At least one Belgian diplomat
October 31, 2025
•[ cyber-espionage, spear-phishing, vulnerability ]
Arctic Wolf Labs and other researchers detailed a Chinese state-aligned cyber-espionage campaign in which UNC6384 targeted European diplomatic entities, notably in Hungary and Belgium, between September and October 2025. The group sent spear-phishing emails referencing real EU and NATO events that carried malicious Windows shortcut (.LNK) files exploiting ZDI-CAN-25373 (CVE-2025-9491), a UI-misrepresentation flaw in which whitespace padding keeps the shortcut's real command-line arguments out of the Windows properties dialog, to execute obfuscated PowerShell, unpack a signed Canon utility and side-load a PlugX remote access trojan. The resulting implants, communicating over HTTPS to attacker-controlled domains, provide long-term access for reconnaissance, keylogging, command execution and collection of sensitive diplomatic documents and credentials aligned with PRC strategic intelligence priorities.
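The .LNK trick described above (and reused in the Hungarian and Belgian entries below) is detectable statically: the shortcut's COMMAND_LINE_ARGUMENTS string is padded with hundreds of space, tab, CR, LF, vertical-tab or form-feed characters so the visible part of the dialog is blank. The following is an added example, not code from the page or from Arctic Wolf Labs: a minimal parser for the MS-SHLLINK StringData section that pulls out the arguments and flags abnormally long whitespace runs. The two sample shortcuts are constructed in-line by `build_lnk` (a hypothetical helper, not a real tool), the PowerShell argument text is a placeholder fixture, and the 64-character `pad_threshold` is an assumption to tune against your own benign shortcut population.

```python
import re
import struct
import uuid

# Constants from MS-SHLLINK (the Windows shell link binary format).
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData entries appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
# Whitespace characters used to push the real command out of the dialog's view.
PAD_CHARS = " \t\n\x0b\x0c\r"
PAD_RUN = re.compile("[%s]+" % re.escape(PAD_CHARS))


def _read_string(buf, off, unicode_strings):
    """Read one StringData entry: uint16 CountCharacters, then the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode_strings:
        raw = buf[off:off + 2 * count]
        return raw.decode("utf-16-le"), off + 2 * count
    raw = buf[off:off + count]
    return raw.decode("cp1252", "replace"), off + count


def parse_lnk(data):
    """Return the StringData fields of a .LNK, skipping the ID list and LinkInfo."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=bytes(data[4:20])) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    (flags,) = struct.unpack_from("<I", data, 20)
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:      # uint16 IDListSize, then the items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # uint32 LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return fields


def assess_lnk(data, pad_threshold=64):
    """Flag argument padding of the kind used to hide the command from the UI."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    runs = [len(m.group(0)) for m in PAD_RUN.finditer(args)]
    longest = max(runs) if runs else 0
    return {
        "target": fields.get("relative_path", ""),
        "arguments_len": len(args),
        "longest_pad_run": longest,
        "padded": longest >= pad_threshold,  # assumed threshold; tune locally
        "command": args.strip(PAD_CHARS),    # what the properties dialog hides
    }


def build_lnk(relative_path, arguments):
    """Construct a minimal Unicode .LNK (header, two strings, terminal block)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = (
        struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack("<I", flags)
        + struct.pack("<I", 0x20)            # FileAttributes: ARCHIVE
        + b"\x00" * 24                       # creation/access/write FILETIMEs
        + struct.pack("<IiIH", 0, 0, 1, 0)   # FileSize, IconIndex, ShowCommand, HotKey
        + b"\x00" * 10                       # Reserved1/2/3
    )

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s(arguments) + struct.pack("<I", 0)


# Constructed fixtures: a normal shortcut and one padded the ZDI-CAN-25373 way.
BENIGN = build_lnk(".\\notes.txt", "/open")
PADDED = build_lnk(
    "..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    " " * 900 + "\t\r\n" * 20 + "-w hidden -ep bypass -File .\\stage1.ps1",
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, assess_lnk(blob))
```

Run it over real attachments with `assess_lnk(open(path, "rb").read())`; anything whose `padded` flag is set, or whose hidden `command` names powershell.exe, cmd.exe or mshta.exe, deserves a look regardless of what the shortcut's icon claims.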
Serbian Civil Aviation Directorate
October 17, 2025
•[ cyber-espionage, phishing, malware ]
A cyber-espionage campaign linked to suspected Chinese threat actors compromised application servers at Serbia's Civil Aviation Directorate. Attackers used phishing emails to deploy Sogu (the backdoor also tracked as PlugX and Korplug), gaining persistent access for intelligence collection. No operational disruption was reported.
Undisclosed Hungarian Diplomatic Entities
September 1, 2025
•[ cyber-espionage, phishing, malware ]
China-linked UNC6384 conducted a cyber-espionage campaign beginning September 2025 against Hungarian diplomatic entities, using EU/NATO-themed phishing emails with malicious .LNK attachments that exploit ZDI-CAN-25373 to deploy PlugX via DLL side-loading. Arctic Wolf Labs attributed the activity to UNC6384.
Undisclosed Belgian Diplomatic Entities
September 1, 2025
•[ cyber-espionage, phishing, malware ]
China-linked UNC6384 conducted a cyber-espionage campaign beginning September 2025 against Belgian diplomatic entities, using EU/NATO-themed phishing emails with malicious .LNK attachments that exploit ZDI-CAN-25373 to deploy PlugX via DLL side-loading. Arctic Wolf Labs attributed the activity to UNC6384.
Kurdish Government and Media Institutions
May 15, 2025
•[ cyber-espionage, phishing, data leak ]
Iran-linked threat actor MuddyWater (attributed to Iran's MOIS) conducted cyber-espionage operations against Kurdish government and media infrastructure in Iraq during May–June 2025, using phishing and web shells to steal credentials and internal documents; reported June 25, 2025.
Arab Civil Aviation Organization (ACAO)
February 4, 2024
•[ sql injection, data leak, cyber-espionage ]
Threat actors exploited a vulnerable web application belonging to the Arab Civil Aviation Organization via SQL injection, exfiltrating staff and member credentials and communications. The stolen data, published on dark-web forums on February 4, 2024, was identified by Resecurity, which assessed the activity as part of a cyber-espionage campaign targeting aviation-safety specialists across multiple Arab states.