Diplomatic Spies: Chinese APT UNC6384 Targets NATO Hosts with PlugX Malware
In September and October, researchers at Arctic Wolf Labs uncovered a new wave of cyber-espionage targeting the diplomatic institutions of Hungary and Belgium. According to their findings, the campaign was run by the Chinese threat group UNC6384, a cluster previously documented by Google's threat intelligence team. Back in August, Google had reported activity by the same group against diplomats in Southeast Asia; its lures have included forged documents mimicking the official agendas of European Council meetings.
The Arctic Wolf investigation found that the attacks on European agencies began with spear-phishing emails themed around European Commission meetings, NATO seminars, and international diplomatic conferences. Links in these messages led to a multi-stage delivery chain disguised as legitimate event materials, which ultimately ran the malicious payload on the recipient's system.
Beyond Hungary and Belgium, the group also targeted Serbian government entities connected to aviation, as well as the diplomatic missions of Italy and the Netherlands. Judging by the subjects of the forged documents, the attackers focused on cross-border policy, defense cooperation, and security coordination. Belgian institutions were of particular interest because the country hosts NATO headquarters and numerous EU bodies, making them a valuable source of intelligence on alliance policy and pan-European decision-making.
According to Arctic Wolf, the expansion of UNC6384’s campaign against European diplomatic infrastructures may signal either an enlarged operational mandate or the involvement of regional subunits specializing in local targets. Nevertheless, the consistent tools and methodologies observed across nations suggest centralized development and coordinated distribution of espionage software among field teams.
At the core of the campaign was the abuse of a Windows shortcut (.LNK) handling flaw, disclosed by Trend Micro's Zero Day Initiative in March 2025 as ZDI-CAN-25373. The shortcut's command-line arguments are padded with large runs of whitespace, so the Windows Properties dialog shows an apparently empty target while the hidden tail of the string still runs. The weaponized shortcuts launched PowerShell commands that staged PlugX, a well-known remote access tool long associated with Chinese cyber-espionage operations. Arctic Wolf described this as a "tactical evolution" of the group, combining a fresh exploitation technique with more polished social engineering.
The researchers noted that Trend Micro had already reported the same flaw being exploited as a zero-day by multiple state-linked actors from China, Iran, North Korea, and Russia, who used it for data theft and reconnaissance. Microsoft initially declined to ship a fix, so defenders cannot rely on a patch and must inspect the shortcut files themselves. In the case of UNC6384, Arctic Wolf argues that adopting the technique within roughly six months of public disclosure points to systematic monitoring of security advisories, or possibly to access to vulnerability information before it becomes public.
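Because the padding trick lives entirely inside the .LNK file, it can be caught by parsing the shortcut and looking at the raw COMMAND_LINE_ARGUMENTS string rather than trusting what Explorer displays. The following Python is an added example, written for this page and not code from Arctic Wolf or Trend Micro: it implements a minimal MS-SHLLINK parser (header, optional IDList and LinkInfo skipped, then the StringData fields), flags shortcuts whose arguments begin with a long whitespace run or contain line breaks, and builds two constructed sample shortcuts (a benign one and a padded one with a hypothetical PowerShell command) so that it runs offline. The `build_lnk` helper emits only the fields this parser needs and is not a general .LNK writer; the 64-character threshold is an assumption to tune against your own baseline.

```python
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1) that this parser needs.
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Whitespace an attacker can pad COMMAND_LINE_ARGUMENTS with; the Properties
# dialog renders none of it, which is the ZDI-CAN-25373 trick.
PAD_CHARS = " \t\n\x0b\x0c\r"


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a ShellLink file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLink header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDList: 2-byte size + body
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                # skip LinkInfo: size includes itself
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    strings = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            strings[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            strings[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return {"flags": flags, "strings": strings}


def check_lnk(data: bytes, pad_threshold: int = 64) -> dict:
    """Flag shortcuts whose arguments are hidden behind whitespace padding."""
    args = parse_lnk(data)["strings"].get("arguments", "")
    leading_pad = len(args) - len(args.lstrip(PAD_CHARS))
    # Line breaks never belong in a legitimate argument string.
    control_chars = any(c in "\n\r\x0b\x0c" for c in args)
    return {
        "leading_pad": leading_pad,
        "control_chars": control_chars,
        "suspicious": leading_pad >= pad_threshold or control_chars,
        "hidden_args": args.strip(PAD_CHARS),
    }


def build_lnk(arguments: str) -> bytes:
    """Construct a minimal .lnk: header plus COMMAND_LINE_ARGUMENTS only (sample input)."""
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))   # remaining header fields zeroed
    encoded = arguments.encode("utf-16-le")
    return header + struct.pack("<H", len(encoded) // 2) + encoded


# Constructed samples for this example, not real campaign artifacts.
BENIGN_LNK = build_lnk("/k echo hello")
HIDDEN_CMD = '/c powershell -WindowStyle Hidden -File "C:\\Users\\Public\\stage.ps1"'
PADDED_LNK = build_lnk(" " * 300 + "\r\n" + HIDDEN_CMD)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, check_lnk(blob))
```

Run it against a directory of quarantined shortcuts by reading each file into `check_lnk`; anything with `suspicious` set deserves a look at `hidden_args`, which is the command the user would never have seen in the Properties dialog. The parser stops after StringData, so trailing ExtraData blocks are ignored, which is fine for this check.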
The PlugX build used in these attacks provides persistent access, surveillance of diplomatic communications and calendars, document exfiltration, and credential theft for lateral movement. Known since 2008, PlugX remains under active development and has spawned variants such as Korplug, TIGERPLUG, and SOGU. The latest samples, compiled only months before the campaign, retain the classic espionage feature set of keylogging, file transfer, and process monitoring while leaving a markedly smaller forensic footprint, which complicates detection and analysis.
Arctic Wolf links UNC6384 to the well-known Mustang Panda group, citing overlapping infrastructure, tooling, and target profiles; PlugX has long been one of Mustang Panda's hallmark implants. In January 2025, the U.S. Department of Justice coordinated an operation that removed PlugX from over 4,000 American systems, disrupting a global Mustang Panda campaign that had infected around 100,000 computers across 170 countries. Victims included the African Union, telecom operators, Asian heads of state, the President of Myanmar, and the Indonesian intelligence service.