Signals Weekly: The Shortcut That Opened Doors in Europe
A Windows .LNK just became an actual door key. UNC6384 → PlugX at EU diplomats. CISA drops 2 new KEV vulns (CentreStack/Triofox & CWP) + 5 ICS advisories. Patch what you can, isolate what you can’t.
AlphaHunt Signals Weekly — Signal > Noise
I’m testing a new ~weekly product. It’s not another “link dump.” It’s a signal-ranked brief for operators who are busy and actually have to act.
TL;DR
- [Threat Actors] China-linked UNC6384 abusing Windows LNK vuln (ZDI-CAN-25373) to deliver PlugX against EU diplomatic targets; active Sep–Oct.
- [Vulnerabilities] CISA KEV adds Gladinet CentreStack/Triofox CVE-2025-11371 and CWP Control Web Panel CVE-2025-48703; prioritize patching/mitigations.
- [ICS/OT] Five new CISA ICS advisories detail remotely exploitable flaws across multiple OEMs; apply vendor fixes and compensating controls.
AlphaHunt
Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe! • Forward to your on-call lead.
(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))
Current Stories
TL;DR
- [Threat Actors] China-linked UNC6384 using Windows LNK vuln (ZDI-CAN-25373) to deliver PlugX against EU diplomats; multiple EU gov targets, active Sep–Oct.
- [Vulnerabilities] CISA adds Gladinet CentreStack/Triofox CVE-2025-11371 and CWP Control Web Panel CVE-2025-48703 to KEV; evidence of active exploitation.
- [ICS/OT] CISA issues five ICS advisories (Fuji Electric, Delta, Radiometrics, Survision, IDIS): remotely exploitable issues, vendor patches/mitigations listed.
- [Mobile] Android Security Bulletin (Nov 2025): critical System-component RCEs fixed; patch level 2025-11-01 or later required.
- [Data Breach] University of Pennsylvania confirms investigation of data breach; FBI notified; scope under assessment.
References
- (2025-10-31) UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities
- (2025-11-04) CISA Adds Two Known Exploited Vulnerabilities to Catalog
- (2025-11-04) CISA Releases Five Industrial Control Systems Advisories
- (2025-11-01) Android Security Bulletin—November 2025
- (2025-11-03) For the media: Update on cybersecurity incident (University of Pennsylvania)
Suggested Pivots
Which KEV-listed vulns (CVE-2025-11371, CVE-2025-48703) intersect our exposed services, and what interim mitigations apply if patching is deferred?
- Why: Translates KEV urgency into concrete risk reduction on our perimeter.
- What to expect: Asset-to-CVE mapping, vendor-specific mitigations, and monitoring signatures.
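One way to do the asset-to-CVE mapping this pivot asks for, as an added example that is not part of the brief and not a CISA tool: read the KEV catalog in the JSON shape CISA publishes, intersect it with an asset inventory on vendor/product, and rank hits by internet exposure and KEV due date. The only values taken from this brief are the two CVE IDs; the vendor/product strings, dates, required-action text and the inventory are constructed placeholders, not copied from the catalog or from any real environment.

```python
import json
from datetime import date

# Constructed KEV fragment in the schema CISA uses for
# known_exploited_vulnerabilities.json. CVE IDs come from the brief; every
# other field here is a placeholder, not the catalog's real content.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed fragment)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-11371", "vendorProject": "Gladinet",
         "product": "CentreStack and Triofox", "dateAdded": "2025-11-04",
         "dueDate": "2025-11-25", "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions (placeholder)."},
        {"cveID": "CVE-2025-48703", "vendorProject": "CWP",
         "product": "Control Web Panel", "dateAdded": "2025-11-04",
         "dueDate": "2025-11-25", "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply mitigations per vendor instructions (placeholder)."},
    ],
})

# Constructed asset inventory (hostnames and exposure flags are made up).
INVENTORY = [
    {"hostname": "files-edge-01", "vendor": "Gladinet", "product": "Triofox",
     "internet_exposed": True},
    {"hostname": "cpanel-lab-03", "vendor": "CWP", "product": "Control Web Panel",
     "internet_exposed": False},
    {"hostname": "wiki-int-02", "vendor": "Acme", "product": "Intranet Wiki",
     "internet_exposed": False},
]


def normalize(s: str) -> str:
    """Lowercase, drop parentheses, collapse whitespace so 'CWP' and
    'Control Web Panel (CWP)' style strings compare sanely."""
    return " ".join(s.lower().replace("(", " ").replace(")", " ").split())


def kev_matches(entry: dict, asset: dict) -> bool:
    """Substring match in both directions: KEV product strings often bundle
    several products ('CentreStack and Triofox'), inventories list one."""
    v_kev, v_asset = normalize(entry["vendorProject"]), normalize(asset["vendor"])
    p_kev, p_asset = normalize(entry["product"]), normalize(asset["product"])
    vendor_ok = v_kev in v_asset or v_asset in v_kev
    product_ok = p_kev in p_asset or p_asset in p_kev
    return vendor_ok and product_ok


def prioritize(feed_json: str, inventory: list, today: date) -> list:
    """Return one finding per (asset, KEV entry) pair, internet-exposed assets
    first, then soonest KEV due date. requiredAction is carried so the
    interim mitigation is visible when patching is deferred."""
    feed = json.loads(feed_json)
    findings = []
    for entry in feed["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if kev_matches(entry, asset):
                findings.append({
                    "hostname": asset["hostname"],
                    "cveID": entry["cveID"],
                    "due_date": entry["dueDate"],
                    "days_left": (due - today).days,
                    "internet_exposed": asset["internet_exposed"],
                    "ransomware_use": entry["knownRansomwareCampaignUse"],
                    "interim_action": entry["requiredAction"],
                })
    findings.sort(key=lambda f: (not f["internet_exposed"], f["days_left"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(KEV_FEED_JSON, INVENTORY, date(2025, 11, 5)):
        print(f"{f['hostname']:<15} {f['cveID']:<16} due in {f['days_left']:>3}d "
              f"exposed={f['internet_exposed']}  {f['interim_action']}")
```

Swap `KEV_FEED_JSON` for the live catalog and `INVENTORY` for a CMDB export; the matching is deliberately loose, so review hits rather than auto-ticketing them.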
How does UNC6384’s PlugX delivery (LNK+Canon DLL sideload) compare with our EDR detections and email filtering, and where are bypass gaps?
- Why: Aligns current tradecraft to our controls to close evasion paths.
- What to expect: Testable detection hypotheses, artifact hunts, and filter rule updates.
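An artifact hunt for the LNK stage of this pivot, as an added example that is not part of the brief and not code from any vendor report: a minimal MS-SHLLINK parser that pulls COMMAND_LINE_ARGUMENTS out of .LNK files and flags the whitespace padding that hides the real command from the Windows Properties dialog (the behaviour ZDI has described for ZDI-CAN-25373). The sample .LNK bytes are constructed by the script so it runs offline; the payload string is a placeholder, not a command taken from any UNC6384 sample, and the Canon DLL sideload stage is not modelled here.

```python
import struct
from pathlib import Path

# Shell Link header layout per MS-SHLLINK: 76-byte ShellLinkHeader, then
# optional LinkTargetIDList, optional LinkInfo, then StringData fields.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]
PAD_CHARS = " \t\r\n\x0b\x0c"  # whitespace used to push the command out of view


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed sample: a Unicode .LNK carrying only RELATIVE_PATH and
    COMMAND_LINE_ARGUMENTS (no IDList, no LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes/times/size zeroed

    def string_data(s: str) -> bytes:  # CountCharacters + UTF-16LE, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file as a dict."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link (.LNK) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize covers the whole LinkInfo struct
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def assess(fields: dict, pad_threshold: int = 16) -> dict:
    """Hunt logic: a long run of leading padding in the argument string is the
    signal; the stripped remainder is what actually executes."""
    args = fields.get("arguments", "")
    leading_pad = len(args) - len(args.lstrip(PAD_CHARS))
    effective = args.strip(PAD_CHARS)
    return {
        "target": fields.get("relative_path", ""),
        "leading_pad": leading_pad,
        "effective_args": effective,
        "suspicious": leading_pad >= pad_threshold and bool(effective),
    }


def scan_dir(root: str) -> list:
    """Walk a directory (e.g. an attachment quarantine export) and return the
    assessments of every .lnk that parses and looks padded."""
    hits = []
    for p in Path(root).rglob("*.lnk"):
        try:
            result = assess(parse_lnk(p.read_bytes()))
        except ValueError:
            continue
        if result["suspicious"]:
            hits.append({"path": str(p), **result})
    return hits


if __name__ == "__main__":
    # Constructed samples: a benign shortcut and a padded one (placeholder payload).
    benign = build_lnk("cmd.exe", "/c echo hello")
    padded = build_lnk("cmd.exe", " " * 900 + "/c start \"\" %TEMP%\\stage.exe")
    for label, blob in (("benign", benign), ("padded", padded)):
        print(label, assess(parse_lnk(blob)))
```

Point `scan_dir` at a mail-gateway quarantine or a user's Downloads tree; the parser deliberately ignores IDList and LinkInfo contents, since the padded argument string is the artifact of interest here, and the threshold of 16 padding characters is a starting point to tune against your own shortcut population.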
AlphaHunt Converge - Plug in your Flight Crew
Get intelligence where it counts. No dashboards. No detours. AlphaHunt Converge teases out your intent, reviews the results and delivers actionable intel right inside Slack. We turn noise into signal and analysts into force multipliers.
Anticipate, Don’t Chase.
