{"id":224355,"date":"2025-11-01T01:09:58","date_gmt":"2025-11-01T06:09:58","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2025\/11\/china-linked-hackers-exploit-windows-shortcut-flaw-to-target-european-diplomats"},"modified":"2025-11-01T01:09:58","modified_gmt":"2025-11-01T06:09:58","slug":"china-linked-hackers-exploit-windows-shortcut-flaw-to-target-european-diplomats","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2025\/11\/china-linked-hackers-exploit-windows-shortcut-flaw-to-target-european-diplomats","title":{"rendered":"China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats"},"content":{"rendered":"<p style=\"padding-right: 20px\"><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/china-linked-hackers-exploit-windows-shortcut-flaw-to-target-european-diplomats2.jpg\"><\/a><\/p>\n<p>The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx\/\" rel=\"noopener\" target=\"_blank\">said<\/a> in a technical report published Thursday.<\/p>\n<p>\u201cThe attack chain begins with spear-phishing emails containing an embedded URL that is the first of several stages that lead to the delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events,\u201d the cybersecurity company said.<\/p>\n<p>The files are designed to exploit ZDI-CAN-25373 to trigger a multi-stage attack chain that culminates in the deployment of the <a href=\"https:\/\/redcanary.com\/threat-detection-report\/threats\/plugx\/\" rel=\"noopener\" target=\"_blank\">PlugX<\/a> malware using DLL side-loading. PlugX is a <a href=\"https:\/\/www.darktrace.com\/blog\/plugx-malware-a-rats-race-to-adapt-and-survive\" rel=\"noopener\" target=\"_blank\">remote access trojan<\/a> that\u2019s also referred to as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf said in a technical report published Thursday. \u201cThe attack chain begins with spear-phishing emails containing an embedded URL that is the first of several stages that lead to the delivery of malicious LNK files [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34,1490],"tags":[],"class_list":["post-224355","post","type-post","status-publish","format-standard","hentry","category-cybercrime-malcode","category-government"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/224355","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=224355"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/224355\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=224355"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=224355"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=224355"}],"curies":[{"name":"wp",
"href":"https:\/\/api.w.org\/{rel}","templated":true}]}}