Overview
- Arctic Wolf Labs ties the campaign to UNC6384 (also known as Mustang Panda), with StrikeReady corroborating recent targeting expansion across Europe.
- Spearphishing lures referencing NATO workshops and European Commission meetings delivered weaponized .LNK files that concealed malicious command-line arguments.
- The execution chain invoked PowerShell to unpack a tar archive, then used DLL sideloading of a legitimately signed but expired Canon utility to run an encrypted PlugX payload.
- Targets included diplomats in Belgium, Hungary, Italy, and the Netherlands, as well as Serbian government aviation departments during September and October 2025.
- The exploited vulnerability, tracked as CVE-2025-9491, was disclosed in March and remains unpatched, with researchers advising defenders to restrict .LNK usage and block identified command-and-control infrastructure.
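The chain above starts with a shortcut whose real command line is hidden from the user. As an added example, not code from Arctic Wolf, StrikeReady or the article, the script below parses the StringData section of a .LNK file per the public MS-SHLLINK layout, then flags two things a defender triaging such lures would look for: a long run of leading whitespace in COMMAND_LINE_ARGUMENTS (the padding trick CVE-2025-9491 describes, which keeps the arguments out of the Properties dialog) and references to PowerShell or tar. The function names and the padded sample shortcut are constructed for this illustration.

```python
import struct

# LinkFlags bits and StringData order from the public MS-SHLLINK specification
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")]

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (name, arguments, ...) of a .LNK file."""
    if struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:            # skip LinkTargetIDList: 2-byte size, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:          # skip LinkInfo: its 4-byte size covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:   # each present field: CountCharacters, then the text
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def flag_lnk(data: bytes, max_pad: int = 16) -> list:
    """Reasons a shortcut deserves analyst attention (empty list means none found)."""
    args = parse_lnk_strings(data).get("arguments", "")
    reasons = []
    pad = len(args) - len(args.lstrip())
    if pad > max_pad:                 # padding pushes the real command out of the Properties view
        reasons.append(f"{pad} leading whitespace chars hide the arguments")
    hits = [w for w in ("powershell", "tar ") if w in args.lower()]
    if hits:                          # the chain described above: PowerShell unpacking a tar archive
        reasons.append("interpreter/archive tooling in arguments: " + ", ".join(hits))
    return reasons

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .LNK (header + two Unicode StringData fields) for testing only."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + bytes(16) + struct.pack("<I", flags) + bytes(0x4C - 24)
    enc = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments)

# Constructed sample, not a real lure: a benign-looking shortcut with padded arguments
SAMPLE = build_lnk("cmd.exe", " " * 300 + "/c powershell -w hidden tar -xf invite.tar")
```

Run `flag_lnk(open(path, "rb").read())` over quarantined attachments; a shortcut with hundreds of leading spaces before its command is worth a manual look regardless of which keywords appear.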