China-linked hackers target European diplomacy with malware
A hacking operation tied to China targeted diplomatic offices and government ministries across Europe during September and October, according to cybersecurity researchers at Arctic Wolf. The group, called UNC6384, sent emails with phony invitations to European Commission gatherings and NATO events; the emails contained dangerous links exploiting a Windows vulnerability labeled CVE-2025-9491. Victims in Hungary, Belgium, Italy, the Netherlands and Serbia opened files that installed PlugX malware, which lets attackers command infected machines, capture typed passwords and steal data.
The malicious software hides inside what appears to be legitimate Canon printer software through a method called DLL side-loading. Analysts noticed the attack code shrank from 700 kilobytes in early September to just four kilobytes by October, suggesting hackers refined their approach to avoid detection systems. Security experts connected UNC6384 to Mustang Panda, another Chinese espionage team known for campaigns against diplomatic targets throughout Europe and Asia.
Microsoft confirmed its Defender program can stop these intrusions while Smart App Control blocks harmful downloads. Researchers believe the offensive aims to gather intelligence about European defense partnerships and alliance coordination.

