
Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups

A newly discovered cyber vulnerability, ZDI-CAN-25373, has been actively exploited by 11 state-sponsored threat groups from North Korea, Iran, Russia and China since 2017.

According to the Trend Zero Day Initiative (ZDI) threat hunting team, the vulnerability – which affects Windows Shell Link (.lnk) files – has been leveraged primarily for cyber-espionage and data theft.

The new research, published on Tuesday, uncovered nearly 1000 samples of malicious .lnk files exploiting ZDI-CAN-25373. However, Trend Micro believes the total number of exploitation attempts is much higher.

Despite the significant risk posed by this vulnerability, Microsoft reportedly declined to release a security patch after it was disclosed through Trend ZDI’s bug bounty program.

State-Sponsored APT Groups Exploiting ZDI-CAN-25373

Analysis of the attack campaigns revealed that ZDI-CAN-25373 has been widely abused by both state-backed and independent advanced persistent threat (APT) groups. 

Nearly half of the state-sponsored attacks linked to this vulnerability originate from North Korea. The research also indicates that North Korean threat actors frequently share tools and techniques, highlighting a high level of collaboration within the country’s cyber program.

The primary motivation behind these cyber campaigns is espionage, with approximately 70% of identified intrusions aimed at information theft. Around 20% of the attacks were financially driven, with some groups using cybercrime to fund broader espionage operations.

Organizations in multiple industries have been targeted by these attacks. The most at-risk sectors include:

  • Government
  • Private enterprises
  • Financial institutions, including cryptocurrency platforms
  • Think tanks and NGOs
  • Telecommunications
  • Military and defense
  • Energy

Technical Details of the Exploit

ZDI-CAN-25373 takes advantage of the way Windows processes shortcut files.

Attackers craft malicious .lnk files that look harmless to users while carrying hidden commands that execute malware. By manipulating the COMMAND_LINE_ARGUMENTS structure, they insert extra content that the Windows UI does not display, making detection difficult.
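As an added example (not code from the Trend ZDI research or from Microsoft), the Python triage script below parses a .lnk file's StringData, extracts COMMAND_LINE_ARGUMENTS and flags arguments whose real content sits behind a long run of whitespace, which is how the hidden arguments stay out of view in the shortcut's Properties dialog. The structure layout follows the public MS-SHLLINK specification; the 16-character threshold and the inline shortcut samples are constructed for the demonstration.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
STRING_FLAGS = [1 << 2, 1 << 3, 1 << 4, 1 << 5, 1 << 6]  # Name, RelativePath, WorkingDir, Arguments, IconLocation
HAS_ARGUMENTS, IS_UNICODE = 1 << 5, 1 << 7
HIDING_CHARS = set("\t\n\v\f\r ")  # whitespace that renders as blank space in the Properties dialog

def build_lnk(arguments: str) -> bytes:
    """Constructed test input: a minimal .lnk carrying only a Unicode COMMAND_LINE_ARGUMENTS string."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL, rest zero
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

def lnk_command_line(data: bytes):
    """Walk the .lnk structures and return COMMAND_LINE_ARGUMENTS, or None if that string is absent."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag in STRING_FLAGS:  # StringData entries appear in this fixed order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        if flag == HAS_ARGUMENTS:
            return raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return None

def triage_lnk(data: bytes, max_run: int = 16) -> dict:
    """Flag arguments hidden behind a long whitespace run; max_run is an assumed triage threshold."""
    args = lnk_command_line(data)
    if args is None:
        return {"arguments": None, "suspicious": False}
    longest = run = 0
    for ch in args:
        run = run + 1 if ch in HIDING_CHARS else 0
        longest = max(longest, run)
    return {"length": len(args), "longest_whitespace_run": longest,
            "suspicious": longest >= max_run, "collapsed": " ".join(args.split())}

if __name__ == "__main__":
    for sample in ("/c notepad.exe", "/c" + " " * 300 + "HIDDEN_PART"):  # constructed, not real samples
        print(triage_lnk(build_lnk(sample)))
```

The `collapsed` field shows an analyst the full argument string with the padding squeezed out, which is what the shortcut will actually pass to its target.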

APT groups have used this method to deploy various malware payloads, including Malware-as-a-Service (MaaS) and commodity malware. Some groups, such as Evil Corp, have reportedly incorporated ZDI-CAN-25373 into their attack chains, including Raspberry Robin campaigns.

Global Impact and Microsoft’s Response

Victims of ZDI-CAN-25373-based attacks span North America, Europe, Asia, South America, Africa and Australia. However, the research suggests the scope of affected organizations is even broader than the collected samples indicate.

Despite the global impact of this vulnerability, Microsoft has classified it as low risk and has not prioritized a security patch at this stage.

Organizations operating in high-risk sectors are urged to assess their exposure to ZDI-CAN-25373 and implement immediate security mitigations. Additionally, security teams should remain vigilant for suspicious .lnk files and investigate any signs of compromise.
