China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats
04.11.2025

China-linked threat actors are weaponizing Windows shortcut vulnerabilities in sophisticated phishing campaigns targeting European diplomatic missions, deploying PlugX malware through carefully crafted LNK files.

China-linked APT groups are going old school with new tricks — exploiting Windows shortcut vulnerabilities to target European diplomats in a sophisticated cyber espionage campaign. They're dropping PlugX malware through weaponized LNK files that look legit but execute malicious payloads the moment you click.
The attacks specifically target diplomatic missions across Europe, with threat actors sending phishing emails containing these malicious shortcuts disguised as routine documents or meeting invites. Once executed, the LNK files fetch and deploy PlugX — a modular remote access trojan that's been China's go-to espionage tool for years.
Security researchers tracking the campaign note the attackers are using living-off-the-land techniques, leveraging legitimate Windows components to avoid detection. The LNK files contain hidden commands that download additional payloads from compromised websites, creating a multi-stage infection chain that's tough to spot.
This isn't some random cybercrime op — the targeting of diplomatic entities and use of PlugX strongly points to state-sponsored Chinese threat actors. The campaign shows advanced tradecraft, with attackers carefully researching their targets and crafting convincing lures that match diplomatic communication patterns.
The Windows shortcut vulnerability being exploited allows attackers to execute arbitrary code through specially crafted LNK files, bypassing some security controls. Microsoft has previously patched similar vulnerabilities, but attackers keep finding new ways to weaponize the format.
Organizations are advised to implement application whitelisting, disable unnecessary LNK file execution, and train staff to recognize sophisticated phishing attempts. The campaign underscores that even 'basic' attack vectors remain highly effective when combined with social engineering and careful targeting.
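The shortcut traits the article describes (a script host or other legitimate Windows binary as the real target, a command line that downloads a further stage from a remote site, a document-like disguise) can be checked mechanically on incoming .lnk attachments before a user ever clicks them. The Python below is an added example, not code from the article or from the researchers it reports on: it reads the Shell Link binary format (MS-SHLLINK header and StringData section), then applies a set of triage heuristics. The two sample shortcuts are constructed inline with placeholder values (`example.invalid`, `constructed-sample`); the LOLBin list, the padding and length thresholds, and the document-icon hints are illustrative assumptions, not values taken from the page.

```python
import re
import struct
from dataclasses import dataclass

# LinkFlags bits from the Shell Link (.LNK) Binary File Format (MS-SHLLINK)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value: start the target minimised, window not shown

# Assumed list of legitimate Windows binaries commonly abused as shortcut targets
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
           "bitsadmin.exe", "msiexec.exe", "forfiles.exe"}
# Assumed hints that the icon is borrowed from a document viewer (masquerading)
DOC_ICON_HINTS = (".docx", ".doc", ".pdf", ".xlsx", ".pptx", "winword", "excel", "acrord")
MAX_VISIBLE_ARGS = 260  # assumed: roughly what the Explorer properties dialog displays


@dataclass
class Shortcut:
    flags: int
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> Shortcut:
    """Parse the 76-byte header, skip LinkTargetIDList/LinkInfo, read StringData."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 20)[0]        # LinkFlags
    show_command = struct.unpack_from("<I", data, 60)[0]  # ShowCommand
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    sc = Shortcut(flags=flags, show_command=show_command)
    # StringData entries appear in this fixed order, each as CountCharacters + chars
    for flag, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            setattr(sc, attr, data[pos:pos + count * 2].decode("utf-16-le"))
            pos += count * 2
        else:
            setattr(sc, attr, data[pos:pos + count].decode("cp1252", errors="replace"))
            pos += count
    return sc


def triage(sc: Shortcut) -> list[str]:
    """Return the list of suspicious traits found; an empty list means nothing flagged."""
    findings = []
    target = sc.relative_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = sc.arguments
    if target in LOLBINS:
        findings.append(f"target is a script host / LOLBin: {target}")
    if re.search(r"https?://", args, re.IGNORECASE):
        findings.append("arguments reference a remote URL (multi-stage download)")
    if re.search(r"\s{20,}", args) or len(args) > MAX_VISIBLE_ARGS:
        findings.append("arguments padded or longer than the properties dialog shows")
    if sc.show_command == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7 starts the target minimised (hidden window)")
    if target in LOLBINS and any(h in sc.icon_location.lower() for h in DOC_ICON_HINTS):
        findings.append("document icon on a shortcut that launches a script host")
    return findings


def build_lnk(relative_path: str, arguments: str, icon: str, show_command: int = 1) -> bytes:
    """Constructed test input: a minimal Unicode shell link with header + StringData only."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I", 0x4C)
    header += bytes.fromhex("0114020000000000c000000000000046")   # LinkCLSID
    header += struct.pack("<II", flags, 0)                          # LinkFlags, FileAttributes
    header += b"\x00" * 24                                          # Creation/Access/Write times
    header += struct.pack("<III", 0, 0, show_command)               # FileSize, IconIndex, ShowCommand
    header += struct.pack("<H", 0) + b"\x00" * 10                   # HotKey, Reserved1..3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon))
    return header + body + struct.pack("<I", 0)                     # TerminalBlock


# Constructed samples: a plain document shortcut and one showing the traits described above
BENIGN_LNK = build_lnk("..\\Documents\\Agenda.docx", "", "")
SUSPICIOUS_LNK = build_lnk(
    "..\\..\\Windows\\System32\\cmd.exe",
    "/c" + " " * 40 + "echo constructed-sample & start https://example.invalid/stage2",
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(label, triage(parse_lnk(blob)) or ["no findings"])
```

The parser reads only the RelativePath string, so a shortcut whose target lives solely in the LinkTargetIDList (as many real ones do) would need the ID list decoded as well; treat this as the triage layer of a mail gateway or sandbox, layered under a policy that blocks .lnk attachments outright where they are not needed, which is the simpler control the article recommends.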
Tags: malware, state-sponsored hacks, cyber espionage, social engineering, phishing

