China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats
Briefly

"The files are designed to exploit ZDI-CAN-25373 to trigger a multi-stage attack chain that culminates in the deployment of the PlugX malware using DLL side-loading. PlugX is a remote access trojan that's also referred to as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG. UNC6384 was the subject of a recent analysis by Google Threat Intelligence Group (GTIG), which described it as a cluster with tactical and tooling overlaps with a hacking group known as Mustang Panda."
"The threat actor has been observed delivering a memory-resident variant of PlugX called SOGU.SEC. The latest attack wave uses phishing emails with diplomatic lures to entice recipients into opening a bogus attachment that's designed to exploit ZDI-CAN-25373, a vulnerability that has been put to use by multiple threat actors as far back as 2017 to execute hidden malicious commands on a victim's machine. It's officially tracked as CVE-2025-9491 (CVSS score: 7.0)."
UNC6384 conducted spear-phishing campaigns against diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, and government agencies in Serbia during September–October 2025. Phishing emails contained embedded URLs that led to delivery of malicious .LNK shortcut files themed around European Commission meetings, NATO workshops, and multilateral diplomatic coordination. The LNK files exploit ZDI-CAN-25373 (CVE-2025-9491) to trigger a multi-stage chain culminating in PlugX deployment via DLL side-loading. Observed PlugX variants include a memory-resident SOGU.SEC. The vulnerability has been abused by multiple clusters since 2017.
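The digest above says the .LNK files "execute hidden malicious commands" but does not describe how the commands are hidden. ZDI-CAN-25373 / CVE-2025-9491 is publicly documented as a user-interface misrepresentation: the shortcut's COMMAND_LINE_ARGUMENTS string is padded with long runs of whitespace so that the Windows Properties dialog shows only an innocuous prefix while the real command line follows the padding. The script below is an added example, not code from The Hacker News or any of the cited researchers: it parses the MS-SHLLINK header and StringData section, extracts the arguments, and flags padding that would hide content. The two shortcut files it inspects are constructed in-memory by `build_lnk` (no real sample is used), and the thresholds `PAD_RUN_THRESHOLD` and `ARGS_LENGTH_THRESHOLD` are the author's own heuristics, not values from the advisory.

```python
import struct

# Shell link header constants from MS-SHLLINK (the constants are real; the sample files are constructed).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_DATA_ORDER = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)
PADDING_CHARS = " \t\r\n\x0b\x0c"
PAD_RUN_THRESHOLD = 32       # heuristic (assumption): no legitimate shortcut needs this much whitespace
ARGS_LENGTH_THRESHOLD = 260  # heuristic (assumption): far longer than the Properties dialog can display


def build_lnk(arguments, name=None):
    """Build a minimal Unicode .lnk containing only StringData (constructed test input, not a real sample)."""
    flags = HAS_ARGUMENTS | IS_UNICODE | (HAS_NAME if name is not None else 0)
    header = struct.pack("<I16sIIQQQIIIHHII",
                         LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20,        # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,     # CreationTime, AccessTime, WriteTime
                         0, 0,        # FileSize, IconIndex
                         1,           # ShowCommand: SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1, Reserved2, Reserved3

    def string_data(s):  # CountCharacters (u16) followed by UTF-16LE text, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(name) if name is not None else b""
    return header + body + string_data(arguments)


def parse_lnk(data):
    """Parse the ShellLinkHeader and StringData of a shell link; returns a dict of the fields found."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("missing shell link header")
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize (u32) includes the size field
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags, "show_command": show_command}
    for bit, key in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if unicode else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def assess_arguments(args):
    """Return findings describing whitespace padding that would hide the real command line."""
    findings = []
    longest, run, run_end = 0, 0, 0
    for i, ch in enumerate(args):
        run = run + 1 if ch in PADDING_CHARS else 0
        if run > longest:
            longest, run_end = run, i + 1
    if longest >= PAD_RUN_THRESHOLD:
        findings.append(f"whitespace run of {longest} characters in arguments")
        hidden = args[run_end:].strip()
        if hidden:
            findings.append(f"content after padding: {hidden[:80]!r}")
    if len(args) > ARGS_LENGTH_THRESHOLD:
        findings.append(f"arguments length {len(args)} exceeds {ARGS_LENGTH_THRESHOLD}")
    return findings


def scan_lnk(data):
    """Parse one .lnk blob and report whether its arguments look padded."""
    args = parse_lnk(data).get("arguments", "")
    findings = assess_arguments(args)
    return {"arguments": args, "findings": findings, "suspicious": bool(findings)}


# Constructed samples: a plain shortcut and one whose visible prefix is followed by 300 spaces.
BENIGN_LNK = build_lnk("/c echo agenda", name="Meeting agenda")
PADDED_LNK = build_lnk("/c start agenda.docx" + " " * 300 + "& stage2_placeholder.exe", name="Meeting agenda")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        result = scan_lnk(blob)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

To run it against a mail gateway quarantine or a forensic image, read each `.lnk` file's bytes and pass them to `scan_lnk`; the parser skips the LinkTargetIDList and LinkInfo sections by their size fields, so shortcuts with full target metadata are handled the same way. Because the hidden part is only reachable by parsing the raw arguments, this check belongs in automated triage rather than in a user looking at the Properties dialog.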
Read at The Hacker News