A China-linked threat actor, identified as UNC6384 (also known as Mustang Panda), is actively exploiting a Windows zero-day vulnerability, CVE-2025-9491, in targeted attacks against European diplomatic entities. The campaign aims to conduct cyber espionage, monitoring communications and exfiltrating sensitive data from compromised systems. This activity highlights the ongoing risk posed by unpatched vulnerabilities in critical operating systems.
The cyber-espionage operation relies on spearphishing emails carrying malicious LNK files crafted to trigger the high-severity vulnerability. First observed against diplomatic entities in Hungary and Belgium, the campaign has since expanded to Serbian government agencies and to diplomatic organizations in Italy and the Netherlands, according to analysis by Arctic Wolf Labs and StrikeReady. Successful exploitation leads to deployment of the PlugX remote access trojan (RAT), which establishes persistence and facilitates data theft.
The attack chain begins with spearphishing emails, often themed around diplomatic events like NATO defense procurement workshops and European Commission meetings, as reported by BleepingComputer. Opening the malicious LNK file triggers the CVE-2025-9491 flaw, enabling arbitrary code execution. Arctic Wolf Labs assesses with high confidence that the campaign is attributable to UNC6384. Their attribution is based on multiple converging lines of evidence, including shared malware tooling, tactical procedures, targeting alignment, and infrastructure overlaps with previously documented operations.
CVE-2025-9491, also tracked as ZDI-CAN-25373, resides in the handling of Windows .LNK files. It allows an attacker to conceal malicious command-line arguments in the COMMAND_LINE_ARGUMENTS structure behind whitespace padding, so the arguments are not visible to a user inspecting the shortcut, and the hidden command runs when the file is opened. User interaction, namely opening the malicious file, is required for exploitation, but the social engineering used in the spearphishing lures significantly increases the likelihood of compromise.
Beyond UNC6384, Trend Micro threat analysts had previously reported in March 2025 that CVE-2025-9491 was already being widely exploited. At least eleven state-sponsored groups and cybercrime gangs were leveraging this vulnerability, including Evil Corp, APT43 (Kimsuky), Bitter, APT37, SideWinder, RedHotel, and Konni. These groups deployed diverse malware payloads such as Ursnif, Gh0st RAT, and Trickbot, as Trend Micro stated. This widespread exploitation underscores the severity and broad impact of the vulnerability.
As of this report, Microsoft has not released a security update to patch CVE-2025-9491, a fact Arctic Wolf Labs confirmed. In the absence of an official patch, network defenders are advised to implement mitigation strategies. Arctic Wolf Labs specifically recommends restricting or blocking the use of Windows .LNK files and blocking connections from identified command and control (C2) infrastructure associated with the campaign.
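The whitespace-padding trick described above is something a defender can check for directly, and it complements the blanket restriction on .LNK files recommended by Arctic Wolf Labs where that is not practical. The following Python script is an added example; it is not from the original article and is not Arctic Wolf's, StrikeReady's or Trend Micro's tooling. It walks the Shell Link binary format far enough to extract the COMMAND_LINE_ARGUMENTS string (skipping the LinkTargetIDList and LinkInfo blocks when present) and flags an unusually long run of whitespace. The set of padding characters and the run-length threshold are assumptions, and the shortcut it builds for itself is a constructed fixture with a harmless command, not a captured sample.

```python
import struct
from typing import Optional

# Shell Link header layout (MS-SHLLINK): fixed 76-byte header, CLSID, LinkFlags at 0x14
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Whitespace characters that do not render in the shortcut Properties dialog.
# The article does not list the characters used in the wild; this set is an
# assumption covering the usual C0 whitespace.
PAD_CHARS = frozenset(" \t\n\x0b\x0c\r")

# Longest run of whitespace tolerated in a legitimate command line (assumed).
PAD_RUN_THRESHOLD = 32


def _read_string(data: bytes, offset: int, unicode: bool) -> tuple[str, int]:
    """Read one StringData item: uint16 CountCharacters, then the characters."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    if unicode:
        raw = data[offset:offset + count * 2]
        return raw.decode("utf-16-le", errors="replace"), offset + count * 2
    raw = data[offset:offset + count]
    return raw.decode("cp1252", errors="replace"), offset + count


def extract_arguments(data: bytes) -> Optional[str]:
    """Walk the LNK structures and return COMMAND_LINE_ARGUMENTS.

    Returns None when the blob is not a Shell Link or carries no arguments.
    """
    if len(data) < HEADER_SIZE:
        return None
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        return None
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDList: uint16 size, then the items
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    if flags & HAS_LINK_INFO:                  # LinkInfo: uint32 size covers the whole block
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size
    unicode = bool(flags & IS_UNICODE)
    # StringData items appear in this fixed order, each only if its flag is set.
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS):
        if not flags & flag:
            continue
        value, offset = _read_string(data, offset, unicode)
        if flag == HAS_ARGUMENTS:
            return value
    return None


def longest_pad_run(s: str) -> int:
    """Length of the longest consecutive run of PAD_CHARS in s."""
    best = run = 0
    for ch in s:
        run = run + 1 if ch in PAD_CHARS else 0
        best = max(best, run)
    return best


def scan_lnk(data: bytes) -> dict:
    """Triage one LNK blob: padding statistics plus a suspicion verdict."""
    args = extract_arguments(data)
    if args is None:
        return {"arguments_present": False, "suspicious": False}
    pad_run = longest_pad_run(args)
    return {
        "arguments_present": True,
        "length": len(args),
        "pad_chars": sum(ch in PAD_CHARS for ch in args),
        "longest_pad_run": pad_run,
        "suspicious": pad_run >= PAD_RUN_THRESHOLD,
        # what remains once padding is stripped is what the dialog would have hidden
        "visible_command": args.strip("".join(PAD_CHARS)),
    }


def build_test_lnk(arguments: str) -> bytes:
    """Constructed fixture: a minimal Shell Link with only a COMMAND_LINE_ARGUMENTS item.

    Real shortcuts normally also carry a LinkTargetIDList; extract_arguments()
    skips that block when present, so the fixture omits it for brevity.
    """
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # remaining header fields zeroed
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


if __name__ == "__main__":
    padded = build_test_lnk(" " * 200 + "/c echo constructed-sample")
    normal = build_test_lnk("/c echo hello")
    for label, blob in (("padded", padded), ("normal", normal)):
        print(label, scan_lnk(blob))
```

To use it against real files, read each .LNK from a mail quarantine or file share with `open(path, "rb").read()` and pass the bytes to `scan_lnk()`; a hit is one where `longest_pad_run` is far above anything a legitimate shortcut needs, and `visible_command` shows the arguments the padding would have pushed out of view. The threshold is deliberately conservative; tune it against a sample of your own organisation's shortcuts before alerting on it.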
The active exploitation of CVE-2025-9491 by sophisticated threat actors continues to pose a significant risk to targeted organizations and highlights the persistent challenge of zero-day vulnerabilities in the current threat landscape.