Mustang Panda Abuses Unpatched Windows LNK Vulnerability (CVE-2025-9491) to Deploy PlugX in Europe

CyberSecureFox 🦊

China-linked threat actor UNC6384 (Mustang Panda) has mounted a coordinated cyber-espionage campaign against European diplomatic and government organizations by exploiting an unpatched Windows shortcut flaw, CVE-2025-9491. Research from Arctic Wolf and StrikeReady indicates the group is using the LNK parsing weakness to stealthily deliver the PlugX remote access trojan and gain persistent control of targeted systems.

Targeting and delivery: spear-phishing LNKs aimed at European diplomacy

The activity has been observed across Hungary, Belgium, Italy, the Netherlands, and Serbia between September and October 2025. Initial access relies on targeted phishing emails that embed URLs to malicious .lnk files. Lures reference NATO-themed procurement workshops, European Commission border-control meetings, and other multilateral diplomatic events, increasing click-through rates and evading basic email gateway heuristics.

Technical analysis: CVE-2025-9491 and the intrusion chain

CVE-2025-9491 (CVSS 7.0) is a Windows shortcut processing vulnerability that allows adversaries to conceal malicious command-line parameters within an LNK’s metadata using whitespace manipulation. When a user opens the shortcut, the operating system executes attacker-defined commands with minimal visual cues, enabling quiet initial code execution.
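The whitespace trick described above lives in the shortcut's COMMAND_LINE_ARGUMENTS string, so a defender can triage suspicious .lnk files offline by reading that field and measuring the padding. The scanner below is an added example (not code from the article, Arctic Wolf, or StrikeReady): it implements a minimal reader for the ShellLinkHeader, LinkTargetIDList, LinkInfo and StringData layout from the MS-SHLLINK specification, then flags shortcuts whose arguments contain a long run of whitespace or whose target is a script host. The padding threshold, the `build_lnk` fixture and the sample shortcuts are constructed for the demonstration.

```python
"""Triage .lnk files for whitespace-padded arguments (added example)."""
import ntpath
import struct
from dataclasses import dataclass

HEADER_SIZE = 0x4C  # fixed ShellLinkHeader length per MS-SHLLINK
# LinkFlags bits that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
IS_UNICODE = 0x80

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe")
PADDING_THRESHOLD = 32  # constructed threshold; legitimate shortcuts rarely pad arguments at all


@dataclass
class LnkStrings:
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""


def parse_lnk(data: bytes) -> LnkStrings:
    """Walk the header, skip the optional ID list and LinkInfo, read StringData in order."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize covers the whole block
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        width = 2 if unicode else 1
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        return raw.decode("utf-16-le" if unicode else "cp1252")

    out = LnkStrings()
    if flags & HAS_NAME:
        read_string()  # NAME_STRING: consumed to keep the cursor aligned
    if flags & HAS_RELATIVE_PATH:
        out.relative_path = read_string()
    if flags & HAS_WORKING_DIR:
        out.working_dir = read_string()
    if flags & HAS_ARGUMENTS:
        out.arguments = read_string()
    return out


def longest_whitespace_run(text: str) -> int:
    """Length of the longest run of consecutive whitespace (Unicode-aware via str.isspace)."""
    best = cur = 0
    for ch in text:
        cur = cur + 1 if ch.isspace() else 0
        best = max(best, cur)
    return best


def assess(data: bytes) -> dict:
    """Apply the two heuristics and return the visible (stripped) argument string."""
    s = parse_lnk(data)
    run = longest_whitespace_run(s.arguments)
    target = ntpath.basename(s.relative_path).lower()
    findings = []
    if run >= PADDING_THRESHOLD:
        findings.append(f"argument field padded with {run} consecutive whitespace characters")
    if target in SCRIPT_HOSTS and s.arguments.strip():
        findings.append(f"shortcut launches script host {target} with arguments")
    return {"suspicious": bool(findings), "findings": findings, "arguments": s.arguments.strip()}


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture: minimal ShellLink carrying only RELATIVE_PATH and ARGUMENTS."""
    header = struct.pack("<I", HEADER_SIZE)
    header += bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID, little-endian
    header += struct.pack("<I", HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, sizes, reserved

    def sd(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + sd(relative_path) + sd(arguments)


# Constructed samples: an ordinary shortcut and one with padded script-host arguments.
BENIGN_LNK = build_lnk(r"..\..\..\Windows\notepad.exe", "agenda.txt")
PADDED_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       " " * 300 + '-w hidden -c "echo constructed-sample"')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, assess(blob))
```

Real shortcuts usually carry a LinkTargetIDList rather than a relative path, so in production the target should also be resolved from the ID list; the padding measurement is independent of that and is the signal that a Properties dialog cannot show.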

In the documented cases, opening the LNK launches PowerShell to decode and extract a TAR archive while simultaneously displaying a benign-looking PDF decoy. The archive bundles a legitimate Canon Printer Assistant executable, a malicious loader DLL dubbed CanonStager, and an encrypted PlugX payload (cnmplog.dat). The attackers leverage DLL side-loading so that the trusted Canon binary loads the attacker’s DLL, which then decrypts and launches PlugX.

PlugX capabilities and resilience

PlugX—also tracked as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG—grants full remote access for command execution, keystroke logging, file exfiltration and staging, and persistence via registry modifications. Its modular design supports plugin-based feature expansion, and the malware includes anti-analysis and anti-debug routines to frustrate static and dynamic inspection.

Evolving TTPs: leaner loaders and HTA-based delivery

Researchers note rapid tool refinements. The CanonStager component has been reduced from roughly 700 KB to about 4 KB, signaling deliberate footprint minimization and an effort to reduce detections. Since early September, the actor has also adopted HTML Application (HTA) files that retrieve JavaScript from a subdomain on cloudfront[.]net, adding flexibility and redundancy to its delivery paths.

Why risk remains high: widespread abuse and no vendor patch

Evidence suggests the LNK flaw has been exploitable since at least 2017. In March 2025, Trend Micro reported broad, in-the-wild abuse by both state-aligned and criminal groups, including Evil Corp, APT43/Kimsuky, Bitter, APT37, Mustang Panda, SideWinder, RedHotel, and Konni. Despite visibility and ongoing exploitation, no official Microsoft patch is available at the time of writing; Microsoft has pointed to detection in Microsoft Defender and protections via Smart App Control, which do not fully mitigate the underlying parsing issue.

Mitigation and detection: practical steps for defenders

Organizations can reduce exposure by limiting or blocking LNK execution where feasible using WDAC or AppLocker, and by disabling HTA through mshta.exe blocking and Attack Surface Reduction rules. Strengthen email defenses with rigorous URL inspection, attachment sandboxing, and enforced DMARC, DKIM, and SPF.

Enhance detection by monitoring for PowerShell spawned from shortcuts, unexpected TAR extraction, launch of Canon utilities from nonstandard directories, and signs of DLL side-loading. Enable comprehensive EDR telemetry, apply PowerShell Constrained Language Mode, restrict local administrator privileges, and enforce egress filtering against known command-and-control infrastructure.
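The four detection signals listed above can be expressed as simple rules over process-creation and image-load telemetry. The hunt below is an added example (not from the article or the cited vendors): field names follow Sysmon conventions (EventID 1 ProcessCreate with Company metadata, EventID 7 ImageLoad with a Signed flag), while the directory lists, the rules and the sample events are constructed here. The executable and DLL names in the samples are placeholders, since the article gives neither the Canon binary's file name nor the loader's on-disk name.

```python
"""Hunt constructed endpoint telemetry for the LNK-to-PlugX chain's observable stages (added example)."""
import ntpath
import re

# Constructed lists: staging areas a user can write to, and where vendor software is expected.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\downloads", r"\programdata")
TRUSTED_APP_DIRS = (r"c:\program files", r"c:\windows")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe")


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def _trusted_dir(path: str) -> bool:
    return any(path.lower().startswith(d) for d in TRUSTED_APP_DIRS)


def rule_script_host_from_explorer(ev: dict):
    """Opening a shortcut makes explorer.exe the direct parent of the shortcut's target."""
    if ev["EventID"] == 1 and ntpath.basename(ev["ParentImage"]).lower() == "explorer.exe" \
            and ntpath.basename(ev["Image"]).lower() in SCRIPT_HOSTS:
        return "script host launched directly by explorer.exe (shortcut-style launch)"
    return None


_TAR_EXTRACT = re.compile(r"\btar(?:\.exe)?\b[^&|;]*\s-[a-zA-Z]*x")


def rule_tar_extraction(ev: dict):
    """tar extraction (native tar.exe or scripted through PowerShell) into a user-writable directory."""
    cmd = ev.get("CommandLine", "")
    if ev["EventID"] == 1 and _TAR_EXTRACT.search(cmd) and _user_writable(cmd):
        return "tar archive extracted into a user-writable directory"
    return None


def rule_vendor_binary_outside_install_dir(ev: dict):
    """A Canon-attributed utility running outside the usual vendor install locations."""
    if ev["EventID"] == 1 and "canon" in ev.get("Company", "").lower() and not _trusted_dir(ev["Image"]):
        return "Canon utility executed from a non-standard directory"
    return None


def rule_dll_sideload(ev: dict):
    """Unsigned DLL loaded from the host process's own, user-writable directory."""
    if ev["EventID"] != 7:
        return None
    same_dir = ntpath.dirname(ev["ImageLoaded"]).lower() == ntpath.dirname(ev["Image"]).lower()
    if same_dir and ev.get("Signed", "").lower() == "false" and _user_writable(ev["ImageLoaded"]):
        return "unsigned DLL side-loaded from the host process's directory"
    return None


RULES = (rule_script_host_from_explorer, rule_tar_extraction,
         rule_vendor_binary_outside_install_dir, rule_dll_sideload)


def hunt(events):
    """Return (image basename, finding) pairs for every rule that fires on each event."""
    hits = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((ntpath.basename(ev["Image"]), finding))
    return hits


# Constructed sample telemetry. PrinterAssistant.exe and loader.dll are placeholder names.
STAGE = r"C:\Users\analyst\AppData\Local\Temp\briefing"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\notepad.exe",
     "CommandLine": "notepad.exe agenda.txt", "Company": "Microsoft Corporation"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f'powershell.exe -w hidden -c "tar -xf {STAGE}\\pkg.tar -C {STAGE}"',
     "Company": "Microsoft Corporation"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": STAGE + r"\PrinterAssistant.exe", "CommandLine": "PrinterAssistant.exe",
     "Company": "Canon Inc."},
    {"EventID": 7, "Image": STAGE + r"\PrinterAssistant.exe",
     "ImageLoaded": STAGE + r"\loader.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for image, finding in hunt(SAMPLE_EVENTS):
        print(f"{image}: {finding}")
```

Each rule is weak on its own (administrators do run tar, and explorer.exe legitimately launches PowerShell), which is why the chain is best scored as a sequence on one host: shortcut-style script-host launch, extraction into a temp directory, then a vendor-attributed binary and an unsigned DLL from that same directory within a short window.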

The Mustang Panda activity underscores how “everyday” Windows features such as LNK files can be repurposed for stealthy espionage when a vendor patch is absent. A defense-in-depth posture—combining strict application control, robust script monitoring, network egress governance, and targeted threat hunting—materially lowers the likelihood that CVE-2025-9491 exploitation will result in a durable foothold via PlugX. Investing in user awareness against tailored diplomatic lures further reduces initial access success.
