UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities
 Arctic Wolf Labs has identified an active cyber espionage campaign by Chinese-affiliated threat actor UNC6384 targeting European diplomatic entities in Hungary, Belgium, and additional European nations during September and October 2025.
Key Findings:
- UNC6384 rapidly adopted the ZDI-CAN-25373 Windows vulnerability within six months of its March 2025 disclosure.
- This campaign targets Hungarian and Belgian diplomatic entities, with expansion across the broader European diplomatic community.
- Social engineering leverages diplomatic conference details including European Commission border facilitation meetings and NATO defense procurement workshops.
- The multi-stage attack chain employs DLL side-loading of legitimate signed Canon printer utilities.
- PlugX malware deployed via in-memory execution establishes a persistent remote-access capability within targeted environments, enabling covert intelligence collection.
- C2 infrastructure includes racineupci[.]org, dorareco[.]net, naturadeco[.]net, and additional domains.
- The CanonStager loader evolved from approximately 700KB to 4KB in size between September and October 2025, indicating active development.
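The C2 domains in the findings are published defanged (with `[.]`) so they cannot be clicked by accident. As an added example that is not part of the Arctic Wolf summary, the Python below refangs those indicators into a blocklist and sweeps a small set of constructed DNS query log lines (the log format, timestamps and client addresses are assumptions, not data from the report) for exact or subdomain matches, while rejecting look-alike names that a naive substring search would flag.

```python
import re
from typing import Iterable, List, Set, Tuple

# C2 domains exactly as published in the summary, still defanged with "[.]".
DEFANGED_C2_DOMAINS = [
    "racineupci[.]org",
    "dorareco[.]net",
    "naturadeco[.]net",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ("example[.]org", "hxxp://...") into a plain lowercase domain."""
    d = domain.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)          # hxxp:// and hxxps:// are common defanged schemes
    d = d.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return d.strip("./")                       # drop trailing path separators or a trailing dot


def build_blocklist(defanged: Iterable[str]) -> Set[str]:
    """Refang every indicator once so matching works on normalised names."""
    return {refang(d) for d in defanged}


def domain_matches(query: str, blocklist: Set[str]) -> bool:
    """True if the queried name equals an IoC or is a subdomain of one.

    The leading "." in the suffix check keeps "notracineupci.org" from matching
    "racineupci.org", and a name such as "naturadeco.net.example.internal"
    does not match either, because the IoC is not its suffix.
    """
    q = refang(query)
    return any(q == b or q.endswith("." + b) for b in blocklist)


# Constructed DNS log lines (assumed format, not from the report):
# "<timestamp> <client_ip> <queried_name> <record_type>"
SAMPLE_DNS_LOG = """\
2025-10-07T09:12:44Z 10.20.1.15 update.microsoft.com A
2025-10-07T09:13:02Z 10.20.1.15 cdn.racineupci.org A
2025-10-07T09:13:05Z 10.20.1.22 dorareco.net A
2025-10-07T09:14:11Z 10.20.1.30 naturadeco.net.example.internal A
2025-10-07T09:15:47Z 10.20.1.15 www.example.com AAAA
"""


def scan_dns_log(log_text: str, blocklist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, queried_name) for every query that hits the blocklist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                           # skip blank or malformed lines
        ts, client, qname = parts[0], parts[1], parts[2]
        if domain_matches(qname, blocklist):
            hits.append((ts, client, qname))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_C2_DOMAINS)
    for ts, client, qname in scan_dns_log(SAMPLE_DNS_LOG, bl):
        print(f"{ts} {client} queried listed C2 domain {qname}")
```

Only the second and third sample lines are reported: the subdomain `cdn.racineupci.org` matches because the IoC is a dot-delimited suffix, while the internal name that merely contains `naturadeco.net` in the middle does not. In production the same suffix check would be run against the resolver's query log or a passive DNS feed rather than an inline string.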
To read the complete article, see the original Arctic Wolf Labs post.
This post is licensed under CC BY 4.0 by the author.