of us, routine for MEPs, politicians and diplomats. Sounds harmless at first, doesn't it?

It is precisely this apparent normality that attackers exploit to get into the systems of diplomatic institutions. Arctic Wolf Labs has now documented a rather sophisticated campaign that shows how creative and dangerous modern cyber espionage has become.

Who's behind it?

The attacks are attributed to UNC6384, a Chinese hacker group that specialises in espionage. These people are not script kiddies; they are professionals who presumably work on behalf of the Chinese government. Their targets? European diplomats, especially in Hungary, Belgium, Serbia, Italy and the Netherlands.

What makes this group special: it overlaps closely with another notorious group known as ‘Mustang Panda’. Both share similar tools, tradecraft and targeting, like branches of the same family in the espionage business.

How does the attack work? A look behind the scenes

Now it gets technical, but don't worry: I will walk through it step by step so that you can follow along.

Step 1: The bait email

It all starts with a convincing email. The attackers put real effort into it: subject lines such as ‘Agenda for EU meetings in Brussels on 26 September’ or ‘NATO Armaments Procurement Workshop’ refer to real events that actually took place. The email contains a link or an attachment that looks like an ordinary PDF.

Step 2: The Windows vulnerability

Here is the clever part: the attackers abuse a Windows weakness tracked as ZDI-CAN-25373, which was only disclosed in March 2025. It affects LNK files, the shortcut files behind the small icons on your desktop.

The ingenious thing about it: the command-line arguments stored inside a shortcut can be padded with large amounts of whitespace, so that the shortcut's Properties dialog shows only the harmless-looking part and the real command is pushed out of view. To you the file looks like Agenda_Meeting 26 Sep Brussels.lnk, but a click runs a lot more in the background.
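The padding trick is easy to check for once you parse the shortcut instead of trusting what Explorer shows. The following is an added example, not code from the article or from Arctic Wolf: it builds a shortcut in memory from constructed values (no real sample from the campaign is used), parses the StringData section following the layout of the MS-SHLLINK specification, and flags argument fields that contain long runs of whitespace. The threshold values, the placeholder command and the function names are my own assumptions.

```python
"""Flag whitespace-padded command-line arguments in Windows .lnk files.

Added example, not code from the article or from Arctic Wolf. The shortcut is
built in memory from constructed values; the binary layout follows the
MS-SHLLINK specification, the thresholds and function names are my own.
"""
import re
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C  # fixed ShellLinkHeader size
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-0000-0000-C000-000000000046}

# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def build_lnk(arguments: str, relative_path: str = "..\\Windows\\System32\\cmd.exe") -> bytes:
    """Build a minimal Unicode shortcut carrying RELATIVE_PATH and COMMAND_LINE_ARGUMENTS.

    Constructed test input: enough of the format for parse_lnk to exercise.
    """
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # timestamps, icon index etc. zeroed

    def string_data(s: str) -> bytes:
        # CountCharacters (UTF-16 code units) followed by the string, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shortcut (ExtraData blocks are ignored)."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def analyze(data: bytes, max_run: int = 16, dialog_limit: int = 260) -> dict:
    """Score the arguments field for the padding trick.

    Thresholds are assumptions: a run of 16+ whitespace characters has no
    legitimate purpose in a command line, and arguments beyond a few hundred
    characters are out of view in the Properties dialog anyway.
    """
    args = parse_lnk(data).get("arguments", "")
    runs = [len(m.group()) for m in re.finditer(r"\s+", args)]
    longest = max(runs, default=0)
    return {
        "arguments_len": len(args),
        "longest_whitespace_run": longest,
        "hidden_command": args.strip(),
        "suspicious": longest >= max_run or len(args) > dialog_limit,
    }


if __name__ == "__main__":
    # Constructed sample: 300 spaces in front of a placeholder command.
    print(analyze(build_lnk(" " * 300 + "/c echo padded-command")))
    print(analyze(build_lnk("/c echo hello")))
```

Run it over a mail gateway's quarantined attachments with `analyze(open(path, "rb").read())`; the `hidden_command` value is what you want in the alert, since it is exactly what the Properties dialog would not have shown the user.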

Step 3: The Printer Trick (DLL Side-Loading)

Now it gets really refined. The LNK file first fetches a real, legitimate program: a Canon printer utility called cnmpaui.exe. This binary is digitally signed by Canon, so Windows and most security tools treat it as trustworthy.

But here is the trick: alongside the real program comes a manipulated file called cnmpaui.dll. When the Canon program starts, it asks Windows for a helper library of that name, and Windows searches the program's own directory first. It finds the manipulated copy there and loads it without complaint.

Think of it like a bodyguard (the real Canon software) who unknowingly brings a burglar (the malicious DLL) into the building because he is wearing the right uniform.

Step 4: The encrypted malware

The manipulated DLL has just one job: it opens a third file called cnmplog.dat. At first glance this looks like random garbage, but it is the actual payload encrypted with RC4. The DLL decrypts it in memory and out comes the real malware: PlugX.
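What the side-loaded DLL does at this step is mechanically simple, and an analyst reproduces it by hand when unpacking a sample. The block below is an added example, not the campaign's code: it implements RC4, wraps a constructed fake PE image into an encrypted container standing in for cnmplog.dat, and then shows the two checks a triage script applies, namely that the blob on disk looks like noise (high byte entropy) while a candidate key turns it back into a valid executable. The key, the payload bytes and the function names are placeholders of my own.

```python
"""Unpack an RC4-encrypted payload container of the kind described above.

Added example, not the campaign's code. Key, file contents and names are
constructed; only the structure (an RC4 blob that decrypts to a PE image)
follows the article.
"""
import math
from collections import Counter


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then keystream XORed over the data."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; encrypted data sits near the maximum, real code far below."""
    n = len(blob)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def try_unpack(container: bytes, candidate_keys):
    """Return (key, plaintext) for the first key that yields a PE image, else None."""
    for key in candidate_keys:
        plain = rc4(key, container)
        if looks_like_pe(plain):
            return key, plain
    return None


def make_fake_pe() -> bytes:
    """Constructed stand-in for the decrypted payload: DOS header + PE signature + filler."""
    img = bytearray(b"MZ" + b"\x00" * 0x3E)             # 64-byte DOS header
    img[0x3C:0x40] = (0x40).to_bytes(4, "little")       # e_lfanew -> PE header at 0x40
    img += b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18   # signature + stub file header (i386)
    img += b"\x90" * 32                                 # filler "code"
    return bytes(img)


ASSUMED_KEY = b"constructed-key"            # placeholder, not the real key
CONTAINER = rc4(ASSUMED_KEY, make_fake_pe())  # what "cnmplog.dat" would hold

if __name__ == "__main__":
    print("entropy on disk: %.2f, decrypted: %.2f"
          % (shannon_entropy(CONTAINER), shannon_entropy(make_fake_pe())))
    print(try_unpack(CONTAINER, [b"wrong-key", ASSUMED_KEY]))
```

In practice the key is pulled from the side-loaded DLL (a string or a byte array near the RC4 routine), and `try_unpack` is run over every candidate; the `looks_like_pe` check is what turns a list of guesses into an answer without eyeballing hexdumps.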

What is PlugX and why is it so dangerous?

PlugX is like a digital spy that lives permanently in your system. The malware family has been around since 2008 and is still being developed. PlugX can:

  • Record every keystroke (keylogging)
  • Upload and download files
  • Execute commands remotely
  • Embed itself in the system so that it survives reboots
  • Collect information about your system

The twist: PlugX runs in the memory of the legitimate, signed Canon process and never lands on disk in decrypted form. Security tools that trust the signed executable and only scan files on disk see nothing but a Canon utility.

The camouflage: The perfect deception

While all this happens in the background, the computer shows you a real PDF document, for example the actual agenda of the EU meeting. You think everything is normal while the attackers are opening the back door.

The malware then makes itself at home:

  • It copies itself into inconspicuously named folders such as ‘SamsungDriver’, ‘IntelNet’ or ‘DellSetupFiles’ (sounds harmless, right?)
  • It registers itself in the Windows registry under the name ‘CanonPrinter’ so that it is launched automatically at every start
  • The folder name changes regularly to confuse security software

The command center

Once installed, PlugX contacts its operators over HTTPS, so the traffic looks like ordinary encrypted web browsing. The attackers use domains such as:

  • racineupci[.]org
  • dorareco[.]net
  • naturadeco[.]net

The names are chosen to sound harmless. Communication runs over port 443 (the standard port for encrypted websites), and the malware identifies itself with the User-Agent string of an ordinary browser (Internet Explorer 9, if anyone is interested).

Development in real time

Particularly disturbing: the attackers are actively developing their tools. Between September and October 2025 they shrank their ‘CanonStager’ (the component that loads the malware) from around 700 KB to just 4 KB.

That is like shrinking a burglar's tool case from a suitcase to a wallet: smaller and less conspicuous, but just as effective.

Why diplomats?

The obvious question: why all this? Well, diplomats have access to highly sensitive information:

  • Negotiating positions in the case of international agreements
  • EU defence cooperation and NATO plans
  • Economic policy decisions, which could affect China's interests
  • Relations between EU countries: where are the tensions, where is the unity?

If China knows what Europe is planning, it has an enormous advantage in negotiations, trade agreements or geopolitical moves.

The topics of the bait emails are not chosen by chance:

  • Border handling between the EU and the Western Balkans – important for trade routes
  • NATO Armament Procurement – European military capabilities
  • European Political Community – How is Europe coordinated?

What makes this campaign special?

  1. Quick adoption: The Windows weakness was disclosed in March 2025 and UNC6384 was already using it in September. Six months. This shows how fast these groups pick up new vulnerabilities.
  2. Perfect social engineering: The hackers use real events with correct data, locations and topics. They obviously have access to diplomatic calendars or do very thorough research.
  3. Multi-track strategy: In addition to this email campaign, UNC6384 also uses other attack methods, such as hijacking captive portals (the Wi-Fi login pages you see in hotels or airports).
  4. Expansion to Europe: Previously, UNC6384 focused on Southeast Asia. Now they have targeted Europe, which shows either an expanded mission or additional teams.

What can be done about it?

For organisations:

  • Block LNK files from untrusted sources. Since there is no official Microsoft patch for this weakness, you have to get creative (mail-gateway rules, blocking .lnk in archives and downloads).
  • Block the known command servers in your firewalls and DNS filters
  • Hunt for Canon printer software in unusual places; it does not belong in a user's temp directory
  • Train your employees to recognise phishing emails
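The persistence and command-and-control behaviour described earlier (the signed Canon binary in a temp folder, the unsigned cnmpaui.dll beside it, the ‘CanonPrinter’ Run key and staging folders, HTTPS to the listed domains with a browser User-Agent) translates directly into hunt rules. The block below is an added example, not the article's or any vendor's detection content: it runs those rules over constructed endpoint events in a simplified Sysmon-like shape of my own. The domain and folder indicators are taken from the article; the exact User-Agent string, the event schema, the install path of the benign Canon copy and the rule names are assumptions.

```python
"""Hunt for the post-exploitation pattern described in the article.

Added example, not the article's or any vendor's detection content. Event
records are constructed in a simplified Sysmon-like shape of my own; domain
and folder indicators come from the article, the User-Agent string and rule
names are assumptions.
"""
import ntpath
import re

C2_DOMAINS = {"racineupci.org", "dorareco.net", "naturadeco.net"}   # from the article
STAGING_DIRS = {"samsungdriver", "intelnet", "dellsetupfiles"}        # from the article
SIDELOAD_HOST = "cnmpaui.exe"
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I)
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp)\\", re.I)
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}


def in_staging_dir(path: str) -> bool:
    return any(part.lower() in STAGING_DIRS for part in path.split("\\"))


def analyze_events(events):
    """Return (rule, pid, detail) tuples for every event that matches a hunt rule."""
    findings = []
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            img = ev["image"]
            # Rule 1: the signed Canon host binary started from a user-writable path
            if ntpath.basename(img).lower() == SIDELOAD_HOST and USER_WRITABLE.search(img):
                findings.append(("signed_host_in_user_dir", pid, img))
        elif kind == "image_load":
            dll, host = ev["loaded"], ev["image"]
            # Rule 2: an unsigned DLL loaded from the host's own directory (side-loading)
            if (not ev["signed"] and ntpath.basename(host).lower() == SIDELOAD_HOST
                    and ntpath.dirname(dll).lower() == ntpath.dirname(host).lower()):
                findings.append(("unsigned_sibling_dll", pid, dll))
        elif kind == "registry_set":
            m = RUN_KEY.search(ev["target"])
            # Rule 3: Run-key persistence named CanonPrinter or pointing at a staging folder
            if m and (m.group(1).lower() == "canonprinter"
                      or USER_WRITABLE.search(ev["details"]) or in_staging_dir(ev["details"])):
                findings.append(("run_key_persistence", pid, ev["target"]))
        elif kind == "network":
            # Rule 4: contact with a known command server
            if ev["dest_host"].lower() in C2_DOMAINS:
                findings.append(("known_c2_domain", pid, ev["dest_host"]))
            # Rule 5: a browser User-Agent sent by something that is not a browser
            if ("msie 9.0" in ev.get("user_agent", "").lower()
                    and ntpath.basename(ev["image"]).lower() not in BROWSERS):
                findings.append(("browser_ua_from_non_browser", pid, ev["image"]))
    return findings


def suspicious_pids(events) -> dict:
    """Group findings by process so one compromised host shows up as one story."""
    grouped = {}
    for rule, pid, detail in analyze_events(events):
        grouped.setdefault(pid, []).append((rule, detail))
    return grouped


# Constructed telemetry: one infected session (pid 4120) plus benign noise.
IE9_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"  # assumed
TMP = r"C:\Users\diplomat\AppData\Local\Temp"
CANON_DIR = r"C:\Program Files\Canon\Utility"  # assumed benign install path
EVENTS = [
    {"type": "process_create", "pid": 4120, "image": TMP + r"\cnmpaui.exe", "signed": True},
    {"type": "image_load", "pid": 4120, "image": TMP + r"\cnmpaui.exe",
     "loaded": TMP + r"\cnmpaui.dll", "signed": False},
    {"type": "registry_set", "pid": 4120,
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\CanonPrinter",
     "details": r"C:\Users\diplomat\AppData\Roaming\SamsungDriver\cnmpaui.exe"},
    {"type": "network", "pid": 4120, "image": TMP + r"\cnmpaui.exe",
     "dest_host": "racineupci.org", "dest_port": 443, "user_agent": IE9_UA},
    # benign: the same utility from its install path, a system DLL, a real browser
    {"type": "process_create", "pid": 5000, "image": CANON_DIR + r"\cnmpaui.exe", "signed": True},
    {"type": "image_load", "pid": 5000, "image": CANON_DIR + r"\cnmpaui.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"type": "network", "pid": 6000, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "dest_host": "example.org", "dest_port": 443, "user_agent": IE9_UA},
]

if __name__ == "__main__":
    for pid, hits in suspicious_pids(EVENTS).items():
        print(pid, hits)
```

Rules 1 and 2 are the ones worth keeping after this campaign is over: a signed vendor binary running from a user-writable directory with an unsigned same-named DLL beside it is the generic shape of DLL side-loading, whatever the vendor and whatever the domains of the day.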

For normal users:

  • Be sceptical about email attachments, even if they look professional
  • Watch the file extension: an ‘Agenda.pdf’ should not suddenly be called ‘Agenda.pdf.lnk’
  • If in doubt, ask the sender, but not by replying to the suspicious email; use another channel (telephone, a separate chat)
  • Keep your system up to date (even if there is no patch for this particular weakness yet, updates protect against many other attacks)

The bigger picture

This campaign is a prime example of state-level modern cyber espionage:

  • Patient: The attackers take their time to select victims and craft tailor-made lures
  • Professional: Multi-layered attacks with encryption, camouflage mechanisms and anti-analysis tricks
  • Targeted: No indiscriminate attacks, but precise selection of high-value targets
  • Persistent: Once inside, they stay undetected and collect data for months or years

This is not cybercrime in the classical sense (no ransomware, no stolen credit cards); it is strategic espionage in the digital age. And it works frighteningly well.

Conclusion

The UNC6384 campaign impressively demonstrates how sophisticated modern cyberattacks are. From psychological manipulation (social engineering) to technical sophistication (DLL side-loading, encryption) to operational security (changing folders, legitimate software as camouflage): this is the work of real professionals.

For European diplomatic institutions, this is a wake-up call: Digital security is just as important as physical security. A compromised system can do as much damage as an infiltrated spy, only faster and harder to detect.

The good news? With attention and proper security measures, many of these attacks can be prevented or at least detected early. The bad news? The attackers do not sleep and are becoming ever more creative.

Stay vigilant out there!