UNC6384 (Mustang Panda) Leverages Unpatched Windows Vulnerability CVE-2025-9491 to Deploy PlugX RAT Against European Targets

Executive Summary

A sophisticated cyber-espionage campaign attributed to the China-linked threat actor UNC6384 (with ties to Mustang Panda) is actively exploiting an unpatched Windows vulnerability, CVE-2025-9491, to target European diplomatic missions. The attackers use spear-phishing emails containing malicious shortcut (LNK) files to gain initial access. The vulnerability, a UI misrepresentation flaw, allows for the hidden execution of PowerShell commands, ultimately leading to the deployment of the PlugX remote access trojan (RAT). Despite its use by multiple state-sponsored actors and public disclosure, Microsoft has declined to patch the vulnerability, recommending reliance on security software like Microsoft Defender and Smart App Control.

Threat Overview

The campaign, observed since September 2025, marks an expansion of UNC6384's targeting from Southeast Asia to Europe. Victims include diplomatic and government entities in Hungary, Belgium, Italy, the Netherlands, and Serbia. The initial attack vector is a spear-phishing email with a URL pointing to a malicious LNK file. These shortcuts are disguised with themes relevant to the targets, such as European Commission meetings or NATO workshops, to increase the likelihood of execution. When a user clicks the LNK file, it triggers the exploit for CVE-2025-9491, initiating a malware delivery chain that results in the installation of the PlugX RAT, giving attackers persistent remote access and control over the compromised system for espionage purposes.

Technical Analysis

The attack chain leverages several well-known but effective techniques, centered around the unpatched vulnerability.

1. Initial Access (T1566.002 - Spearphishing Link): Targets receive emails with links to download ZIP archives containing malicious LNK files.
2. Execution (T1204.002 - Malicious File): The user is tricked into executing the LNK file, believing it to be a legitimate document.
3. Defense Evasion (T1218.014 - System Binary Proxy Execution: Mspaint): The vulnerability CVE-2025-9491 is a UI misrepresentation flaw where an attacker can embed command-line arguments in a shortcut's 'Target' field, padded with a large amount of whitespace to hide them from the user interface. When executed, the shortcut runs these hidden arguments.
4. Execution (T1059.001 - PowerShell): The hidden arguments in the LNK file execute an obfuscated PowerShell script. This script is responsible for the subsequent stages of the malware deployment.
5. Defense Evasion (T1574.002 - DLL Side-Loading): The PowerShell script initiates a DLL side-loading attack. It uses a legitimate, signed Canon printer utility, cnmpaui.exe, to load a malicious DLL. This technique helps the malware evade detection by appearing as a legitimate process.
6. Payload Deployment: The malicious DLL is a loader for the final payload, the PlugX RAT. Once active, PlugX establishes a C2 channel, allowing the attackers to exfiltrate data, execute commands, and maintain persistence.

Impact Assessment

The primary impact of this campaign is cyber-espionage against high-value government and diplomatic targets. The successful deployment of PlugX could lead to the large-scale theft of sensitive political, economic, and military information, undermining diplomatic negotiations and national security. For the affected organizations, the breach represents a significant security failure, requiring costly incident response, forensic analysis, and remediation efforts. The fact that the vulnerability is unpatched and Microsoft has no immediate plans to fix it poses a persistent risk to all Windows users, as other threat actors can easily adopt this technique.

Cyber Observables for Detection

Security teams should hunt for the following activities, which are indicative of this campaign:

Detection & Response

• Endpoint Detection and Response (EDR): Deploy EDR rules to detect and alert on the execution of LNK files that spawn PowerShell or cmd.exe. Monitor for the specific DLL side-loading pattern involving cnmpaui.exe and other legitimate signed binaries.
• Threat Hunting: Proactively hunt for LNK files on user desktops and in download folders with unusually large file sizes or properties containing excessive whitespace. Use file content analysis (D3-FA) to inspect LNK file targets.
• Log Analysis: Analyze process creation logs (Windows Event ID 4688) for the sequence of explorer.exe -> powershell.exe. Correlate this with network logs to identify C2 communications from unexpected processes. User behavior analysis (D3-UBA) can help spot anomalous process chains.
• Incident Response: If a compromise is suspected, isolate the affected host. Capture memory and disk images for forensic analysis to identify the full scope of the intrusion and any data exfiltrated.

Mitigation

Since no patch is available for CVE-2025-9491, organizations must rely on compensating controls.

1. User Training (M1017 - User Training): Train users to be suspicious of unsolicited emails, especially those containing links or attachments, and to never run files downloaded from untrusted sources.
2. Application Control (M1038 - Execution Prevention): Use application control solutions like Microsoft's Smart App Control or AppLocker to restrict the execution of untrusted LNK files and PowerShell scripts. This can be configured via executable allowlisting (D3-EAL).
3. Attack Surface Reduction (ASR): Implement ASR rules to block or audit process creations originating from LNK files and other script-based attacks.
4. Endpoint Protection: Ensure endpoint security solutions are configured to monitor PowerShell activity and detect malicious scripting. Enable behavior-based detection (D3-PBA) to identify anomalous process execution chains like the one used in this attack.
5. Network Egress Filtering: Restrict outbound network connections to only known-good destinations to block C2 communications from malware like PlugX.