The spear-phishing campaign uses fake European Commission and NATO-themed lures to trick diplomatic personnel into clicking malicious links.

October 31, 2025 By Kristina Beek
UNC6384, a China-linked threat actor, has been targeting European diplomatic entities in Hungary and Belgium in a cyber-espionage campaign since September.
The group incorporated the exploitation of CVE-2025-9491, a high-severity Windows vulnerability, in its attacks, alongside what Arctic Wolf researchers are referring to as "refined social engineering."
The researchers note that the group's willingness to use vulnerabilities that are publicly known and have been actively exploited by multiple nation-state actors indicates that the group is confident in its success even with increased defender awareness.
The attack chain starts with spear-phishing emails containing a URL that ultimately delivers malicious LNK files. These files are meant to imitate European Commission meetings, as well as NATO-related workshops and diplomatic events, with authentic details designed to lure targeted individuals.