Chinese-Linked Cyber Group Exploits Windows Zero-Day to Target European Diplomats

Tuesday, November 4, 2025

A newly exposed zero-day vulnerability in the display of LNK files in Microsoft Windows has been actively exploited in cyber-espionage campaigns against European diplomats, according to cybersecurity firm Arctic Wolf.

The flaw, first reported in late August, remains unpatched as Microsoft has not classified it as critical—contrary to assessments by Trend Micro’s Zero Day Initiative (ZDI). Arctic Wolf researchers observed that a China-linked threat group, UNC6384, leveraged the vulnerability in targeted attacks across several European states, including Belgium, Italy, the Netherlands, Serbia, and Hungary, throughout September and October.

The operation began with spear-phishing emails referencing EU Commission meetings, NATO-related workshops, and multilateral coordination events. These messages led victims to malicious URLs, eventually delivering infected LNK files. Once opened, the files exploited the Windows flaw to execute obfuscated PowerShell commands, deploying a multi-stage malware chain that culminated in the installation of PlugX, a well-known remote-access trojan (RAT), through DLL side-loading using legitimate Canon printer utilities.

Arctic Wolf warns that the lack of a Microsoft patch allows this vulnerability to remain exploitable. The firm recommends blocking or restricting the use of .lnk files from unverified sources and disabling automatic shortcut resolution in Windows Explorer across all endpoints.
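To support the recommendation to restrict .lnk files from unverified sources, the following added example (not from Arctic Wolf or Microsoft) reads the argument string stored inside a shortcut and flags PowerShell invocations, so the check does not depend on what Windows displays. The function names, the 260-character threshold and the sample shortcut are assumptions made for illustration; only the StringData section is inspected, not the ID list or LinkInfo.

```python
import struct

# LinkFlags bits from the Shell Link (.LNK) binary format
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shortcut, including its arguments."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 76                                  # fixed-size header
    if flags & HAS_IDLIST:                    # 2-byte size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                  # 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:            # stored in this order when present
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        size = count * 2 if flags & IS_UNICODE else count
        raw = data[pos + 2:pos + 2 + size]
        if len(raw) != size:
            raise ValueError("truncated StringData")
        fields[key] = raw.decode("utf-16-le" if flags & IS_UNICODE else "cp1252", "replace")
        pos += 2 + size
    return fields

def triage(data: bytes, max_args: int = 260) -> list:
    """Flag shortcuts worth a closer look; max_args is an assumed threshold."""
    fields = parse_lnk_strings(data)
    args = fields.get("arguments", "")
    text = (fields.get("relative_path", "") + " " + args).lower()
    findings = []
    if "powershell" in text or "pwsh" in text:
        findings.append("invokes PowerShell")
    if len(args) > max_args:
        findings.append("unusually long arguments")
    return findings

def build_sample(target: str, args: str) -> bytes:
    """Constructed minimal shortcut (header + StringData only) for the demo."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = b"\x4c\x00\x00\x00" + LNK_CLSID + struct.pack("<I", flags) + bytes(52)
    pack = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + pack(target) + pack(args)

SAMPLE = build_sample(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "-NoProfile -Command " + "A" * 300)   # constructed, inert arguments
```

Running `triage` over shortcuts collected from mail attachments or download folders gives a short list for manual review; a hit is a reason to look closer, not a verdict.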

Security analysts note that the incident highlights the growing sophistication of state-linked cyber espionage targeting diplomatic networks in Europe. If exploitation continues, Microsoft may be forced to reconsider its initial risk assessment.

At present, however, experts argue the situation reflects a worrying trend in what some describe as “security theater”—where acknowledgment outpaces remediation.
