Overview
- Arctic Wolf Labs publicly detailed a September–October campaign and attributed it with high confidence to UNC6384, also known as Mustang Panda.
- Targets included diplomatic entities in Belgium, Hungary, Italy, and the Netherlands, as well as Serbian government aviation departments.
- The operation used malicious .LNK files exploiting CVE-2025-9491 to launch a PowerShell-driven chain that extracted a tar archive and sideloaded a signed Canon utility to run an encrypted PlugX payload.
- Phishing lures mirrored EU and NATO-themed meetings, and the shortcut exploit hid command-line arguments with whitespace padding to evade user inspection.
- Microsoft has not released a fix for CVE-2025-9491, so researchers advise restricting .LNK usage and blocking the identified command-and-control infrastructure; they also note the adversary's rapid adoption of the flaw and evolving delivery methods, including HTA loaders sourced from CloudFront.
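As an added example that is not part of the Arctic Wolf report, the following Python triage script shows how a defender can surface the whitespace-padding trick described above without opening the shortcut in Explorer: it parses the MS-SHLLINK header and StringData of a .LNK file, pulls out the COMMAND_LINE_ARGUMENTS string, and flags long runs of whitespace or a script host named in the arguments. The sample shortcuts are constructed in memory by a small fixture builder (benign `Get-Date` command) purely to exercise the parser; the padding threshold and the list of script hosts are assumptions chosen for illustration, not values from the campaign.

```python
"""Triage .LNK files for padded command-line arguments (MS-SHLLINK format).
Constructed example: the shortcuts below are built in memory as fixtures and
are not artifacts from the reported campaign."""
import struct

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the MS-SHLLINK specification
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Assumed watch-list of script hosts that rarely belong in a document shortcut
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "cmd.exe", "wscript", "cscript")


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip IDList/LinkInfo by their size fields, decode StringData."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags}
    # StringData entries appear in this fixed order, each only if its flag is set
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * (2 if unicode else 1)]
        pos += len(raw)
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def longest_whitespace_run(s: str) -> int:
    """Length of the longest consecutive whitespace run in s."""
    best = cur = 0
    for ch in s:
        cur = cur + 1 if ch.isspace() else 0
        best = max(best, cur)
    return best


def triage_lnk(data: bytes, pad_threshold: int = 16) -> dict:
    """Return findings for one shortcut. pad_threshold is an assumed tuning value."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    run = longest_whitespace_run(args)
    findings = []
    if run >= pad_threshold:
        findings.append(f"arguments contain a run of {run} whitespace characters")
    lowered = (info.get("relative_path", "") + " " + args).lower()
    hosts = [h for h in SCRIPT_HOSTS if h in lowered]
    if hosts:
        findings.append(f"script host referenced: {', '.join(hosts)}")
    return {"arguments": args.strip(), "whitespace_run": run,
            "findings": findings, "suspicious": bool(findings)}


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture: minimal unicode shortcut with only
    RELATIVE_PATH and COMMAND_LINE_ARGUMENTS populated."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20,      # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,   # creation/access/write times left zero
                         0, 0, 1,   # FileSize, IconIndex, ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1..3

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: an ordinary document shortcut and one whose real
# arguments sit behind 300 spaces, so the Properties dialog shows nothing.
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", "notes.txt")
PADDED_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       " " * 300 + "-NoProfile -Command Get-Date")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, triage_lnk(blob))
```

The parser stops after StringData, so a shortcut with ExtraData blocks is still handled; to run it over a mail quarantine or a user's Downloads folder, read each `.lnk` file in binary mode and pass the bytes to `triage_lnk`. The whitespace-run check is what exposes the padding trick independently of how the shortcut is rendered; the script-host check is a cheap second signal, and both thresholds should be tuned against a baseline of legitimate shortcuts in the environment.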