UNC6384 Exploits Windows Zero-Day to Target European Diplomats
TL;DR
Chinese-linked group UNC6384 targets European diplomats with a Windows shortcut exploit to deploy PlugX malware. According to Arctic Wolf, the campaign leverages a Windows shortcut vulnerability and culminates in PlugX remote access trojan (RAT) deployment via DLL side-loading of signed Canon utilities.
Campaign Overview
UNC6384 blends social engineering with rapid vulnerability adoption. Spearphishing emails reference authentic diplomatic events to entice recipients into launching malicious LNK files. Exploitation of ZDI-CAN-25373 enables covert command execution through whitespace padding in the LNK COMMAND_LINE_ARGUMENTS structure.
Upon execution, the weaponized LNK invokes obfuscated PowerShell to decode and extract a .tar archive into %AppData%\Local\Temp, displays a legitimate PDF decoy, and runs a signed Canon printer assistant binary (cnmpaui.exe). UNC6384 then abuses Windows DLL search order to side-load a malicious cnmpaui.dll, which decrypts an RC4-protected blob (cnmplog.dat) and reflectively loads PlugX into the trusted Canon process. The resulting in-memory execution grants persistence, command execution, file operations, keylogging, and reconnaissance. Arctic Wolf researchers noted the samples showed the CanonStager loader shrinking from ~700 KB to ~4 KB between early September and October 2025, indicating active refactoring to reduce forensic footprint and evade detection.
Technical Analysis: Malicious LNK File
The attack chain initiates with a weaponized LNK file, delivered via spearphishing. The LNK file exploits ZDI-CAN-25373, allowing covert command execution via whitespace padding in the COMMAND_LINE_ARGUMENTS structure.
| Field | Value |
|---|---|
| Name | Agenda_Meeting 26 Sep Brussels.lnk |
| SHA-256 | 911cccd238fbfdb4babafc8d2582e80dcfa76469fa1ee27bbc5f4324d5fca539 |
| File Type | .lnk file |
| Size | 2.58KB |
Upon execution, the LNK file invokes PowerShell with an obfuscated command that decodes a tar archive named rjnlzlkfe.ta, saving it to the AppData\Local\Temp directory. The PowerShell command then extracts the archive with tar.exe -xvf and launches the contained cnmpaui.exe. Simultaneously, a decoy PDF is displayed showing the authentic agenda of a European Commission meeting scheduled for September 26, 2025, in Brussels.
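The whitespace-padding trick in COMMAND_LINE_ARGUMENTS is something a triage script can check for directly. The following is an added example, not code from Arctic Wolf's report: a minimal MS-SHLLINK StringData parser that pulls the arguments out of an LNK and flags a long run of whitespace; the 64-character threshold and the `build_test_lnk` helper (which builds a constructed header-plus-arguments file to exercise the parser) are assumptions, not values from the page.

```python
import re
import struct
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02  # LinkFlags bits, MS-SHLLINK 2.1.1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
HEADER_SIZE = 0x4C  # fixed 76-byte ShellLinkHeader
STRING_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)

def _read_string_data(buf, pos, unicode):
    """One StringData item: CountCharacters (2 bytes) followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    width = 2 if unicode else 1
    raw = buf[pos:pos + count * width]
    return raw.decode("utf-16-le" if unicode else "latin-1"), pos + count * width

def lnk_arguments(buf):
    """Return the COMMAND_LINE_ARGUMENTS string of an LNK, or None if the flag is unset."""
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLinkHeader")
    (flags,) = struct.unpack_from("<I", buf, 0x14)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip LinkTargetIDList: IDListSize (2 bytes) + items
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: LinkInfoSize counts the size field itself
        pos += struct.unpack_from("<I", buf, pos)[0]
    args = None
    for flag in STRING_ORDER:  # StringData items appear in this fixed order, only if flagged
        if flags & flag:
            value, pos = _read_string_data(buf, pos, bool(flags & IS_UNICODE))
            if flag == HAS_ARGUMENTS:
                args = value
    return args

def padded_arguments(buf, min_run=64):
    """Flag arguments hiding a long whitespace run; returns (flagged, longest_run, collapsed_args)."""
    args = lnk_arguments(buf)
    if args is None:
        return False, 0, None
    longest = max((len(run) for run in re.findall(r"\s+", args)), default=0)
    return longest >= min_run, longest, " ".join(args.split())

def build_test_lnk(args):
    """Constructed minimal LNK (header + arguments only) to exercise the parser offline."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    struct.pack_into("<I", header, 0x14, HAS_ARGUMENTS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

The collapsed arguments returned alongside the flag are what an analyst would actually read, since the padded form hides the tail of the command in the Windows properties dialog.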
DLL Side-Loading
The extracted tar archive contains three files that enable the attack chain through DLL side-loading, abusing the Windows DLL search order.
The primary executable is a legitimate Canon printer assistant utility (cnmpaui.exe) with a valid digital signature from Canon Inc.
| Field | Value |
|---|---|
| Name | cnmpaui.exe |
| SHA-256 | 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3 |
| File Type | PE32 executable |
| Size | 352.67KB |
| Certificate Issuer | Symantec Class 3 SHA256 Code Signing CA |
| Certificate Valid From | July 9, 2015 |
| Certificate Valid Until | April 19, 2018 (expired) |
When cnmpaui.exe executes, it searches for cnmpaui.dll in its current directory before checking system directories. The threat actor exploits this behavior by planting a malicious cnmpaui.dll in the same directory.
| Field | Value |
|---|---|
| Name | cnmpaui.dll |
| SHA-256 | e53bc08e60af1a1672a18b242f714486ead62164dda66f32c64ddc11ffe3f0df |
| File Type | PE32 DLL |
| Size | 4.00KB |
The malicious DLL functions as a lightweight loader designed to decrypt and execute the third file in the archive, cnmplog.dat, which contains the encrypted PlugX payload.
Encrypted Payload and In-Memory Execution
The cnmplog.dat file is an RC4-encrypted blob containing the PlugX malware. The malicious DLL decrypts this file using a hardcoded 16-byte RC4 key and loads the resulting PlugX payload directly into the address space of the legitimate cnmpaui.exe process.
| Field | Value |
|---|---|
| Name | cnmplog.dat |
| SHA-256 | c9128d72de407eede1dd741772b5edfd437e006a161eecfffdf27b2483b33fc7 |
| File Type | Encrypted blob |
| Size | 817.09KB |
| Encryption | RC4 with 16-byte hardcoded key |
| RC4 Key | eQkiwoiuDsvIPsmd |
This completes the deployment of PlugX malware running stealthily within a legitimate signed process.
PlugX Malware Analysis
PlugX is a Remote Access Trojan (RAT) first observed in 2008. It provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions.
- SHA-256: 3fe6443d464f170f13d7f484f37ca4bcae120d1007d13ed491f15427d9a7121f
- MD5: dc1dba02ab1020e561166aee3ee8f5fb
- Compilation Timestamp: Friday, September 5, 2025, 05:15:45 UTC
- File Type: x86 PE DLL
All PlugX variants observed in this campaign export the MSGInitialize function. The PE header of the decrypted DLL contains shellcode that invokes this export at a specific offset. Analysis reveals the exported MSGInitialize implements control-flow flattening by using a central dispatcher loop controlled by a state variable.
Beneath the obfuscation layer, MSGInitialize walks the Process Environment Block (PEB) and its Loader Data Table to enumerate loaded modules, hashing each module name and comparing the result against embedded constants. Once the target modules are identified, the same hashing algorithm is applied to the export names in those modules, and the hashes are compared against additional embedded constants to locate the APIs needed to load and map portable executable (PE) files into memory.
| Hash Value | API Function | Module |
|---|---|---|
| 0x8C394D89 | NtProtectVirtualMemory | ntdll.dll |
| 0xD33BCABD | NtAllocateVirtualMemory | ntdll.dll |
| 0x91AFCA54 | VirtualAlloc | kernel32.dll |
| 0x7946C61B | VirtualProtect | kernel32.dll |
| 0x7C0DFCAA | GetProcAddress | kernel32.dll |
| 0xEC0E4E8E | LoadLibraryA | kernel32.dll |
| 0xE54CC407 | LdrGetProcedureAddress | ntdll.dll |
| 0xEB6C8389 | RtlAnsiStringToUnicodeString | ntdll.dll |
| 0x7CC3283D | RtlInitAnsiString | ntdll.dll |
| 0x534C0AB8 | NtFlushInstructionCache | ntdll.dll |
| 0xB0988FE4 | LdrLoadDll | ntdll.dll |
Following API resolution, the code uses Reflective Code Loading to map the PE into memory and finalizes memory protections.
Anti-Analysis and Evasion Techniques
The malware implements extensive anti-analysis measures: heavy code obfuscation, multiple anti-debugging checks (e.g., CheckRemoteDebuggerPresent), and numerous strings that are stored encrypted and decrypted only at runtime. The control-flow flattening noted above, a central dispatcher loop driven by a state variable, is a pattern commonly associated with commercial obfuscators.
Persistence Mechanism
The malware creates a hidden directory in one of several possible locations within the user profile and copies all extracted files to maintain persistent access. The malware establishes persistence through registry modification, creating a value named “CanonPrinter” in the registry key Software\Microsoft\Windows\CurrentVersion\Run with the path set to the copied cnmpaui.exe location.
Each time the system launches, the directory name may change and all files are transferred to the new location, complicating forensic analysis and detection based on static file paths.
Command and Control Communication
Upon successful deployment, the malware establishes communication with C2 infrastructure using WinHTTP APIs.
![Debugger output showing WinHttp.WinHttpConnect call preparing connection to the threat actor’s C2 server, dorareco[.]net.](/wp-content/uploads/2025/10/unc6384-fig09b.png)
Image courtesy of Arctic Wolf
Initial check-in requests incorporate epoch timestamps and randomized URL parameters. The timestamp provides temporal context for the beacon, while the additional parameters likely convey victim system fingerprinting data.
Mitigation
To mitigate risks associated with this campaign, organizations should:
- Restrict or disable .lnk file execution from untrusted sources.
- Block known C2 domains and monitor DNS and web traffic for related connection attempts.
- Hunt for Canon binaries (cnmpaui.exe) running from non-standard directories, especially when paired with cnmpaui.dll or cnmplog.dat.
- Tighten DLL side-loading controls through application allow-listing and restricted DLL search paths.
- Enhance behavioral detections for reflective loading, RC4 decryption activity, and abnormal WinHTTP network behavior.
- Reinforce phishing awareness training, particularly during high-profile or politically sensitive events.
- Consider managed detection and response (MDR) for continuous monitoring and rapid containment if 24×7 security operations are unavailable.
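The hunting guidance above (Canon binaries outside their install directory, the PowerShell-to-tar.exe extraction step, and the CanonPrinter Run-key value) can be expressed as simple rules over endpoint telemetry. This is an added example, not a detection shipped by Arctic Wolf: the event schema, the assumed Canon install directories in `CANON_DIRS`, and the `SAMPLE_EVENTS` are all constructed for illustration.

```python
import ntpath

# Assumed standard install locations for the Canon utility; adjust to the fleet's real paths.
CANON_DIRS = (r"c:\program files\canon", r"c:\program files (x86)\canon")
RUN_KEY = r"software\microsoft\windows\currentversion\run"
SIDELOAD_FILES = {"cnmpaui.dll", "cnmplog.dat"}
TEMP_MARKER = "\\appdata\\local\\temp\\"


def _norm(path):
    return path.lower().replace("/", "\\")


def triage_events(events):
    """Return (severity, rule, detail) for events matching this campaign's host-side behaviour."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image, parent = _norm(ev["image"]), _norm(ev.get("parent", ""))
            name = ntpath.basename(image)
            if name == "cnmpaui.exe" and not image.startswith(CANON_DIRS):
                siblings = {ntpath.basename(_norm(p)) for p in ev.get("siblings", [])}
                severity = "high" if siblings & SIDELOAD_FILES else "medium"
                findings.append((severity, "cnmpaui.exe outside Canon install dir", image))
            elif (name == "tar.exe" and ntpath.basename(parent) == "powershell.exe"
                  and TEMP_MARKER in _norm(ev.get("cmdline", ""))):
                findings.append(("medium", "PowerShell extracting a tar archive in Temp", ev["cmdline"]))
        elif ev["type"] == "registry":
            key, data = _norm(ev["key"]), _norm(ev["data"])
            if key.endswith(RUN_KEY) and (ev["value"] == "CanonPrinter" or data.endswith("cnmpaui.exe")):
                findings.append(("high", "Run-key persistence for cnmpaui.exe", f"{ev['value']} -> {ev['data']}"))
    return findings


# Constructed sample telemetry (not real campaign data): one side-loaded chain plus one benign Canon launch.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\tar.exe", "parent": PS,
     "cmdline": r"tar.exe -xvf C:\Users\alice\AppData\Local\Temp\archive.tar"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\cnmpaui.exe", "parent": PS,
     "siblings": [r"C:\Users\alice\AppData\Local\Temp\cnmpaui.dll",
                  r"C:\Users\alice\AppData\Local\Temp\cnmplog.dat"]},
    {"type": "process", "image": r"C:\Program Files\Canon\Printer Assistant\cnmpaui.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "CanonPrinter", "data": r"C:\Users\alice\AppData\Roaming\x7fq2\cnmpaui.exe"},
]
```

The Run-key rule matches on either the value name or the target binary, since the report notes the directory name changes across reboots while the CanonPrinter value and cnmpaui.exe file name stay constant.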