Chinese cyber group breached Hungarian EU diplomats’ systems

A China-linked hacking group has targeted European diplomatic networks — including Hungarian systems — in a coordinated cyber-espionage campaign this autumn. The attackers exploited a recently disclosed Windows vulnerability and deployed spyware capable of accessing confidential diplomatic material.

New Windows flaw exploited by the attackers

According to a detailed report by Arctic Wolf Labs, the operation began in September and continued through October, focusing on diplomatic missions and government networks. The attackers sought sensitive diplomatic information, including internal briefings, negotiation documents and confidential communications.

The group exploited a freshly weaponised Windows vulnerability and installed PlugX, a long-used espionage tool that enables remote access, data exfiltration and covert surveillance. Once inside, the malware allowed the attackers to take full control of compromised systems.

“The attack begins with personalised emails that appear to relate to diplomatic events. When opened, the attachment triggers a recently identified Windows vulnerability, giving the attackers access to the system. This lets the malware run silently, enabling data theft and long-term monitoring,” the researchers noted.

The UNC6384 group

UNC6384 is a relatively new China-affiliated threat actor first documented by Google’s threat analysis unit. The group has historically targeted diplomatic entities, initially in Southeast Asia before expanding operations to Europe.

Their tactics include:

  • highly tailored spear-phishing emails
  • traffic redirection and decoy websites
  • digitally signed installers
  • memory-resident malware designed to evade detection

PlugX — a tool widely used by Chinese-nexus hacking groups for over a decade — remains a core component of their operations due to its flexibility and stealth.

Hungary also in the crosshairs

The report does not specify what information the attackers may have accessed or the extent of any damage, but the nature of the campaign suggests that the goal was not disruption, but intelligence gathering. Hungary’s role in EU decision-making, NATO membership, and active relations with major powers make it a natural intelligence target.

Such operations rarely aim to disrupt services. Instead, attackers seek early access to classified background notes and negotiation stances — information that can offer strategic insight into EU-level decisions and Hungary’s foreign-policy directions.

Cybersecurity implications

Experts warn that rapid patching and user awareness remain the most effective defences. In diplomatic environments, targeted phishing attempts continue to be the primary entry point — a single convincing invitation or attachment can compromise an entire system.

In practice, this means:

  • security updates cannot be delayed
  • links and attachments require strict vigilance
  • cyber-risk management must be part of everyday routines, not only an IT task

Arctic Wolf notes the campaign shows how quickly advanced groups weaponise new vulnerabilities: even brief delays in patching can carry real national-security risks.

Cyber attacks across Europe

European government networks have faced rising pressure from China-, Russia- and North Korea-linked groups in recent years.

In late September, major airports — including London Heathrow, Brussels and Berlin — reported disruptions linked to an external IT provider, causing delays and flight cancellations. Around the same time, several Western European ministries and public portals experienced short outages after detecting suspicious network activity.

The incidents highlight that diplomatic networks are not the only targets — broader government and infrastructure systems also face constant pressure. As a result, all institutions handling sensitive information, not only foreign ministries, need up-to-date cyber protection.


elomagyarorszag.hu
