UNC6384 Actors Exploited Windows LNK 0-Day Flaw (CVE-2025-9491) to Deploy PlugX Malware


CVE-2025-9491 is a remote code execution (RCE) vulnerability affecting Microsoft Windows. It arises from the way Windows displays LNK (shortcut) file properties, enabling attackers to hide malicious commands from user view. First reported by Trend Micro’s Zero Day Initiative (ZDI) as ZDI-CAN-25373, it has been actively exploited in the wild in espionage campaigns by Chinese APT group UNC6384, targeting European diplomatic entities.

Severity: High

Vulnerability Details

  • CVE ID: CVE-2025-9491
  • CVSS Score: 7.0
  • Name/Type: Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability.
  • Root Cause: .LNK files can carry command lines of up to about 32k characters, but the Target field in the Windows Properties dialog shows only roughly the first 260, so whitespace or other padding can push the malicious part of the command out of view.
  • User Misrepresentation: Even IT-savvy users may believe they are executing a harmless command, because only the visible prefix of the Target string is shown.
  • Attack Vector: Requires user interaction: the victim opens a malicious .LNK file, typically delivered via spearphishing inside a .zip archive.
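As an added, defender-side example (not code from this advisory or from any of the cited vendors), the following Python walks a Shell Link file to its StringData section as laid out in the MS-SHLLINK format and flags shortcuts whose COMMAND_LINE_ARGUMENTS run past the roughly 260 characters the Properties dialog displays, or contain a long whitespace run used to hide the tail of the command. The 260- and 20-character thresholds and the minimal sample builder are assumptions made here for illustration.

```python
import re
import struct

HAS_LINK_TARGET_ID_LIST = 0x01   # LinkFlags bits from the MS-SHLLINK Shell Link binary format
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
VISIBLE_LIMIT = 260                   # assumed: roughly what the Properties dialog shows of the Target field
PADDING_RUN = re.compile(r"\s{20,}")  # assumed: whitespace run long enough to push the real command out of view
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))

def parse_lnk_strings(data: bytes) -> dict:
    """Walk a .LNK file to its StringData section and return the string fields that are present."""
    header_size, = struct.unpack_from("<I", data, 0)
    flags, = struct.unpack_from("<I", data, 20)
    off = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip LinkTargetIDList (IDListSize + items)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # skip LinkInfo (self-sized structure)
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    width = 2 if flags & IS_UNICODE else 1         # UTF-16LE or single-byte code page characters
    for bit, name in STRING_FIELDS:                # each field: CountCharacters, then the characters
        if flags & bit:
            count, = struct.unpack_from("<H", data, off)
            off += 2
            fields[name] = data[off:off + count * width].decode("utf-16-le" if width == 2 else "latin-1")
            off += count * width
    return fields

def assess_lnk(data: bytes) -> list:
    """Return reasons the shortcut fits the CVE-2025-9491 lure pattern (empty list if it does not)."""
    args = parse_lnk_strings(data).get("arguments", "")
    reasons = []
    if len(args) > VISIBLE_LIMIT:
        reasons.append(f"arguments are {len(args)} chars; Properties shows only ~{VISIBLE_LIMIT}")
    if PADDING_RUN.search(args):
        reasons.append("arguments contain a long whitespace run that hides the tail of the command")
    return reasons

def build_sample_lnk(arguments: str) -> bytes:
    """Construct a minimal Unicode .LNK (76-byte header + COMMAND_LINE_ARGUMENTS) for offline testing."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # LinkCLSID 00021401-0000-0000-C000-000000000046
    header = struct.pack("<I", 76) + clsid + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE) + bytes(52)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Run `assess_lnk(open(path, "rb").read())` over shortcuts extracted from mail attachments; a non-empty result is worth a closer look even when the visible Target looks benign.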

Real-World Exploitation

  • Threat Actor: Chinese-affiliated APT group UNC6384, related to Mustang Panda / TEMP.Hex.
  • Campaign Scope:
    • Countries Targeted: Hungary, Belgium, Serbia, Italy, Netherlands
    • Sectors Targeted: Diplomatic, Government
    • Timeframe: September – October 2025
  • Malware Used: PlugX (SOGU.SEC variant), delivered via multi-stage LNK chain involving DLL side-loading through legitimate Canon printer utilities.

Exploitation Flow

  • Attacker sends .zip archive with .LNK file themed around legitimate documents.
  • User opens the .LNK file, seeing only a truncated/benign-looking command.
  • Execution triggers obfuscated PowerShell, downloading a .tar containing:
    • Canon utility EXE (legitimate signed binary),
    • Malicious DLL (sideloaded by the EXE),
    • RC4-encrypted PlugX payload (cnmplog.dat)
  • The PlugX RAT runs in-memory to evade detection.
  • Persistence is set via HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

Microsoft And 0patch Responses

  • Microsoft initially responded that the issue “does not meet the servicing bar”; it later fixed the UI silently in the November 2025 update so that the full target string is displayed.
  • 0patch created a micropatch to block execution of .LNK files with targets >260 characters in Explorer.

Recommendations

  1. Ensure all Windows systems are fully updated. The vulnerability was reportedly patched silently in the November 2025 Windows Updates to force the full command to be visible in the LNK properties, mitigating the UI deception technique.
  2. For legacy or unsupported systems, users can utilize 0patch’s micropatch that blocks .LNK files with Target fields >260 characters from executing in Windows Explorer.
  3. Disable Windows Explorer’s LNK resolution in Group Policy where not needed (especially on high-risk systems).
  4. Monitor PowerShell execution triggered from .LNK files – especially those using obfuscation or downloading remote payloads.
  5. Inspect outbound traffic for unusual WinHTTP-based requests using:
    • Suspicious user agents (e.g., Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729))
    • Epoch-based URL parameters:
      /download?t=1760103992&LeQa=PKDugp&VE=ZY6tyOYZWNxK2a
      /settings?t=1760106491&D=XAl0cJ&WB=qKVsKW7KF&xRcH=dQ3SFEgr0v&78=dAi0sahua
  6. Utilize Windows Defender Application Control (WDAC) or AppLocker policies to prevent or restrict the execution of files from untrusted or temporary locations (like the Downloads or Temp folders), as these are common staging areas for malware delivered via LNK files.
  7. Enforce MFA across all services. If credentials are stolen by PlugX, MFA acts as a critical barrier to lateral movement and further compromise.
  8. Quarantine or detonate in a sandbox any .lnk, .hta, .url, .vbs, .js, .ps1, or suspicious archive delivered over email. Apply URL rewriting and detonation for links pointing to executable or script-like content. Block password-protected archives unless business-justified.
  9. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/edcc19524f13d5273d118780b4d8fc2aa5bc087f7439b5d08403f18247cd3923/iocs

Source:

  • https://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html
  • https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/
  • https://msrc.microsoft.com/update-guide/advisory/ADV25258226
  • https://www.zerodayinitiative.com/advisories/ZDI-25-148/
  • https://www.cyberbit.com/campaign/cve-2025-9491/
