Windows LNK Flaw Campaign (CVE-2025-9491)
Targeted Sectors
· European diplomatic and governmental organizations
Countries
· Global
o Campaigns linked to China, Iran, North Korea, and Russia
BLUF
Multiple major threat groups are actively exploiting a critical vulnerability in Windows LNK (.lnk shortcut) files to deliver various malware payloads globally. The flaw allows attackers to hide malicious commands and bypass security prompts via deceptive shortcut files. Microsoft has released a patch after months of active abuse.
Date of First Reported Activity
Activity observed for several months prior to the December 4, 2025 patch release.
Date of Last Reported Activity Update
· December 4, 2025
APT Names
· UNC6384
· Mustang Panda (overlaps with UNC6384, also known as TEMP.Hex)
Associated Criminal Organization Names
· Unspecified cybercriminal organizations
CVE-2025-9491 (Windows Shell Link Vulnerability)
CVSS 3.1 Score/Vector
· (7.5) CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Score/Vector
· (4.6) CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Nessus ID
· Not applicable at this time
Is this on the KEV list?
· Yes
Patching/Mitigation Data:
Patch Release Date
· December 4, 2025
Patch Information
· hxxps://msrc.microsoft.com/update-guide/advisory/ADV25258226
· Apply the latest Windows security updates through Windows Update or the Microsoft Security Response Center (MSRC) portal.
IOCs
· Network: C2 domains (e.g., racineupci[.]org, dorareco[.]net).
· File Hashes/Names: Malicious .LNK files, cnmpaui.exe (legitimate Canon binary used for DLL side-loading), cnmpaui.dll (malicious DLL), cnmplog.dat (encrypted PlugX payload).
· Registry Keys: Persistence is often achieved via the Software\Microsoft\Windows\CurrentVersion\Run\CanonPrinter run key.
TTPs
· T1566.001: Spearphishing Attachment (Delivery of malicious LNK file).
· T1204.002: User Execution (User opening the malicious LNK file).
· T1027: Obfuscated Files or Information (Using whitespace padding to hide commands in LNK file properties).
· T1059.001: Command and Scripting Interpreter: Command Line Interface (Execution of hidden commands).
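The whitespace-padding technique listed under T1027 can be checked for directly on disk. The script below is an added example written for this page, not code from the advisory or from any of the vendors it cites: it parses the Shell Link header and StringData section of a .lnk file following the MS-SHLLINK layout, extracts the COMMAND_LINE_ARGUMENTS string, and flags shortcuts whose arguments contain a long run of whitespace that would push the real command out of the Properties dialog. The two sample shortcuts are constructed in-code (the padding threshold of 32 characters is an assumption), so it runs offline; point assess_file at a quarantined sample to use it for real.

```python
import struct

# LinkFlags bits in the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Assumption: no benign shortcut needs more than this many consecutive whitespace characters.
PADDING_THRESHOLD = 32


def parse_lnk(data: bytes) -> dict:
    """Parse the fixed header and the StringData strings of a .lnk blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLinkHeader")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags, = struct.unpack_from("<I", data, 0x14)
    show_cmd, = struct.unpack_from("<I", data, 0x3C)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # 2-byte IDListSize, then the IDList
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                  # 4-byte LinkInfoSize that includes itself
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    strings = {}
    # StringData entries appear in this fixed order, each as CountCharacters + characters
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            strings[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            strings[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return {"flags": flags, "show_command": show_cmd, **strings}


def longest_whitespace_run(s: str):
    """Return (length, end_index) of the longest run of whitespace characters in s."""
    best_len = best_end = cur = 0
    for i, ch in enumerate(s):
        cur = cur + 1 if ch.isspace() else 0
        if cur > best_len:
            best_len, best_end = cur, i + 1
    return best_len, best_end


def assess_lnk(data: bytes) -> dict:
    """Flag arguments padded with whitespace and surface whatever follows the padding."""
    args = parse_lnk(data).get("arguments", "")
    run, end = longest_whitespace_run(args)
    suspicious = run >= PADDING_THRESHOLD
    return {
        "arguments_length": len(args),
        "longest_whitespace_run": run,
        "text_after_padding": args[end:] if suspicious else "",
        "suspicious": suspicious,
    }


def assess_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return assess_lnk(fh.read())


def build_lnk(arguments: str, show_command: int = 1) -> bytes:
    """Construct a minimal .lnk carrying only COMMAND_LINE_ARGUMENTS (test data, not a real sample)."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


# Constructed samples: a plain shortcut and one whose real command sits after 300 spaces.
BENIGN_SAMPLE = build_lnk('/c "decoy.pdf"')
PADDED_SAMPLE = build_lnk('"decoy.pdf"' + " " * 300 + "& echo hidden-command-here")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SAMPLE), ("padded", PADDED_SAMPLE)):
        print(label, assess_lnk(blob))
```

The parser stops after StringData and ignores the ExtraData blocks that follow, which is enough for this check; a triage script would also want to record show_command and the icon location, since both are commonly used to make a shortcut look like a document.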
Email Samples
· Not known at this time.
Malware Names
· Primarily PlugX Remote Access Trojan
Malware Sample
sha256
cnmplog.dat
a7d12712673a4e3b6d62a9d84f124e62689da12f0a3ee6009369ecf469ce8182
cnmpaui.dll
ee9295fa36e29808ff36beb55be328b68d82f267d2faa54db26e0bf86b78fa56
cnmpaui.exe
4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3
URL Link to sha256
cnmplog.dat
· hxxps://www.virustotal.com/gui/file/a7d12712673a4e3b6d62a9d84f124e62689da12f0a3ee6009369ecf469ce8182/community
cnmpaui.dll
· hxxps://www.virustotal.com/gui/file/ee9295fa36e29808ff36beb55be328b68d82f267d2faa54db26e0bf86b78fa56
cnmpaui.exe
· hxxps://www.virustotal.com/gui/file/4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3
Suggested rules / potential hunts
These are indicator-based rules and are likely to be noisy.
Suricata Detection Rules
· Monitor for PlugX User-Agent
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CVE-2025-9491 PlugX related User-Agent detected"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 10.0|3b|"; http_header; classtype:malware-cnc; sid:your_new_sid; rev:1;)
· Monitor known C2 IPs and domains: Threat actors used IP 144.126.202.227
alert ip $HOME_NET any -> 144.126.202.227 any (msg:"CVE-2025-9491 PlugX C2 IP detected"; classtype:trojan-activity; sid:your_new_sid; rev:1;);
SentinelOne Hunts
· Unusual Process Tree Activity
Monitor for explorer.exe or rundll32.exe spawning unusual child processes, especially command shells (cmd.exe) or scripting engines (powershell.exe, wscript.exe, cscript.exe).
Look for powershell.exe command lines with long, obfuscated strings or those that involve downloading and executing content from the internet.
· DLL Side-loading
Monitor for the execution of legitimate, signed binaries (e.g., cnmpaui.exe - a Canon printer utility) from unusual directories (e.g., AppData\Roaming\SamsungDriver) that load a malicious DLL (e.g., cnmpaui.dll).
· Persistence Mechanisms
Hunt for the creation of unusual registry run keys, such as Software\Microsoft\Windows\CurrentVersion\Run\CanonPrinter.
· File Artifacts
Scan endpoints for the presence of files with specific names or in suspicious directories (e.g., AppData\Roaming\SamsungDriver, cnmplog.dat, cnmpaui.exe).
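The four hunts above can be expressed as rules over endpoint telemetry and tested before they are deployed. The script below is an added example for this page, not SentinelOne code or a vendor query: it evaluates each hunt against Sysmon-style events (field names Image, ParentImage, CommandLine, ImageLoaded, TargetObject and TargetFilename follow Sysmon; the events, user name and SID in the samples are constructed) and returns the names of the hunts each event matches.

```python
import ntpath

SHELL_PARENTS = {"explorer.exe", "rundll32.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
SIDELOAD_HOSTS = {"cnmpaui.exe"}                     # signed host binary named in the advisory
SUSPECT_DIRS = (r"\appdata\roaming\samsungdriver",)  # staging directory named in the advisory
FILE_NAMES = {"cnmplog.dat", "cnmpaui.dll", "cnmpaui.exe"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run\canonprinter"
LONG_CMDLINE = 260


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def hunt(event: dict) -> list:
    """Return the names of the hunts a single event matches (empty list if none)."""
    hits = []
    eid = event.get("EventID")
    if eid == 1:  # process creation
        parent, child = base(event.get("ParentImage")), base(event.get("Image"))
        cmd = event.get("CommandLine", "")
        if parent in SHELL_PARENTS and child in INTERPRETERS:
            hits.append("unusual_process_tree")
        if child == "powershell.exe" and (
            len(cmd) > LONG_CMDLINE or any(k in cmd.lower() for k in ("http", "download"))
        ):
            hits.append("suspicious_powershell_cmdline")
        if child in SIDELOAD_HOSTS and any(d in event.get("Image", "").lower() for d in SUSPECT_DIRS):
            hits.append("sideload_host_in_user_dir")
    elif eid == 7:  # image (DLL) load
        if base(event.get("Image")) in SIDELOAD_HOSTS and base(event.get("ImageLoaded")) in FILE_NAMES:
            hits.append("dll_sideload")
    elif eid in (12, 13):  # registry key create / value set
        if event.get("TargetObject", "").lower().endswith(RUN_KEY_SUFFIX):
            hits.append("run_key_persistence")
    elif eid == 11:  # file create
        target = event.get("TargetFilename", "")
        if base(target) in FILE_NAMES or any(d in target.lower() for d in SUSPECT_DIRS):
            hits.append("file_artifact")
    return hits


def run_hunts(events) -> list:
    return [hunt(e) for e in events]


# Constructed sample telemetry, not real logs. "u" and the SID are placeholders.
STAGE_DIR = r"C:\Users\u\AppData\Roaming\SamsungDriver"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c " + "A" * 300},          # long opaque argument
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": STAGE_DIR + r"\cnmpaui.exe", "CommandLine": "cnmpaui.exe"},
    {"EventID": 7, "Image": STAGE_DIR + r"\cnmpaui.exe",
     "ImageLoaded": STAGE_DIR + r"\cnmpaui.dll"},
    {"EventID": 13, "Image": STAGE_DIR + r"\cnmpaui.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\CanonPrinter"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run_hunts(SAMPLE_EVENTS)):
        print(event["EventID"], base(event.get("Image")), hits or "-")
```

Match on file names only after a first pass; the process-tree and side-loading rules are the ones that survive a rename of the payload, while the name and directory matches are the noisy indicator checks the note above warns about.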
Splunk Hunts
· PowerShell Execution from LNK Parentage (requires endpoint logging like Sysmon)
index=your_index (EventCode=1 OR EventCode=4688) powershell.exe | eval parent=lower(coalesce(ParentImage, Creator_Process_Name)), cmd=coalesce(CommandLine, Process_Command_Line) | where like(parent, "%\\explorer.exe") OR like(parent, "%\\rundll32.exe") | where like(lower(cmd), "%http%") OR like(lower(cmd), "%download%") OR len(cmd) > 260
· Creation of Suspicious Files/Directories
index=your_index (EventCode=11 OR EventCode=4656) ("AppData\\Roaming\\SamsungDriver" OR "cnmplog.dat" OR "cnmpaui.dll")
· Registry Key Creation for Persistence
index=your_index (EventCode=12 OR EventCode=13) TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CanonPrinter"
· Network Activity to Known IOCs
index=your_network_index (dest_ip=144.126.202.227 OR http_user_agent="Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0;*")
· Anomalous Outbound Connections
index=your_network_index | stats count by dest_ip, dest_port | where count > 5000
Delivery Method
Spear-phishing emails containing crafted LNK files.
Email Samples
Spearphishing emails use highly realistic lures such as invitations to diplomatic events, European Commission meetings, or NATO summits. They display a decoy PDF document to the user after the malicious activity is triggered in the background.
References
Microsoft
· hxxps://msrc.microsoft.com/update-guide/advisory/ADV25258226
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2025-9491
Arctic Wolf Labs
· hxxps://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/
The Hacker News
· hxxps://thehackernews.com/2025/12/microsoft-silently-patches-windows-lnk.html
VirusTotal
· hxxps://www.virustotal.com/gui/file/a7d12712673a4e3b6d62a9d84f124e62689da12f0a3ee6009369ecf469ce8182/community
· hxxps://www.virustotal.com/gui/file/ee9295fa36e29808ff36beb55be328b68d82f267d2faa54db26e0bf86b78fa56
· hxxps://www.virustotal.com/gui/file/4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3