Diplomatic entities in Belgium and Hungary hacked in China-linked spy campaign
Hungarian and Belgian diplomatic entities were allegedly targeted by a well-known Chinese hacking group in September and October.
Incident responders at Arctic Wolf Labs discovered an active cyber-espionage campaign they attributed to a China-affiliated threat actor tracked as UNC6384. In August, Google spotlighted a nearly identical campaign by the same group targeting diplomats in Southeast Asia with documents mimicking EU Council meeting agendas.
Arctic Wolf tracked the latest campaign over the last two months, writing in a blog post on Thursday that the attacks began with spearphishing emails centered on European Commission meetings, NATO-related workshops and multilateral diplomatic coordination events.
In addition to the Hungarian and Belgian targets, Arctic Wolf said it saw documents targeting Serbian government aviation departments, as well as other diplomatic entities in Italy and the Netherlands. The diplomatic targets focused specifically on cross-border policy, defense cooperation and multilateral coordination activities.
The researchers noted that Belgium's role as host nation for NATO headquarters and numerous EU institutions “makes Belgian diplomatic entities valuable intelligence targets for monitoring alliance activities and policy development.” Arctic Wolf did not specify what those entities were.
The targeting indicates interest in NATO and EU defense initiatives, procurement decisions and military readiness assessments as well as European supply chain resilience, infrastructure development and trade policy evolution, the researchers explained.
“The expansion to European diplomatic targeting observed in this campaign indicates either broadened operational mandate or deployment of additional operational teams with geographic specialization,” Arctic Wolf said. “The consistency in tooling and techniques across both geographic theaters suggests centralized tool development with regional operational deployment.”
Panda’s PlugX
The emails contained embedded URLs that eventually led to the delivery of malicious files that exploit a Windows vulnerability disclosed in March 2025. The attacks culminate in the use of PlugX — a brand of malware used by many Chinese nation-state groups.
Arctic Wolf argued that the campaign “represents a tactical evolution from the group's previously documented operations, introducing exploitation of a recently disclosed Windows vulnerability alongside refined social engineering approaches.”
The study links to research from Trend Micro showing that the Windows bug was being exploited as a zero-day by multiple government-backed hacking groups in North Korea, China, Russia and Iran — enabling widespread espionage and data theft activities.
Arctic Wolf noted that the exploitation of the vulnerability was concerning because it showed that UNC6384 was able to adopt the vulnerability into its tool set just six months after it was publicly disclosed.
The researchers warned that the timeline “suggests either direct monitoring of vulnerability disclosures with rapid development cycles, or potential pre-disclosure awareness through other intelligence channels.”
PlugX allowed the hackers to establish long-term access to a victim’s system and enabled them to exfiltrate classified documents, monitor policy discussions in real time, surveil diplomatic calendars and travel plans, and collect credentials that would enable further access to diplomatic networks.
The malware has been used in attacks since 2008 and remains a popular tool among Chinese espionage groups. It has evolved significantly since 2008 and several variations have been created, including versions known as Korplug, TIGERPLUG, and SOGU. Arctic Wolf found versions that have been developed and refined in the last six months.
It enables threat actors to conduct keylogging, upload and download files, establish persistence and closely monitor system functions.
The latest version has been streamlined significantly, maintaining “essential functionality while dramatically reducing forensic footprint and analysis surface area,” Arctic Wolf said.
According to the company, UNC6384 has ties to Mustang Panda — one of China’s most prolific espionage groups. Both groups share operational tools, targets, overlapping infrastructure and more.
In January, the Justice Department removed PlugX from more than 4,000 U.S. computers in an operation aimed at stopping a Mustang Panda campaign. The action was part of a global effort to address the spread of PlugX, which had been found on nearly 100,000 devices in about 170 countries.
Mustang Panda was previously accused by the European Union’s cybersecurity agency of targeting European businesses and organizations. The group was even seen targeting diplomatic entities in Russia.
The group’s other victims include the African Union, several telecommunications companies, prime ministers across Asia, Myanmar’s president, Indonesia’s intelligence agency and more.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.