Mitigation: In the absence of a patch, organizations worried about .LNK attacks should consider blocking .LNK files or disabling their execution in Windows Explorer, Arctic Wolf advised. “This should be put in place across all Windows systems, prioritizing endpoints used by personnel with access to sensitive diplomatic or policy information. While this vulnerability was disclosed in March 2025, adoption by threat actors within months of disclosure necessitates urgent monitoring and countermeasures,” it said.

Organizations could also block the command and control (C2) domains used by attackers, although these will change over time. In addition, Arctic Wolf recommends that IT teams search for the presence of Canon printer assistant utilities such as cnmpaui.exe, which are part of the campaign’s exploit chain.

“The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting,” Arctic Wolf noted, adding that the fact that UNC6384 had jumped on the flaw so quickly after it was made public earlier in 2025 suggested that the group had access to advanced capabilities and resources.

It’s not as if attacks exploiting Windows shortcut files in different ways are terribly new or innovative. During 2025, they’ve been abused in different ways by Russian cyber-campaigns against Ukraine, Chinese attacks using the Remcos RAT, and to target companies in the United Arab Emirates (UAE). In June the technique was used to hide payloads in attacks abusing the Cloudflare Tunnel service. The issue is really that this type of flaw, which exploits an otherwise useful feature, is simply difficult to patch.
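The hunt Arctic Wolf recommends, searching endpoints for cnmpaui.exe, as an added PowerShell example that is not from the article or from Arctic Wolf. The search roots and the assumption that a legitimate copy lives under Program Files are my own choices and should be adjusted to the environment.

```powershell
# Added example: hunt a Windows endpoint for cnmpaui.exe (the Canon printer
# assistant utility named in the article) and report where each copy sits,
# whether it carries a valid Authenticode signature, and its SHA-256 hash for
# later correlation. Search roots and the "expected" location are assumptions.

$TargetName  = 'cnmpaui.exe'
$SearchRoots = @(
    "$env:SystemDrive\Users",        # user profiles, Downloads, AppData
    $env:ProgramData,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
)

# Locations where a genuine vendor install would be expected (assumption).
$ExpectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$Hits = foreach ($root in $SearchRoots) {
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Filter $TargetName -Recurse -File -ErrorAction SilentlyContinue
}

$Report = foreach ($file in $Hits) {
    $sig      = Get-AuthenticodeSignature -FilePath $file.FullName
    $expected = $false
    foreach ($er in $ExpectedRoots) {
        if ($file.FullName.StartsWith($er, [System.StringComparison]::OrdinalIgnoreCase)) { $expected = $true }
    }
    [PSCustomObject]@{
        Path       = $file.FullName
        SizeBytes  = $file.Length
        LastWrite  = $file.LastWriteTimeUtc
        SigStatus  = $sig.Status                      # Valid / NotSigned / HashMismatch ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Sha256     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        # Flag copies outside the expected install roots or without a valid signature;
        # a review decides, this only triages.
        Review     = (-not $expected) -or ($sig.Status -ne 'Valid')
    }
}

if ($Report) {
    $Report | Sort-Object Review -Descending | Format-Table -AutoSize
} else {
    "No $TargetName found under the searched roots."
}
```

Run it with an account that can read all user profiles, or it will silently skip directories it cannot enter.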
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4082701/chinese-hackers-target-western-diplomats-using-hard-to-patch-windows-shortcut-flaw.html

