{
	"id": "bc7f722b-47a9-4ae8-a82c-1595f4bb80c6",
	"created_at": "2026-04-06T00:11:24.572804Z",
	"updated_at": "2026-04-10T03:36:33.736277Z",
	"deleted_at": null,
	"sha1_hash": "f81680b4e46f787f341af8fbefff08de0e27455d",
	"title": "UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities - Arctic Wolf",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2633755,
	"plain_text": "UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX\r\nAgainst Hungarian and Belgian Diplomatic Entities - Arctic Wolf\r\nBy Arctic Wolf Labs\r\nPublished: 2025-10-30 · Archived: 2026-04-05 16:53:14 UTC\r\nThreat Actor Name: UNC6384\r\nTargeted Industries: Government, Diplomatic Services\r\nGeographic Focus: Hungary, Belgium, Serbia, Italy, Netherlands (broader European diplomatic community)\r\nExecutive Summary\r\nArctic Wolf Labs has identified an active cyber espionage campaign by Chinese-affiliated threat actor UNC6384 targeting\r\nEuropean diplomatic entities in Hungary, Belgium, and additional European nations during September and October 2025.\r\nThe campaign represents a tactical evolution incorporating the exploitation of ZDI-CAN-25373, a Windows shortcut\r\nvulnerability disclosed in March 2025, alongside refined social engineering leveraging authentic diplomatic conference\r\nthemes.\r\nThe attack chain begins with spearphishing emails containing an embedded URL that is the first of several stages that lead to\r\nthe delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and\r\nmultilateral diplomatic coordination events. These files exploit the recently disclosed Windows vulnerability to execute\r\nobfuscated PowerShell commands that extract and deploy a multi-stage malware chain, culminating in PlugX remote access\r\ntrojan (RAT) deployment through DLL side-loading of legitimate signed Canon printer assistant utilities.\r\nThis campaign demonstrates UNC6384’s capability for rapid vulnerability adoption within six months of public disclosure,\r\nadvanced social engineering leveraging detailed knowledge of diplomatic calendars and event themes, and operational\r\nexpansion from traditional Southeast Asia targeting to European diplomatic entities. 
The threat actor maintains multiple\r\nparallel operational approaches, including the captive portal hijacking methodology documented by the Google Threat\r\nIntelligence Group alongside the direct spearphishing approach observed by Arctic Wolf Labs.\r\nArctic Wolf Labs assesses with high confidence that this campaign is attributable to UNC6384. This attribution is based on\r\nmultiple converging lines of evidence including malware tooling, tactical procedures, targeting alignment, and infrastructure\r\noverlaps with previously documented UNC6384 operations.\r\nKey Findings:\r\nUNC6384 rapidly adopted the ZDI-CAN-25373 Windows vulnerability within six months of its March 2025\r\ndisclosure.\r\nThis campaign targets Hungarian and Belgian diplomatic entities, with expansion across the broader European\r\ndiplomatic community.\r\nSocial engineering leverages diplomatic conference details including European Commission border facilitation\r\nmeetings and NATO defense procurement workshops.\r\nThe multi-stage attack chain employs DLL side-loading of legitimate signed Canon printer utilities.\r\nPlugX malware deployed via in-memory execution establishes a persistent remote-access capability within targeted\r\nenvironments, enabling covert intelligence collection.\r\nC2 infrastructure includes racineupci[.]org, dorareco[.]net, naturadeco[.]net, and additional domains.\r\nThe CanonStager loader evolved from approximately 700KB to 4KB in size between September and October 2025,\r\nindicating active development.\r\nIntroducing UNC6384\r\nUNC6384 is a Chinese-affiliated cyber espionage threat actor recently documented by Google’s Threat Intelligence Group.\r\nThe group has demonstrated a persistent focus on diplomatic entities, having previously targeted diplomats in the Southeast\r\nAsia region before expanding operations to European diplomatic targets. 
UNC6384 employs multi-faceted execution chains\r\nthat combine social engineering, traffic manipulation techniques, digitally signed downloaders, and memory-resident\r\nmalware deployment to achieve operational objectives.\r\nThe threat actor specializes in deploying variants of PlugX malware, which Google tracks as SOGU.SEC. PlugX has been\r\nactively used since at least 2008 and remains a favored tool among Chinese-nexus threat actors due to its modular\r\narchitecture, extensive remote access capabilities, and evolving evasion techniques.\r\nUNC6384 is believed to have associations with the well-established People’s Republic of China (PRC) threat actor Mustang\r\nPanda, also tracked as TEMP.Hex. Both groups share multiple operational characteristics including targeting profiles\r\nfocused on government sectors, overlapping command and control (C2) infrastructure, deployment of PlugX malware\r\nhttps://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/\r\nPage 1 of 22\n\nvariants, and utilization of DLL side-loading techniques for payload execution. Google’s attribution assessment is based on\r\nsimilarities in tooling, tactics, procedures, practices, targeting alignment with PRC’s strategic interests, and infrastructure\r\noverlaps between the two groups.\r\nCampaign Overview and Attack Methodology\r\nArctic Wolf Labs identified a new campaign by UNC6384 specifically targeting Hungarian and Belgian diplomatic entities\r\nduring September and October 2025. This campaign represents a tactical evolution from the group’s previously documented\r\noperations, introducing exploitation of a recently disclosed Windows vulnerability alongside refined social engineering\r\napproaches.\r\nThe attack begins with targeted spearphishing emails that kick off several stages that lead to the delivery of malicious LNK\r\nfiles, themed around diplomatic meetings and conferences. 
These files leverage ZDI-CAN-25373, a Windows shortcut\r\nvulnerability disclosed in March 2025, that enables covert command execution through whitespace padding within the LNK\r\nfile’s COMMAND_LINE_ARGUMENTS structure.\r\nResearch from Trend Micro identified this vulnerability being exploited as a zero-day by multiple advanced persistent threat\r\n(APT) groups from North Korea, China, Russia, and Iran, for the purposes of espionage and data theft. UNC6384’s adoption\r\nof this technique demonstrates the group’s capability to rapidly integrate newly disclosed vulnerabilities into operational\r\ntradecraft.\r\nThe malicious LNK files use diplomatic conference themes as lures, including Agenda_Meeting 26 Sep Brussels.lnk, which\r\nreferences a European Commission meeting on facilitating the free movement of goods at EU-Western Balkans border\r\ncrossing points. Upon execution, the LNK file invokes PowerShell to decode and extract a tar (tape archive) archive file,\r\nwhich is then decompressed to deploy multiple components, including a legitimate signed Canon printer assistant utility, a\r\nmalicious DLL, and an encrypted payload file.\r\nThis campaign differs from UNC6384’s operations previously documented by Google Threat Intelligence Group, which\r\nemployed adversary-in-the-middle attacks through captive portal hijacking to deliver malware disguised as Adobe plugin\r\nupdates. Our findings indicate that UNC6384 maintains multiple parallel operational approaches adapted to specific target\r\nenvironments and access opportunities.\r\nTechnical Analysis\r\nStage 1: Initial Access via Malicious LNK File\r\nThe attack chain initiates with a weaponized LNK file, delivered to targets through spearphishing operations. 
The LNK file\r\nexploits ZDI-CAN-25373, a Windows shortcut vulnerability that allows the threat actor to execute commands covertly by\r\nadding whitespace padding within the COMMAND_LINE_ARGUMENTS structure.\r\nField Value\r\nName Agenda_Meeting 26 Sep Brussels.lnk\r\nSHA-256 911cccd238fbfdb4babafc8d2582e80dcfa76469fa1ee27bbc5f4324d5fca539\r\nFile Type .lnk file\r\nSize 2.58KB\r\nUpon execution, the LNK file invokes PowerShell with an obfuscated command that decodes a tar archive file named\r\nrjnlzlkfe.ta, which it saves to the AppData\\Local\\Temp directory. The PowerShell command then extracts the tar archive\r\nusing tar.exe -xvf and initiates execution of the contained cnmpaui.exe file. Simultaneously, a PDF decoy document is\r\ndisplayed, showing the authentic agenda for a European Commission meeting that was scheduled for September 26, 2025, in\r\nBrussels. This maintains the illusion of legitimate document access while malicious actions occur in the background.\r\nFigure 1: Decoy PDF document displaying European Commission meeting agenda on facilitating the free movement of\r\ngoods at EU-Western Balkans border crossing points.\r\nStage 2: DLL Side-Loading via Legitimate Signed Binary\r\nThe extracted tar archive contains three critical files that enable the attack chain through DLL side-loading, a technique that\r\nabuses the Windows DLL search order to load malicious code through legitimate applications. \r\nFigure 2: Contents of extracted tar archive showing three files: cnmpaui.dll (4KB), cnmpaui.exe (352KB), and cnmplog.dat\r\n(818KB).\r\nThe primary executable is a legitimate Canon printer assistant utility that possesses a valid digital signature from Canon Inc.,\r\nsigned with a certificate issued by Symantec Class 3 SHA256 Code Signing CA. 
Although the certificate expired on April\r\n19, 2018, Windows continues to trust binaries whose signatures include a valid timestamp proving they were signed while\r\nthe certificate was valid.\r\nField Value\r\nName cnmpaui.exe\r\nSHA-256 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3\r\nFile Type PE32 executable\r\nSize 352.67KB\r\nCertificate Issuer Symantec Class 3 SHA256 Code Signing CA\r\nCertificate Valid From July 9, 2015\r\nCertificate Valid Until April 19, 2018 (expired)\r\nFigure 3: Digital certificate information showing a valid Canon Inc. signature issued by Symantec, with a validity period\r\nfrom 2015 to 2018.\r\nThis legitimate binary is susceptible to DLL side-loading attacks. When cnmpaui.exe executes, it searches for cnmpaui.dll in\r\nits current directory before checking system directories. The threat actor exploits this behavior by planting a malicious\r\ncnmpaui.dll in the same directory.\r\nField Value\r\nName cnmpaui.dll\r\nSHA-256 e53bc08e60af1a1672a18b242f714486ead62164dda66f32c64ddc11ffe3f0df\r\nFile Type PE32 DLL\r\nSize 4.00KB\r\nThe malicious DLL functions as a lightweight loader designed to decrypt and execute the third file in the archive,\r\ncnmplog.dat, which contains the encrypted PlugX payload.\r\nStage 3: Encrypted Payload Decryption and In-Memory Execution\r\nThe cnmplog.dat file is an RC4-encrypted blob containing the PlugX malware. 
The malicious DLL decrypts this file using a\r\nhardcoded 16-byte RC4 key and loads the resulting PlugX payload directly into the address space of the legitimate\r\ncnmpaui.exe process, enabling the malware to execute within a trusted process context and evade detection mechanisms that\r\nrely on process reputation or executable file analysis.\r\nField Value\r\nName cnmplog.dat\r\nSHA-256 c9128d72de407eede1dd741772b5edfd437e006a161eecfffdf27b2483b33fc7\r\nFile Type Encrypted blob\r\nSize 817.09KB\r\nEncryption RC4 with 16-byte hardcoded key\r\nRC4 Key eQkiwoiuDsvIPsmd\r\nFigure 4: Hexadecimal view of cnmplog.dat showing encrypted content before decryption.\r\nThis three-stage execution flow completes the deployment of PlugX malware running stealthily within a legitimate signed\r\nprocess, significantly reducing the likelihood of detection by endpoint security solutions.\r\nFigure 5: Graph overview showing the high-level execution chain.\r\nPlugX Malware Analysis\r\nPlugX is a Remote Access Trojan (RAT) that was first observed in 2008. It has seen many evolutions and variations since\r\nthen, including as a modular malware, and it is a threat that remains actively deployed by Chinese-affiliated threat actors.\r\nThe malware provides comprehensive remote access capabilities including command execution, keylogging, file upload and\r\ndownload operations, persistence establishment, and extensive system reconnaissance functions. Its modular architecture\r\nallows operators to extend functionality through plugin modules tailored to specific operational requirements.\r\nPlugX operates under multiple aliases including Korplug, TIGERPLUG, and SOGU. 
The Google Threat Intelligence Group\r\ntracks the memory-resident variant deployed by UNC6384 as SOGU.SEC.\r\nAnalyzed Sample Details:\r\nSHA-256: 3fe6443d464f170f13d7f484f37ca4bcae120d1007d13ed491f15427d9a7121f\r\nMD5: dc1dba02ab1020e561166aee3ee8f5fb\r\nCompilation Timestamp: Friday, September 5, 2025, 05:15:45 UTC\r\nFile Type: x86 PE DLL\r\nLoading Phase Technical Details:\r\nAll PlugX variants observed in this campaign export the MSGInitialize function. The PE header of the decrypted DLL\r\ncontains shellcode that invokes this export at a specific offset. Analysis reveals the exported MSGInitialize implements\r\ncontrol-flow flattening by using a central dispatcher loop controlled by a state variable, a technique associated with\r\ncommercial obfuscators designed to complicate reverse engineering efforts.\r\nFigure 6: Graph overview showing control-flow flattening obfuscation pattern with a state machine dispatcher creating\r\ncomplex execution paths.\r\nBeneath the obfuscation layer, MSGInitialize walks the Process Environment Block (PEB) and Loader Data Table to\r\nenumerate loaded modules. The routine computes a rolling 32-bit hash using a bitwise rotate-left by 0x13 (19) bits on each\r\niteration (functionally equivalent to a ROR-13) and compares the resulting values against embedded constants to identify\r\nspecific modules. 
Notable hash values include 0x6A4ABC5B corresponding to KERNEL32.DLL and 0x3CFA685D\r\ncorresponding to NTDLL.DLL.\r\nOnce target modules are identified, the same hashing algorithm is applied to export names within those modules, comparing\r\nhashes to additional embedded constants to locate specific APIs required for loading and mapping portable executable (PE)\r\nfiles into memory.\r\nHash Value API Function Module\r\n0x8C394D89 NtProtectVirtualMemory ntdll.dll\r\n0xD33BCABD NtAllocateVirtualMemory ntdll.dll\r\n0x91AFCA54 VirtualAlloc kernel32.dll\r\n0x7946C61B VirtualProtect kernel32.dll\r\n0x7C0DFCAA GetProcAddress kernel32.dll\r\n0xEC0E4E8E LoadLibraryA kernel32.dll\r\n0xE54CC407 LdrGetProcedureAddress ntdll.dll\r\n0xEB6C8389 RtlAnsiStringToUnicodeString ntdll.dll\r\n0x7CC3283D RtlInitAnsiString ntdll.dll\r\n0x534C0AB8 NtFlushInstructionCache ntdll.dll\r\n0xB0988FE4 LdrLoadDll ntdll.dll\r\nFollowing API resolution, the code uses Reflective Code Loading to map the PE into memory and finalizes memory\r\nprotections. The module’s entry point is invoked twice in succession: first with the fdwReason parameter set to 1\r\ncorresponding to DLL_PROCESS_ATTACH for normal initialization, then immediately with a non-standard fdwReason\r\nvalue of 0x04, which the module recognizes as a signal to execute its payload. This loading methodology is consistent with\r\ntechniques previously documented by ESET in their most recent PlugX analysis.\r\nFigure 7: Disassembly code showing manual PE loading sequence with NtFlushInstructionCache call and DLL entry point\r\ninvocation.\r\nAnti-Analysis and Evasion Techniques:\r\nThe malware implements extensive anti-analysis measures, including heavy code obfuscation, multiple anti-debugging\r\nchecks (e.g., CheckRemoteDebuggerPresent), and numerous encrypted strings that are only decrypted at runtime. 
The code\r\ndemonstrates heavy obfuscation to prevent analysis, with control-flow flattening implemented by using a central dispatcher\r\nloop controlled by a state variable, patterns commonly associated with commercial obfuscators.\r\nThe payload also dynamically loads several system DLLs – user32.dll, shlwapi.dll, psapi.dll, version.dll, msvcrt.dll,\r\nwinhttp.dll, and ole32.dll – and resolves their APIs at runtime, with some API names derived from decrypted strings. These\r\nmodules supply the Windows APIs the malware uses during execution.\r\nPersistence Establishment:\r\nThe malware creates a hidden directory in one of several possible locations within the user profile and copies all extracted\r\nfiles to maintain persistent access. Directory names vary between infections and may include “SamsungDriver,” “Intelnet,”\r\n“VirtualFile,” “SecurityScan,” or “DellSetupFiles.” The malware establishes persistence through registry modification,\r\ncreating a value named “CanonPrinter” in the registry key `Software\\Microsoft\\Windows\\CurrentVersion\\Run` with the path\r\nset to the copied cnmpaui.exe location.\r\nFigure 8: Windows Registry Editor showing persistence mechanism via Run key entry pointing to cnmpaui.exe in\r\nSamsungDriver directory\r\nEach time the system launches, the directory name may change and all files are transferred to the new location, complicating\r\nforensic analysis and detection based on static file paths.\r\nCommand and Control Communication:\r\nUpon successful deployment, the malware establishes communication with C2 infrastructure using WinHTTP APIs. 
The\r\npayload employs a consistent user agent string across samples: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0;\r\n.NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729).\r\nFigure 9: Debugger output showing WinHttp.WinHttpConnect call preparing connection to the threat actor’s C2 server,\r\ndorareco[.]net.\r\nInitial check-in requests incorporate epoch timestamps and randomized URL parameters that likely contain victim\r\nfingerprinting data. Observed request patterns include:\r\n/download?t=1760103992\u0026LeQa=PKDugp\u0026VE=ZY6tyOYZWNxK2a\r\n/settings?t=1760106491\u0026D=XAl0cJ\u0026WB=qKVsKW7KF\u0026xRcH=dQ3SFEgr0v\u002678=dAi0sahua\r\nFigure 10: Debugger output showing WinHttpOpenRequest with epoch timestamp and encoded parameters for initial C2\r\ncommunication.\r\nThe parameter following the forward slash is randomly selected across requests (observed endpoints include /download,\r\n/settings, /profile, /bookmark, /help/? and /developer), suggesting dynamic request generation to complicate network-based\r\ndetection. 
Analysis indicates the epoch timestamp provides temporal context while additional parameters likely convey\r\nsystem fingerprinting information, though complete parameter decoding was not achieved within the analysis timeframe.\r\nPlugX Configuration Extraction:\r\nAnalysis of the encrypted payload reveals embedded configuration data containing operational parameters:\r\nSample 1 Configuration (Brussels-themed lure):\r\n{\r\n \"mutex\": \"uUbAmgDu\",\r\n \"lure_filename\": \"Agenda_Meeting 26 Sep Brussels_Facilitating the Free Movement of Goods at EU-WB BCPs.pdf\",\r\n \"c2\": [\r\n {\"host\": \"racineupci[.]org\", \"port\": 443, \"flags\": \"0x0001\"},\r\n {\"host\": \"racineupci[.]org\", \"port\": 443, \"flags\": \"0x0001\"},\r\n {\"host\": \"racineupci[.]org\", \"port\": 443, \"flags\": \"0x0001\"}\r\n ]\r\n}\r\nSample 2 Configuration (Copenhagen-themed lure):\r\n{\r\n \"mutex\": \"esUdgquBv\",\r\n \"lure_filename\": \"EPC invitation letter Copenhagen 1-2 October 2025.pdf\",\r\n \"c2\": [\r\n {\"host\": \"dorareco[.]net\", \"port\": 443, \"flags\": \"0x0001\"},\r\n {\"host\": \"dorareco[.]net\", \"port\": 443, \"flags\": \"0x0001\"},\r\n {\"host\": \"dorareco[.]net\", \"port\": 443, \"flags\": \"0x0001\"}\r\n ]\r\n}\r\nFigure 11: Memory dump showing embedded PlugX configuration with the C2 domain dorareco[.]net visible in plaintext.\r\nThe configuration specifies unique mutex names for each sample variant, references to the decoy PDF lures used in social\r\nengineering ploys, and C2 infrastructure utilizing HTTPS over port 443 for encrypted communications.\r\nCanonStager Evolution Analysis\r\nArctic Wolf Labs observed significant evolution in the CanonStager loader component between early September and\r\nOctober 2025, 
indicating active development and refinement of the malware delivery mechanism.\r\nEarly September Evolution\r\nTwo CanonStager samples showed substantial size reduction from approximately 700KB to approximately 100KB. These\r\nsamples retained the Thread Local Storage array data structure for storing function addresses resolved through custom API\r\nhashing algorithms. However, the samples demonstrated simplified execution flow with removal of the custom Windows\r\nprocedure and message queue functionality, reducing code complexity while maintaining core loader capabilities.\r\nEarly October Evolution\r\nThree CanonStager samples measuring approximately 4KB represent a dramatic simplification of the loader architecture.\r\nThis version eliminates previous complexity, including the TLS array for resolved API addresses, custom Windows\r\nprocedures, message queues, and threading mechanisms. The streamlined loader walks the Process Environment Block to\r\nlocate required modules, employs API hashing to resolve function addresses, stores these addresses in standard variables\r\nrather than TLS storage, performs RC4 decryption of the payload, and invokes execution via an EnumSystemGeoID\r\ncallback function.\r\nThe evolution from complex loaders to minimal, streamlined variants suggests operational adaptation based on detection\r\nchallenges or performance requirements. The latest 4KB version maintains essential functionality while dramatically\r\nreducing forensic footprint and analysis surface area.\r\nAn important technical distinction: the original Google Threat Intelligence Group sample was implemented in the D\r\nprogramming language and compiled with DMD compiler. 
In contrast, all three of the latest 4KB Arctic Wolf samples utilize\r\nC runtime libraries and employ general-purpose registers rather than XMM registers, indicating different development\r\napproaches or separate development teams within the UNC6384 operational structure.\r\nAlternative Delivery Mechanisms\r\nAlso observed in early September, Arctic Wolf identified UNC6384’s use of an HTA file configured to run invisibly in the\r\nbackground, which loads external JavaScript from a CloudFront URL. The JavaScript facilitated payload retrieval from the\r\nsame CloudFront-based C2 and served as a delivery mechanism for three critical files: cnmpaui.exe, cnmpauix.exe, and\r\ncnmplog.dat.\r\nField Value\r\nName XgPK9CpZENdh.js\r\nSHA-256 c3b7abcb583b90559af973dd18bf5ccba48d3323e5e2e8bc0b11ff54425e34dd\r\nFile Type JavaScript\r\nSize 4.86KB\r\nIn-The-Wild URL http[:]//d32tpl7xt7175h[.]cloudfront[.]net/XgPK9CpZENdh\r\nExecution Parent 7a49310a9192cab1aa05256b6ca0d0c1a54fe084b103ff4df2d17be9effa3300 (No.4638.hta)\r\nDelivered Payload\r\na7d12712673a4e3b6d62a9d84f124e62689da12f0a3ee6009369ecf469ce8182 (cnmplog.dat)\r\nee9295fa36e29808ff36beb55be328b68d82f267d2faa54db26e0bf86b78fa56 (cnmpaui.dll)\r\n4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3 (cnmpaui.exe)\r\nPlugX C2 Vnptgroup[.]it[.]com\r\nField Value\r\nName oxF3dIMDi339.js\r\nSHA-256 274adf7f60e0799b157e7524d503d345f6870010703fb6b56a3dd1e62b4de3e8\r\nFile Type JavaScript\r\nSize 4.88KB\r\nDelivered Payload\r\n716637a424bce58ff8c75e40b6e29c33318ff185af6e9e62d85b61e56a560eac (cnmpaui.dll)\r\n4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3 (cnmpaui.exe)\r\nPlugX C2 Vnptgroup[.]it[.]com\r\nNetwork Infrastructure Analysis\r\nUNC6384 maintains distributed C2 infrastructure utilizing multiple domains registered through various providers and\r\ngeographic regions. 
The infrastructure demonstrates operational security awareness through domain selection that mimics\r\nlegitimate organizational naming patterns, while maintaining geographic diversity to complicate takedown efforts.\r\nCommand and Control Infrastructure:\r\nThe campaign employs the following C2 domains, all configured to communicate over HTTPS port 443:\r\nPrimary Campaign Infrastructure:\r\nRacineupci[.]org (Hungarian/Belgian targeting)\r\nDorareco[.]net (Hungarian/Belgian targeting)\r\nOverlapping Campaign Infrastructure (identified through pivoting):\r\nnaturadeco[.]net (Serbian government targeting)\r\ncseconline[.]org (Belgian targeting)\r\nvnptgroup[.]it.com (Italian targeting)\r\npaquimetro[.]net (earlier campaign infrastructure)\r\nFigure 12: Network infrastructure visualization showing relationships between C2 domains, malware samples, decoy\r\ndocuments, and targeted entities across multiple European nations (Click to enlarge).\r\nInfrastructure analysis reveals registration patterns consistent with operational security practices employed by nation-state\r\nthreat actors. Domains are registered through different providers to prevent single-point disruption, employ HTTPS with\r\nvalid “Let’s Encrypt” certificates to avoid browser security warnings, and utilize naming conventions that superficially\r\nresemble legitimate organizations or technical services.\r\nPassive DNS analysis indicates C2 domains resolve to hosting infrastructure distributed across multiple autonomous systems\r\nand geographic locations, complicating network-based blocking efforts. 
The threat actor maintains multiple simultaneous C2\r\ndomains for operational redundancy, with individual samples configured to communicate with specific domains based on\r\ntarget or operational phase.\r\nVictimology and Target Analysis\r\nThis UNC6384 campaign demonstrates precise targeting of European diplomatic entities, with a focus on organizations\r\ninvolved in cross-border policy, defense cooperation, and multilateral coordination activities.\r\nConfirmed Targets\r\nHungarian Diplomatic Entities\r\nArctic Wolf identified malicious LNK files delivered to Hungarian diplomatic personnel using European Commission\r\nmeeting themes as lures. The “Agenda_Meeting 26 Sep Brussels” lure references an authentic Directorate-General for\r\nEnlargement and Eastern Neighbourhood meeting that was scheduled for September 26, 2025, in Brussels, addressing the\r\nharmonization of border procedures and facilitation of free movement of goods at EU-Western Balkans border crossing\r\npoints.\r\nBelgian Diplomatic Entities\r\nTargeting of Belgian diplomatic personnel was confirmed through delivery of lures themed around Joint Arms Training and\r\nEvaluation Centre workshops on wartime defense procurement scheduled for September 9-11, 2025. Belgium’s role as host\r\nnation for NATO headquarters and numerous EU institutions makes Belgian diplomatic entities valuable intelligence targets\r\nfor monitoring alliance activities and policy development.\r\nSerbian Government Entities\r\nStrikeReady research documented targeting of Serbian government aviation departments using lures themed around NAJU\r\nflight training plans for October 2025. 
This targeting aligns with Serbian government’s complex diplomatic position\r\nbalancing EU accession aspirations with traditional relationships with Russia and China, making Serbian government\r\ncommunications valuable for monitoring geopolitical alignment and policy trajectories.\r\nAdditional European Targeting\r\nInfrastructure analysis and malware sample pivoting identified additional campaigns targeting diplomatic entities in Italy\r\nand the Netherlands, with lures including “EPC invitation letter Copenhagen 1-2 October 2025” suggesting targeting around\r\nEuropean Political Community summit activities.\r\nTargeting Rationale\r\nThe geographic and thematic focus of this campaign indicates intelligence collection priorities aligned with PRC strategic\r\ninterests in European defense cooperation, cross-border infrastructure development, and multilateral diplomatic\r\ncoordination.\r\nSpecific targeting themes include:\r\nDefense and Security Cooperation\r\nLures referencing defense procurement workshops and military training suggest interest in NATO and EU defense\r\ninitiatives, procurement decisions, and military readiness assessments during the period of heightened European security\r\nconcerns following Russia’s invasion of Ukraine.\r\nCross-Border Infrastructure and Trade\r\nTargeting around EU-Western Balkans border facilitation and free movement of goods initiatives indicates intelligence\r\nrequirements concerning European supply chain resilience, infrastructure development in candidate countries, and trade\r\npolicy evolution affecting China’s economic interests.\r\nMultilateral Diplomatic Coordination\r\nFocus on European Commission meetings, European Political Community summits, and NATO-related events demonstrates\r\ninterest in understanding alliance cohesion, policy coordination mechanisms, and potential divisions or disagreements within\r\nEuropean multilateral frameworks.\r\nComparison with Historical Targeting\r\nGoogle’s March 2025 reporting 
documented UNC6384 targeting diplomats primarily in Southeast Asia, representing\r\ntraditional Chinese intelligence collection priorities in a region of direct territorial and economic interest. The expansion to\r\nEuropean diplomatic targeting observed in this campaign indicates either broadened operational mandate or deployment of\r\nadditional operational teams with geographic specialization. The consistency in tooling and techniques across both\r\ngeographic theaters suggests centralized tool development with regional operational deployment.\r\nAttribution Assessment\r\nArctic Wolf Labs assesses with high confidence that this campaign is attributable to UNC6384, a Chinese-affiliated cyber\r\nespionage threat actor. This attribution is based on multiple converging lines of evidence including malware tooling, tactical\r\nprocedures, targeting alignment, and infrastructure overlaps with previously documented UNC6384 operations.\r\nImpact Analysis\r\nSuccessful compromise of diplomatic entities by UNC6384 poses significant national security implications extending\r\nbeyond immediate data theft to encompass long-term intelligence collection, strategic positioning, and potential influence\r\noperations.\r\nIntelligence Collection Capabilities\r\nThe PlugX malware deployed in this campaign acts as a remote-access implant, providing persistent unauthorized control\r\nover compromised endpoints, and granting operators the ability to conduct exfiltration of classified or sensitive documents,\r\nmonitoring of real-time policy discussions and decision-making processes, collection of credentials for accessing diplomatic\r\nnetworks and partner systems, and surveillance of diplomatic calendars and travel plans.\r\nSuccessful long-term compromise enables collection of strategic intelligence concerning European foreign policy\r\ndevelopment, defense 
cooperation initiatives, economic policy coordination, negotiating positions for international\r\nagreements, internal assessments of geopolitical situations, and relationship dynamics within multilateral frameworks. This\r\nintelligence serves People’s Republic of China strategic planning by providing early warning of policy shifts, identifying\r\nopportunities for influence or division within alliances, understanding economic regulatory developments affecting Chinese\r\ninterests, and assessing military cooperation and capability development trends.\r\nOperational Security Implications\r\nThe campaign’s exploitation of ZDI-CAN-25373, a vulnerability disclosed in March 2025, within six months of public\r\ndisclosure demonstrates UNC6384’s capability for rapid vulnerability adoption. This timeline suggests either direct\r\nmonitoring of vulnerability disclosures with rapid development cycles, or potential pre-disclosure awareness through other\r\nintelligence channels. The group’s willingness to exploit vulnerabilities that have been publicly documented as actively\r\nbeing exploited by multiple nation-state actors indicates risk tolerance and confidence in success rates despite increased\r\ndefender awareness.\r\nThe evolution of CanonStager from approximately 700KB to 4KB between September and October 2025 indicates active\r\ndevelopment responding to detection challenges. 
This rapid iteration cycle suggests either dedicated development resources\r\nor access to broader Chinese state-sponsored malware development infrastructure supporting multiple operational groups.\r\nBroader Campaign Scope\r\nInfrastructure analysis and malware sample pivoting conducted by Arctic Wolf Labs and recently documented by\r\nStrikeReady researchers indicate this campaign extends beyond Hungarian and Belgian diplomatic targeting to encompass\r\nbroader European diplomatic entities, including Serbian government agencies, Italian diplomatic entities, Netherlands\r\ndiplomatic organizations, and likely additional targets not yet identified through available telemetry.\r\nThe breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale\r\ncoordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but\r\nindependent targeting. The consistency in tradecraft across disparate targets indicates centralized tool development and\r\noperational security standards even if execution is distributed across multiple teams.\r\nMitigation Recommendations\r\nOrganizations, particularly those in diplomatic and government sectors, should implement the following defensive measures\r\nto protect against UNC6384 operations and similar nation-state espionage campaigns.\r\nImmediate Actions\r\nAs there is no official patch for the ZDI-CAN-25373 vulnerability, block or restrict the use of .lnk files from\r\nquestionable sources by disabling their automatic resolution in Windows Explorer. This should\r\nbe put in place across all Windows systems, prioritizing endpoints used by personnel with access to sensitive diplomatic or\r\npolicy information. 
While this vulnerability was disclosed in March 2025, adoption by threat actors within months of\r\ndisclosure necessitates urgent monitoring and countermeasures.\r\nReview and block C2 infrastructure identified in this report, including racineupci[.]org, dorareco[.]net, naturadeco[.]net,\r\ncseconline[.]org, vnptgroup[.]it.com, and paquimetro[.]net at network perimeters and within web filtering solutions.\r\nImplement monitoring for attempted connections to these domains even after blocking, to identify potentially compromised\r\nsystems attempting C2 communication.\r\nConduct searches across endpoint environments for the presence of Canon printer assistant utilities (specifically\r\ncnmpaui.exe) in unusual locations including user AppData directories, especially when accompanied by cnmpaui.dll and\r\ncnmplog.dat files in the same directory. Investigate any instances of legitimate Canon printer binaries executing from non-standard installation directories.\r\nContinuous user education, such as general security awareness training, is one of the most important elements in preventing\r\nmalicious entities from obtaining access to your networks. Ensure all employees are aware of good cybersecurity hygiene\r\npractices, including training on spotting the typical red flags of a phishing attack, and consider implementing a Cyber Threat\r\nIntelligence (CTI) program in your organization.\r\nFor organizations without a dedicated security operations (SOC) team, Arctic Wolf® Managed Detection and Response\r\n(MDR) provides 24×7 monitoring of your networks, endpoints, and cloud environments to detect, respond to, and remediate\r\nmodern cyberattacks.\r\nConclusions\r\nThis UNC6384 campaign demonstrates the continued evolution and operational expansion of Chinese cyber espionage\r\ncapabilities targeting diplomatic entities. 
The threat actor’s rapid adoption of ZDI-CAN-25373 within six months of\r\ndisclosure illustrates sustained capability for vulnerability exploitation integration into operational tradecraft. The expansion\r\nfrom documented Southeast Asia targeting to European diplomatic entities indicates either broadened intelligence collection\r\nmandates or deployment of additional operational teams with geographic specialization while maintaining centralized tool\r\ndevelopment.\r\nThe campaign’s focus on European diplomatic entities involved in defense cooperation, cross-border policy coordination,\r\nand multilateral diplomatic frameworks aligns with PRC strategic intelligence requirements concerning European alliance\r\ncohesion, defense initiatives, and policy coordination mechanisms. Successful long-term compromise of diplomatic entities\r\nprovides strategic intelligence concerning policy development, negotiating positions, relationship dynamics within\r\nmultilateral frameworks, and early warning of policy shifts affecting Chinese interests.\r\nOrganizations in diplomatic and government sectors should implement the detailed mitigation recommendations provided in\r\nthis report, with priority focus on mitigating against ZDI-CAN-25373, blocking identified C2 infrastructure, enhancing\r\ndetection for DLL side-loading attacks, and conducting proactive threat hunting for indicators of historical compromise\r\ngiven the extended operational timeline characteristic of nation-state espionage campaigns.\r\nArctic Wolf remains committed to protecting customers from advanced persistent threats and will continue enhancing\r\ndetection capabilities as UNC6384 operations evolve.\r\nHow Arctic Wolf Protects Its Customers\r\nArctic Wolf is committed to ending cyber risk, and when active campaigns are identified, we move quickly to protect our\r\ncustomers. 
Arctic Wolf Labs has leveraged threat intelligence around UNC6384 activity to implement new detections in the\r\nArctic Wolf® Aurora™ Platform to protect customers.\r\nAs we discover new information, we will enhance our detections to account for additional IOCs and techniques leveraged by\r\nthe threat group behind this malicious activity.\r\nAPPENDIX\r\nIndicators of Compromise\r\nApplied Countermeasures\r\nYARA Rules:\r\nimport \"pe\"\r\nrule targeted_UNC6384_PlugX_2025 : extended description\r\n{\r\n meta:\r\n description = \"Detects PlugX RAT variant deployed by UNC6384 in 2025 European diplomatic targeting cam\r\n author = \"Arctic Wolf Labs\"\r\n distribution = \"TLP:GREEN\"\r\n version = \"1.0\"\r\n last_modified = \"2025-10-12\"\r\n hash1_md5 = \"dc1dba02ab1020e561166aee3ee8f5fb\"\r\n hash1_sha256 = \"3fe6443d464f170f13d7f484f37ca4bcae120d1007d13ed491f15427d9a7121f\"\r\n \r\n strings:\r\n $str1 = \"%allusersprofile%\\\\\" ascii wide\r\n $str2 = \"SecurityScan\" ascii wide\r\n $str3 = \"CanonPrinter\" ascii wide\r\n $str4 = {63 00 6D 00 64 00 2E 00 65 00 78 
00 65 00 20 00 2F 00 63 00 20 00 73 00 74 00 61 00 72 00}\r\n $str5 = {57 00 5C 00 5C 00 2E 00 5C 00 2A 00 3A 00}\r\n $str6 = {26 00 3D 00 25 00 53 00 25 00 63 00 74 00 3D 00 25 00 6C 00 64 00 25 00 53}\r\n \r\n condition:\r\n uint16(0) == 0x5a4d and\r\n filesize \u003c 1500KB and\r\n all of ($str*)\r\n}\r\nrule targeted_UNC6384_CanonStager_Loader: extended description\r\n{\r\n meta:\r\n description = \"Detects CanonStager DLL loader used for side-loading PlugX payload\"\r\n author = \"Arctic Wolf Labs\"\r\n distribution = \"TLP:GREEN\"\r\n version = \"1.0\"\r\n last_modified = \"2025-10-12\"\r\n hash1_sha256 = \"e53bc08e60af1a1672a18b242f714486ead62164dda66f32c64ddc11ffe3f0df\"\r\n \r\n strings:\r\n $str1 = \".dat\" wide\r\n $str2 = \"\\\\cnmplog\" wide\r\n \r\n // RC4 decryption loop patterns\r\n $code1 = {43 0F B6 ?? 0F B6 [3]00 D0 0F B6 ?? 8A 74 [2]88 74 [2]88 54 [2]8B 7? [2]02 54 [2]0F B6 ?? 0F\r\n $code2 = {0F B6 [3] 89 ?? 83 E? 0F 00 D0 02 ?? [1-2] 0F B6 ?? 8A 74 [2] 88 74 [2] 4? 88 54 [2]81 F? 00\r\n $code3 = {40 89 ?? 0F B6 C0 0F B6 [3]00 D9 88 9? [4-5]0F B6 F? 8A 7C 3? ?? 88 7C 0? ?? 88 5C 3? ?? 
02\r\n \r\n condition:\r\n uint16(0) == 0x5a4d and\r\n all of ($str*) and\r\n 2 of ($code*)\r\n}\r\nrule targeted_UNC6384_LNK_Exploitation: extended description\r\n{\r\n meta:\r\n description = \"Detects malicious LNK files exploiting ZDI-CAN-25373 to deploy UNC6384 payloads\"\r\n author = \"Arctic Wolf Labs\"\r\n distribution = \"TLP:GREEN\"\r\n version = \"1.0\"\r\n last_modified = \"2025-10-12\"\r\n \r\n strings:\r\n $lnk_header = {4C 00 00 00 01 14 02 00}\r\n $powershell = \"powershell\" nocase\r\n $tar_extract = \"tar\" nocase\r\n $cnmpaui = \"cnmpaui.exe\" nocase\r\n $temp_path = \"$Env:temp\" nocase ascii wide\r\n $readbytes = \"ReadAllBytes\" nocase\r\n \r\n condition:\r\n $lnk_header at 0 and\r\n filesize \u003c 10KB and\r\n $powershell and\r\n $tar_extract and\r\n ($cnmpaui or $temp_path) and\r\n $readbytes\r\n}\r\nDetailed MITRE ATT\u0026CK® Mapping\r\nTactic | Technique | Procedure | Evidence\r\nResource Development | T1587.001 – Develop Capabilities: Malware | Refinement of CanonStager from approx. 700KB in May to 4KB in October. | Comparisons of the CanonStager loader component between the sample documented by GTIG and samples found in early September and October 2025 indicate active development and refinement of the malware delivery mechanism.\r\nResource Development | T1608.001 – Stage Capabilities: Upload Malware | UNC6384 actors staged malware on their infrastructure for direct download onto compromised devices. | Observed delivery infrastructure used to deliver their payloads: mydownload.z29[.]web.core.windows[.]net, mydownloadfile[.]z7.web.core.windows[.]net, mydownfile[.]z11.web.core.windows[.]net, d32tpl7xt7175h[.]cloudfront[.]net\r\nInitial Access | T1566.001 – Phishing: Spearphishing Attachment | Delivery of malicious LNK files via targeted emails themed around diplomatic conferences and meetings. | LNK files: Agenda_Meeting 26 Sep Brussels.lnk, JATEC workshop lure, EPC invitation letter.\r\nInitial Access | T1189 – Drive-by Compromise | Captive portal hijacking redirecting browsers to malicious update pages (documented in Google research). | GTIG documentation of AitM attacks redirecting legitimate captive portal checks.\r\nExecution | T1059.001 – Command and Scripting Interpreter: PowerShell | LNK files execute obfuscated PowerShell commands to extract and decompress TAR archives. | PowerShell commands in LNK files extract rjnlzlkfe.ta and krnqdyvmlb.ta.\r\nExecution | T1059.001 – Command and Scripting Interpreter: JavaScript | JavaScript file delivers cnmpaui.exe, cnmpaui.dll and cnmpaui.dat. | The JavaScript facilitated payload CanonStager and PlugX retrieval from the same CloudFront-based C2.\r\nExecution | T1204.002 – User Execution: Malicious File | User opens LNK file disguised as conference agenda or policy document. | Diplomatic-themed file names leveraging authentic event details.\r\nExecution | T1106 – Native API | Both CanonStager and PlugX use dynamically resolved native API calls. | UNC6384 uses native API calls in CanonStager to load and execute the PlugX payload via EnumSystemGeoID. PlugX uses a variety of dynamically resolved APIs.\r\nExecution | T1129 – Shared Modules | LoadLibraryA is called by PlugX to load additional modules. | PlugX calls LoadLibraryA to load the following modules: advapi32.dll, Ws2_32.dll, User32.dll, Shell32.dll, Shlwapi.dll, Psapi.dll, Version.dll, Msvrt.dll, Winhttp.dll, Ole32.dll\r\nPersistence | T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Creation of registry Run key entries pointing to malware in AppData directories. | Registry key: Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CanonPrinter.\r\nDefense Evasion | T1574.002 – Hijack Execution Flow: DLL Side-Loading | Malicious DLL loaded by legitimate signed Canon printer assistant binary. | cnmpaui.exe (legitimate signed) loading malicious cnmpaui.dll.\r\nDefense Evasion | T1027 – Obfuscated Files or Information | RC4 encryption of PlugX payload, code obfuscation, control-flow flattening. | cnmplog.dat encrypted with 16-byte RC4 key, MSGInitialize implements control-flow flattening obfuscation.\r\nDefense Evasion | T1027.009 – Obfuscated Files or Information: Embedded Payloads | PlugX payload embedded within encrypted .dat file alongside legitimate binaries. | cnmplog.dat containing encrypted PlugX within TAR archive.\r\nDefense Evasion | T1055 – Process Injection | In-memory loading of PlugX payload into legitimate cnmpaui.exe process space. | Manual PE mapping and execution via EnumSystemGeoID callback.\r\nDefense Evasion | T1140 – Deobfuscate/Decode Files or Information | Runtime decryption of encrypted payload and strings. | RC4 decryption of cnmplog.dat, runtime string decryption in PlugX.\r\nDefense Evasion | T1036.005 – Masquerading: Match Legitimate Name or Location | Malware uses printer-related directory and file names mimicking legitimate software. | Directory names: SamsungDriver, DellSetupFiles; Registry value: CanonPrinter.\r\nDefense Evasion | T1218 – System Binary Proxy Execution | Execution through legitimate signed binary to evade application whitelisting. | Legitimate Canon cnmpaui.exe with valid expired certificate loading malicious DLL.\r\nDefense Evasion | T1497.001 – Virtualization/Sandbox Evasion: System Checks | CheckRemoteDebuggerPresent API calls to detect debugging environments. | API calls documented in malware analysis section.\r\nDefense Evasion | T1553.002 – Subvert Trust Controls: Code Signing | Use of legitimately signed binaries and stolen/expired code signing certificates. | Canon binary signed by Symantec Class 3, GTIG documented STATICPLUGIN signed by Chengdu Nuoxin Times Technology.\r\nDefense Evasion | T1562.001 – Impair Defenses: Disable or Modify Tools | Anti-debugging techniques and checks to prevent analysis. | CheckRemoteDebuggerPresent, anti-analysis obfuscation.\r\nDiscovery | T1082 – System Information Discovery | Collection of system information for C2 check-in and fingerprinting. | Initial C2 check-in with system fingerprint data in URL parameters.\r\nDiscovery | T1083 – File and Directory Discovery | Malware searches for and reads files in user profile directories. | PowerShell get-childitem commands, file system enumeration.\r\nDiscovery | T1057 – Process Discovery | Enumeration of running processes for anti-analysis and operational purposes. | Standard PlugX reconnaissance capabilities.\r\nDiscovery | T1012 – Query Registry | Registry queries for Internet Explorer version, proxy settings, and system configuration. | Registry queries: Software\\CLASSES\\ms-pu Value CLSID; Software\\Microsoft\\Windows\\CurrentVersion\\InternetSetting Value ProxyEnable, ProxyServer; Software\\Microsoft\\Internet Explorer\\Version Vector Value IE; Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\User Agent\\Post Platform; Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\User Agent\\Post Platform\r\nCommand and Control | T1071.001 – Application Layer Protocol: Web Protocols | HTTPS communication over port 443 for C2 traffic. | WinHttpConnect to C2 domains over port 443.\r\nCommand and Control | T1573.001 – Encrypted Channel: Symmetric Cryptography | HTTPS encryption of C2 communications. | TLS certificates on C2 domains, HTTPS protocol usage.\r\nCommand and Control | T1132.001 – Data Encoding: Standard Encoding | Encoding of C2 parameters and data in URL query strings. | URL parameters with encoded data: /download?t=1760103992\u0026LeQa=PKDugp\r\nCommand and Control | T1001.003 – Data Obfuscation: Protocol Impersonation | Impersonation of legitimate browser traffic through user agent strings. | User-Agent: Mozilla/5.0 (compatible; MSIE 9.0…).\r\nCommand and Control | T1105 – Ingress Tool Transfer | Download of additional payloads and tools from C2 infrastructure. | STATICPLUGIN downloading MSI packages, potential for additional tool deployment.\r\nExfiltration | T1041 – Exfiltration Over C2 Channel | Data exfiltration through established HTTPS C2 channels. | Standard PlugX exfiltration capabilities over C2 infrastructure.\r\nAbout Arctic Wolf Labs\r\nArctic Wolf Labs 
is a group of elite security researchers, data scientists, and security development engineers who explore\r\nsecurity topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat\r\ndetection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale,\r\nand detection efficacy of Arctic Wolf’s solution offerings.\r\nArctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security\r\ncommunity at large.\r\nSource: https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/"
	],
	"report_names": [
		"unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e09a03a6-ce6c-4f6b-b8c6-38c3edecd743",
			"created_at": "2026-01-20T02:00:03.665377Z",
			"updated_at": "2026-04-10T02:00:03.915084Z",
			"deleted_at": null,
			"main_name": "UNC6384",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6384",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434284,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f81680b4e46f787f341af8fbefff08de0e27455d.pdf",
		"text": "https://archive.orkl.eu/f81680b4e46f787f341af8fbefff08de0e27455d.txt",
		"img": "https://archive.orkl.eu/f81680b4e46f787f341af8fbefff08de0e27455d.jpg"
	}
}