A sophisticated cyberattack leveraging a Windows zero-day vulnerability has targeted European diplomatic institutions, raising concerns over the escalation of digital espionage and the urgent need for patching critical vulnerabilities.
A recent complex cyberattack has highlighted the expanding scope of global electronic espionage, as reports reveal that hackers exploited a critical Windows zero-day vulnerability to infiltrate devices belonging to European diplomats and sensitive government institutions. The attack leveraged a sharply targeted spear-phishing campaign disguised as official documents related to NATO and European Commission meetings. Upon opening these files, malicious code exploited the vulnerability to install remote access tools that granted hackers full control over the affected devices, allowing them to intercept diplomatic communications and exfiltrate confidential information.
According to technical analysis by cybersecurity researchers at Arctic Wolf Labs, the attacks were orchestrated by a Chinese state-backed hacking group known as Mustang Panda (UNC6384), which has a documented history of cyber espionage operations targeting government entities in East Asia. In the latest campaign, the group expanded its focus to diplomatic entities in several European countries, including Hungary, Belgium, Serbia, Italy, and the Netherlands. The attackers exploited CVE-2025-9491, a flaw in the Windows shortcut (LNK) file format that allows arbitrary code execution. This vulnerability was initially disclosed in March 2025 and has been actively exploited since 2017 by at least eleven state-sponsored hacking groups from countries such as North Korea, Iran, Russia, and China.
The spear-phishing emails contained malicious LNK files that masqueraded as documents linked to official diplomatic events, such as NATO defense procurement workshops and European Commission border facilitation meetings. When opened, these files deployed the PlugX remote access trojan (RAT), a malware tool that provides persistent and covert access to compromised systems. The attack’s sophistication included the use of social engineering tactics with authentic themes to increase the likelihood of victim interaction. Moreover, the malware was encrypted and only decrypted during the final stage of the attack, demonstrating advanced evasion techniques.
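As an added defensive example (not code from the article, Arctic Wolf, or any of the cited sources), the script below is a minimal MS-SHLLINK parser that pulls the COMMAND_LINE_ARGUMENTS field out of a .lnk and flags the pattern behind CVE-2025-9491, in which a long run of whitespace pushes the real command out of the shortcut's visible Target field, plus shortcuts whose target or arguments invoke a script interpreter. The padding threshold and the two sample shortcuts are constructed assumptions for testing, not captures from this campaign.

```python
import re
import struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK header CLSID, follows 4-byte HeaderSize
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
STRINGDATA = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
              (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))   # fixed on-disk order
WS_RUN = r"[ \t\r\n\x0b\x0c]+"       # whitespace classes usable as padding in COMMAND_LINE_ARGUMENTS
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
PAD_THRESHOLD = 32                   # assumption: longest whitespace run a benign shortcut would carry

def parse_lnk(data: bytes) -> dict:
    """Check the 0x4C-byte header, skip optional IDList/LinkInfo, then read the StringData fields."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    if flags & HAS_IDLIST:                       # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                     # LinkInfoSize covers the whole LinkInfo structure
        off += struct.unpack_from("<I", data, off)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, name in STRINGDATA:                 # CountCharacters (2 bytes) + string, no terminator
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0]
            fields[name] = data[off + 2:off + 2 + n * width].decode(codec)
            off += 2 + n * width
    return fields

def triage_lnk(data: bytes) -> list:
    """Return findings for one .lnk; an empty list means nothing suspicious was seen."""
    f = parse_lnk(data)
    args = f.get("arguments", "")
    findings = []
    longest_pad = max((len(m) for m in re.findall(WS_RUN, args)), default=0)
    if longest_pad >= PAD_THRESHOLD:             # padding pushes the real command out of the Target box
        findings.append(f"whitespace padding of {longest_pad} chars before '{args.strip()[:40]}'")
    if any(i in (f.get("relative_path", "") + " " + args).lower() for i in INTERPRETERS):
        findings.append("shortcut invokes a script interpreter or LOLBin")
    return findings

def build_sample_lnk(arguments: str, relative_path: str) -> bytes:
    """Constructed test fixture (not a real capture): header + RELATIVE_PATH + ARGUMENTS + TerminalBlock."""
    def sd(s):                                   # one Unicode StringData entry
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_RELPATH | HAS_ARGS | IS_UNICODE, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + sd(relative_path) + sd(arguments) + b"\x00\x00\x00\x00"
PADDED = build_sample_lnk(" " * 300 + '-w hidden -c "echo constructed-sample"',
                          "..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")
BENIGN = build_sample_lnk("--profile-directory=Default", "..\\..\\Program Files\\Browser\\browser.exe")
```

Running `triage_lnk` over a mail gateway's quarantined attachments or an endpoint's Downloads folder gives a cheap first-pass indicator; it does not replace inspecting the target binary itself.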
Despite the ongoing active exploitation of this vulnerability and the high-profile nature of the targets, Microsoft has not yet issued a definitive security patch to close the flaw. Reports indicate that the company categorized the vulnerability as “not meeting the bar for servicing” and declined to release an update after being presented with a proof-of-concept exploit by security researchers. This absence of a technical fix has raised significant concerns among cybersecurity experts, who warn that these attacks represent a new stage of “digital shadow wars”—cyber-espionage operations that target diplomatic missions ahead of sensitive summits and international meetings.
Industry analysts also suggest that the scale and coordination of the attacks imply either a large, well-organized intelligence operation or the deployment of multiple parallel teams using shared tools but targeting different countries. The consistency in tactics across the targeted nations indicates centralized development and operational security standards, likely managed at a high level within the threat actor's organization.
This ongoing campaign underlines both the geopolitical ramifications and the evolving technical complexity of cyber-espionage. It also exposes vulnerabilities in the cybersecurity posture of even the most sensitive international institutions, underscoring the urgent need for comprehensive threat mitigation strategies and prompt vendor response. As diplomatic relations increasingly rely on digital communication, the continued exploitation of unpatched vulnerabilities leaves critical government data at significant risk.
📌 Reference Map:
- Paragraph 1 – [1] Okaz, [2] BleepingComputer
- Paragraph 2 – [3] Arctic Wolf, [5] CyberNews
- Paragraph 3 – [2] BleepingComputer, [3] Arctic Wolf, [5] CyberNews
- Paragraph 4 – [4] BleepingComputer, [6] Ars Technica
- Paragraph 5 – [6] Ars Technica, [3] Arctic Wolf
- Paragraph 6 – [1] Okaz, [3] Arctic Wolf, [5] CyberNews
- Paragraph 7 – [1] Okaz, [2] BleepingComputer
Source: Fuse Wire Services