Hidden in Plain Sight: How a Windows UI Flaw Enabled a Diplomatic PlugX Espionage Campaign

Executive Summary

Between mid-2025 and December 2025, a China-nexus threat actor tracked as UNC6384 conducted a sustained cyber-espionage campaign targeting European diplomatic and government entities, leveraging a newly disclosed Windows shortcut vulnerability, CVE-2025-9491. The campaign relied on UI spoofing within Windows LNK files to conceal malicious command-line arguments, allowing attackers to execute hidden PowerShell payloads while presenting shortcuts that appeared benign upon inspection.

The operation culminated in the deployment of PlugX, a long-standing remote access trojan favored by multiple Chinese state-aligned threat groups. The campaign demonstrates rapid operational adoption of newly disclosed vulnerabilities, mature tradecraft, and continued evolution of PlugX loaders toward smaller, stealthier components.

Confirmed victims include diplomatic and governmental personnel in Hungary, Belgium, Serbia, Italy, and the Netherlands, with lures themed around legitimate EU, NATO, and European Political Community meetings.


Threat Actor Context

UNC6384 has historically operated against Southeast Asian and East Asian government targets, including confirmed compromises of the Mongolian Ministry of Defense (August 2024) and the Communist Party of Vietnam (November 2024). Beginning in mid-2025, the actor expanded operations into Europe, aligning with broader Chinese intelligence priorities focused on EU policy, defense coordination, and diplomatic engagement.

The tooling, infrastructure overlap, and PlugX lineage align UNC6384 closely with activity clusters commonly attributed to Mustang Panda / Bronze President, though UNC6384 demonstrates a distinct loader evolution and targeting cadence.


Vulnerability Overview: CVE-2025-9491

CVE-2025-9491 (ZDI-CAN-25373) is a Windows UI misrepresentation vulnerability affecting how shortcut (.LNK) files display their target command lines. While the operating system correctly executes the full command, the Windows Properties dialog truncates or visually hides long argument strings when padded with whitespace.

Key Impact

Attackers can embed malicious commands hundreds of characters beyond the visible portion of the Target field. Even when users scroll through the field, the malicious content remains invisible, creating a false sense of safety.

In practice, victims inspecting the shortcut see only a legitimate binary such as:

C:\Windows\System32\conhost.exe

The command that actually runs, however, carries hidden PowerShell instructions appended after extensive whitespace padding.

Microsoft introduced a silent UI mitigation in November 2025 that reveals all characters, but it does not block execution or provide security warnings, leaving detection and prevention largely to defenders.
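As an added illustration (not code from the original report), the following Python parser reads the Shell Link StringData fields from a .lnk file and flags the whitespace-padded arguments this vulnerability relies on; the PAD_THRESHOLD value and the build_sample_lnk helper are assumptions used only to construct test input.

```python
import re
import struct

# Added example, not from the original report: a minimal Shell Link (.lnk)
# parser that recovers COMMAND_LINE_ARGUMENTS and flags the whitespace padding
# used to hide arguments from the Properties dialog (CVE-2025-9491).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
PAD_THRESHOLD = 100  # assumption: no benign shortcut pads its arguments this much
STRING_FIELDS = (("name", HAS_NAME), ("relpath", HAS_RELPATH), ("workdir", HAS_WORKDIR),
                 ("args", HAS_ARGS), ("icon", HAS_ICON))  # StringData order per MS-SHLLINK

def parse_lnk(data):
    """Return the StringData fields of a .lnk (name, relpath, workdir, args, icon)."""
    if len(data) < 76 or data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                    # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                      # LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfo: 4-byte size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:             # each: 2-byte char count, then chars
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1  # UTF-16LE when IsUnicode, else ANSI
        raw, pos = data[pos:pos + width * count], pos + width * count
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields

def assess_lnk(data):
    """Triage verdict: (suspicious, reason, hidden_tail) based on whitespace padding."""
    args = parse_lnk(data).get("args", "")
    longest = max((len(m) for m in re.findall(r"[ \t]+", args)), default=0)
    if longest >= PAD_THRESHOLD:
        tail = args.strip()
        return True, f"{longest}-char whitespace run conceals {len(tail)} chars", tail
    return False, "no abnormal padding", ""

def build_sample_lnk(args):
    """Construct a minimal Unicode .lnk carrying only an argument string (test data)."""
    header = b"L\x00\x00\x00" + LNK_CLSID + struct.pack("<I", HAS_ARGS | IS_UNICODE)
    header += b"\x00" * (76 - len(header))      # attributes, timestamps, etc. zeroed
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Run assess_lnk over shortcuts extracted from mail attachments or user profiles; a high verdict means the Properties dialog would have shown only the leading target while the tail ran.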


Initial Access: Spear-Phishing with Weaponized LNK Files

UNC6384 relied on highly targeted spear-phishing emails crafted around real diplomatic events, including:

  • European Commission border facilitation meetings
  • NATO Joint Arms Training and Evaluation Centre workshops
  • European Political Community summits
  • National aviation and flight training programs

Emails typically contained either a direct LNK attachment or a link to a compressed archive hosting the shortcut. Filenames were carefully chosen to mirror authentic documents, for example:

  • Agenda_Meeting 26 Sep Brussels.lnk
  • NAJU Plan Obuka OKTOBAR 2025.lnk

The LNK files used document icons (PDF/DOCX) to further reinforce legitimacy.


Infection Chain Overview

Stage 1: LNK Execution and Hidden PowerShell

When the victim double-clicks the shortcut, Windows executes the entire hidden command line, triggering an obfuscated PowerShell script. The script performs several actions in parallel:

  • Decodes and extracts an embedded TAR archive to %AppData%\Local\Temp
  • Drops and opens a decoy PDF containing legitimate meeting content
  • Initiates execution of a legitimate signed executable to begin the next stage

The decoy gives the victim the document they expected to open, so nothing looks out of place while the malicious activity proceeds unnoticed.


Stage 2: DLL Side-Loading via Signed Canon Binary

The extracted archive contains a classic three-component PlugX loader set:

  1. cnmpaui.exe
    A legitimate Canon printer assistant utility (352 KB), digitally signed by Canon Inc. The certificate has since expired, but the signature is still trusted because it carries a valid countersignature timestamp.
  2. cnmpaui.dll
    A small (≈4 KB) malicious loader DLL placed in the same directory.
  3. cnmplog.dat
    An RC4-encrypted PlugX payload blob (~818 KB).

When cnmpaui.exe launches, Windows follows the DLL search order and resolves cnmpaui.dll from the application's own directory before the system directories, so the malicious copy is loaded. Because the host process is a trusted, signed binary, this sidesteps signature-based defenses.


Stage 3: In-Memory PlugX Deployment

The malicious DLL decrypts cnmplog.dat using a hardcoded RC4 key:

eQkiwoiuDsvIPsmd

The payload undergoes multiple transformation layers:

  1. RC4 decryption
  2. XOR-based decoding
  3. LZNT1 decompression via RtlDecompressBuffer
  4. Reflective PE loading directly into memory

No final PlugX DLL is written to disk. The implant executes within the trusted Canon process context, employing control-flow flattening, hashed API resolution (ROR-13), and anti-analysis techniques.


Persistence and Post-Compromise Behavior

Persistence Mechanisms

PlugX establishes persistence via a registry Run key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: CanonPrinter
Value Data: <path>\cnmpaui.exe

Before persistence is set, the malware relocates itself into newly created hidden directories with deceptive names such as:

  • SamsungDriver
  • Intelnet
  • SecurityScan
  • VirtualFile
  • DellSetupFiles

The directory name often changes between executions, complicating forensic reconstruction.


Command and Control

PlugX communicates over HTTPS (TCP/443) using WinHTTP APIs. Traffic blends with normal browser activity and uses the following user agent:

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)

Beacon requests include epoch timestamps and randomized parameters. Common endpoints include:

  • /download
  • /settings
  • /profile
  • /bookmark

Observed C2 domains include:

  • racineupci[.]org
  • dorareco[.]net
  • naturadeco[.]net
  • cseconline[.]org
  • vnptgroup[.]it[.]com
  • paquimetro[.]net
  • d32tpl7xt7175h[.]cloudfront[.]net

PlugX Capabilities

Once established, the implant provides full remote access functionality, including:

  • Interactive command execution
  • File upload and download
  • Credential harvesting and keylogging
  • System and network reconnaissance
  • Screenshot capture
  • Lateral movement using harvested credentials
  • Anti-debugging and ETW/AMSI evasion in some variants

The observed PlugX sample (SHA-256: 3fe6443d464f170f13d7f484f37ca4bcae120d1007d13ed491f15427d9a7121f) aligns with modern “headless” PlugX builds designed exclusively for reflective loading.


Victimology

Confirmed or highly likely targets include:

  • Hungary – diplomatic entities tied to EU Commission border meetings
  • Belgium – defense procurement and NATO-aligned personnel
  • Serbia – government aviation and training departments
  • Italy – diplomatic participants in EPC Copenhagen summit
  • Netherlands – diplomatic organizations

The campaign reflects a clear intelligence-gathering focus rather than financial motivation.


Detection and Hunting Guidance

Defenders should prioritize the following indicators:

Host-Based

  • LNK files in user directories or email attachments referencing system binaries
  • explorer.exe spawning cmd.exe or powershell.exe with hidden or encoded arguments
  • cnmpaui.exe executing from %TEMP%, %APPDATA%, or hidden user directories
  • Presence of cnmpaui.dll and .dat payload files outside Program Files
  • New Run key entries referencing CanonPrinter or similar benign-looking names

Network-Based

  • HTTPS traffic to the listed C2 domains
  • WinHTTP-based connections following LNK execution
  • Legacy MSIE 9.0 user-agent strings on modern Windows systems

Mitigation and Defensive Recommendations

Immediate Actions

  • Block known C2 domains and monitor for connection attempts
  • Hunt for Canon printer utilities in non-standard locations
  • Remove registry persistence entries referencing CanonPrinter
  • Quarantine and analyze suspicious LNK files

Strategic Controls

  • Block or heavily restrict .lnk attachments at email gateways
  • Enable EDR rules for DLL side-loading from user-writable directories
  • Apply Microsoft updates and consider 0Patch micropatches where appropriate
  • Harden PowerShell via constrained language mode and AMSI enforcement
  • Conduct targeted phishing awareness training for diplomatic staff

1. SIGMA RULES (Host & Log-Based)


1.1 CVE-2025-9491 LNK UI Spoofing (Hidden Arguments)

title: CVE-2025-9491 LNK UI Spoofing with Hidden Command-Line Arguments
id: 9d1b7c12-7b0a-4c2a-9d9b-unc6384-lnk-ui
status: stable
description: >
  Detects execution of Windows LNK shortcuts exploiting CVE-2025-9491 by hiding
  malicious command-line arguments using excessive whitespace padding. Observed
  in UNC6384 PlugX campaigns targeting European diplomatic entities.
author: Threat Intelligence Team
date: 2025-12-01
references:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9491
tags:
  - attack.initial_access
  - attack.execution
  - attack.t1204.002
  - attack.t1059.001
  - attack.t1566.001
logsource:
  product: windows
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith: '\explorer.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\conhost.exe'
      - '\rundll32.exe'
  selection_cmdline:
    CommandLine|contains:
      - '-WindowStyle Hidden'
      - '-w hidden'
      - '-EncodedCommand'
      - 'IEX('
      - 'FromBase64String'
  condition: selection_parent and selection_child and selection_cmdline
falsepositives:
  - Rare administrative scripts launched directly from Explorer
  - Custom IT automation shortcuts (validate command length)
level: high

1.2 PlugX Canon DLL Side-Loading Detection

title: PlugX DLL Side-Loading via Canon cnmpaui.exe
id: 4e7d8c21-3a91-4bb7-b4b6-unc6384-canon-sideload
status: stable
description: >
  Detects DLL side-loading of malicious cnmpaui.dll by legitimate Canon cnmpaui.exe,
  a core execution technique used by UNC6384 to deploy PlugX payloads.
author: Threat Intelligence Team
date: 2025-12-01
tags:
  - attack.defense_evasion
  - attack.t1574.002
  - attack.t1036.005
  - attack.execution
logsource:
  product: windows
  category: image_load
detection:
  selection:
    ImageLoaded|endswith: '\cnmpaui.dll'
  filter_legitimate:
    Image|startswith:
      - 'C:\Program Files\Canon\'
      - 'C:\Program Files (x86)\Canon\'
  condition: selection and not filter_legitimate
falsepositives:
  - Non-standard Canon software installations (rare)
level: critical

1.3 PlugX Persistence – CanonPrinter Run Key

title: PlugX Persistence via CanonPrinter Registry Run Key
id: f2b1e99a-13ad-48f4-8c91-unc6384-canon-runkey
status: stable
description: >
  Detects PlugX persistence used by UNC6384 via registry Run key masquerading as
  Canon printer software.
author: Threat Intelligence Team
date: 2025-12-01
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  product: windows
  category: registry_set
detection:
  selection:
    TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run\CanonPrinter'
  condition: selection
falsepositives:
  - None observed
level: critical

2. YARA RULES (Files, Memory & LNK)


2.1 CVE-2025-9491 LNK UI Spoofing (Static)

rule LNK_CVE_2025_9491_UI_Spoofing_UNC6384
{
    meta:
        description = "Detects LNK files exploiting CVE-2025-9491 UI spoofing via whitespace padding"
        author = "Threat Intelligence Team"
        date = "2025-12-01"
        reference = "UNC6384 PlugX Campaign"
    strings:
        $lnk_header = { 4C 00 00 00 01 14 02 00 }
        // 16 consecutive spaces; LNK StringData is normally UTF-16LE, so match both encodings
        $spaces_a = { 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 }
        $spaces_w = { 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 }
        $ps = "powershell" ascii wide nocase
        $cmd = "cmd.exe" ascii wide nocase
        $hidden = "-w hidden" ascii wide nocase
        $b64 = "FromBase64String" ascii wide nocase
    condition:
        $lnk_header at 0 and
        (#spaces_a > 20 or #spaces_w > 20) and
        any of ($ps, $cmd) and
        any of ($hidden, $b64)
}

2.2 PlugX Canon Loader (DLL + RC4 Key)

rule PlugX_Canon_Loader_RC4_UNC6384
{
    meta:
        description = "Detects PlugX loader components using Canon cnmpaui side-loading"
        author = "Threat Intelligence Team"
        date = "2025-12-01"
    strings:
        $canon = "cnmpaui" ascii wide nocase
        $rc4key = "eQkiwoiuDsvIPsmd" ascii
        $ror13 = { C1 C8 0D }  // ror eax, 13 (API-hash loop); too common in benign code to match on alone
    condition:
        // the hardcoded RC4 key is the high-fidelity indicator; the other strings only corroborate it
        uint16(0) == 0x5A4D and $rc4key and ($canon or $ror13)
}

2.3 In-Memory PlugX Payload Detection

rule PlugX_Reflective_Loading_UNC6384
{
    meta:
        description = "Detects PlugX reflective PE loading and API hashing behavior"
        author = "Threat Intelligence Team"
        date = "2025-12-01"
        // low-fidelity hunting rule for memory-region scans: many benign modules contain
        // these imports and a ror 13 instruction, so confirm with process context
        // (e.g. the host is cnmpaui.exe) and the loader rule before acting
    strings:
        $virtualalloc = "VirtualAlloc" ascii
        $loadlib = "LoadLibraryA" ascii
        $getproc = "GetProcAddress" ascii
        $ror13 = { C1 C8 0D }
    condition:
        $ror13 and 2 of ($virtualalloc, $loadlib, $getproc)
}

3. EDR-SPECIFIC DETECTION (Operational Rules)


3.1 Microsoft Defender for Endpoint (Advanced Hunting – KQL)

DeviceProcessEvents
// =~ is case-insensitive; == would miss "Explorer.EXE" as logged on some hosts
| where InitiatingProcessFileName =~ "explorer.exe"
| where FileName in~ ("cmd.exe","powershell.exe","conhost.exe","rundll32.exe")
| where ProcessCommandLine has_any (
    "-w hidden",
    "-WindowStyle Hidden",
    "EncodedCommand",
    "FromBase64String",
    "IEX("
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName

3.2 Defender – Canon Side-Loading

DeviceImageLoadEvents
| where FileName =~ "cnmpaui.dll"
// exclude both legitimate Canon install roots, matching the Sigma rule above
| where not(FolderPath startswith @"C:\Program Files\Canon" or FolderPath startswith @"C:\Program Files (x86)\Canon")
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessFolderPath

3.3 CrowdStrike Falcon (Custom IOA – Logic)

IF
  ParentProcessName = explorer.exe
AND
  ProcessName IN (cmd.exe, powershell.exe, conhost.exe)
AND
  CommandLine CONTAINS ("-w hidden" OR "EncodedCommand" OR "FromBase64String")
THEN
  Trigger: High Severity Detection
  Tactic: Execution / Initial Access
  Technique: T1204.002

3.4 Elastic EDR (EQL)

process where event.type == "start" and
  process.parent.name == "explorer.exe" and
  process.name in ("cmd.exe", "powershell.exe", "conhost.exe") and
  process.command_line : ("*EncodedCommand*", "*-w hidden*", "*FromBase64String*")

3.5 Network EDR – PlugX C2 Pattern

Detect outbound HTTPS traffic (TCP/443) with:
- User-Agent containing "MSIE 9.0"
- URL paths: /download, /settings, /profile, /bookmark
- Destination domains: the C2 domains listed under Command and Control above, including the specific CloudFront distribution

Final Takeaway

This campaign highlights UNC6384’s continued operational maturity and its ability to rapidly integrate newly disclosed vulnerabilities into real-world espionage operations. By combining UI deception, trusted binary abuse, and memory-resident PlugX execution, the actor effectively bypassed traditional signature-based defenses and user scrutiny.

The evolution of PlugX loaders—from hundreds of kilobytes down to a few kilobytes—demonstrates ongoing investment in stealth and survivability, strongly suggesting continued activity beyond 2025.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.