Overview
- Arctic Wolf Labs attributes the September–October 2025 espionage to UNC6384, linked to Mustang Panda, with high confidence based on tooling, procedures, targeting, and infrastructure overlaps.
- Targets included diplomats in Belgium, Hungary, Italy, and the Netherlands, as well as Serbian government aviation departments, using lures tied to EU and NATO events.
- The operation abuses CVE-2025-9491 in .LNK files: the shortcut's command-line arguments are padded with whitespace so the Windows Properties dialog does not show them, hiding a PowerShell command that extracts a TAR archive and runs a legitimate Canon executable, which sideloads the CanonStager loader and decrypts and loads a PlugX payload while a decoy PDF is shown to the user.
- Microsoft has not issued a security update since the flaw was disclosed in March 2025 and has previously pointed to Defender and Smart App Control as mitigations, prompting the researchers to recommend restricting or blocking .LNK files from untrusted sources and blocking the known command-and-control infrastructure.
- Researchers observed rapid iteration, including the CanonStager loader shrinking from roughly 700 KB to about 4 KB, and a geographic expansion from the group's earlier Southeast Asia focus to European diplomatic entities.
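The practical check a defender wants for this technique is a parser that pulls the COMMAND_LINE_ARGUMENTS field out of a shortcut and measures how much whitespace precedes the real command, since that padding is what keeps the arguments out of the Properties dialog. The script below is an added example, not code from Arctic Wolf Labs or from the campaign; it follows the public MS-SHLLINK layout (76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData fields in fixed order), the padding threshold of 16 characters is an arbitrary assumption, and the two .LNK blobs it scans are constructed inline rather than taken from any real sample.

```python
import re
import struct

# Shell Link (MS-SHLLINK) constants
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_DATA_ORDER = (  # StringData fields always appear in this order
    ("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)
PAD_CHARS = " \t\n\v\f\r"  # whitespace the Target box renders as nothing
INTERPRETERS = re.compile(r"(?i)\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32)\b")


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip LinkTargetIDList/LinkInfo if present, and
    return the StringData fields (name, relative_path, working_dir, ...)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    for key, bit in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no NUL
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[key] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


def analyse_arguments(args: str, target: str = "", max_padding: int = 16) -> dict:
    """Flag an argument string whose real content sits behind a long run of
    whitespace, the pattern that hides it from the shortcut's Target box."""
    stripped = args.lstrip(PAD_CHARS)
    leading = len(args) - len(stripped)
    return {
        "leading_pad": leading,
        "pad_chars": sorted({hex(ord(c)) for c in args[:leading]}),
        "hidden_command": stripped,
        # target comes from RELATIVE_PATH here; real files may carry it only in
        # the IDList/LinkInfo, so treat a miss on this field as inconclusive
        "launches_interpreter": bool(INTERPRETERS.search(target + " " + stripped)),
        "suspicious": leading > max_padding and bool(stripped),
    }


def scan_lnk(data: bytes) -> dict:
    """Parse a .LNK and report whether its arguments use the padding trick."""
    fields = parse_lnk(data)
    verdict = analyse_arguments(fields.get("arguments", ""),
                                fields.get("relative_path", ""))
    return {"fields": fields, "verdict": verdict}


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .LNK (header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS)
    so the scanner can run offline; not a sample from the campaign."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x80,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: a padded PowerShell launcher and an ordinary shortcut.
PADDED_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "\t" * 100 + " " * 200 + '-nop -w hidden -c "tar -xf %TEMP%\\bundle.tar"',
)
BENIGN_LNK = build_lnk(r"..\..\Windows\notepad.exe", "readme.txt")

if __name__ == "__main__":
    for label, blob in (("padded", PADDED_LNK), ("benign", BENIGN_LNK)):
        v = scan_lnk(blob)["verdict"]
        print(f"{label}: suspicious={v['suspicious']} pad={v['leading_pad']} "
              f"chars={v['pad_chars']} cmd={v['hidden_command'][:40]!r}")
```

Run it over a directory of shortcuts extracted from mail attachments or archives and alert on `suspicious` together with `launches_interpreter`; a legitimate shortcut has no reason to open its arguments with hundreds of tabs and spaces, so the padding count alone is a strong signal even before the hidden command is decoded.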