A Windows shortcut vulnerability, identified as ZDI-CAN-25373, has been exploited in widespread cyber espionage campaigns by state-sponsored groups from North Korea, Iran, Russia, and China since at least 2017. Security researchers Peter Girnus and Aliakbar Zahravi from Trend Micro’s Zero Day Initiative (ZDI) reported that 11 advanced persistent threat (APT) groups have leveraged the exploit primarily for espionage and data theft.

“As geopolitical tensions and conflicts escalate, an increase in the sophistication of threat actors and the utilisation of zero-day vulnerabilities is anticipated to rise, as both nation-states and cybercriminals endeavour to gain a competitive advantage over their adversaries,” said the researchers. “This growing prevalence of zero-day exploitation necessitates the implementation of comprehensive security solutions to safeguard critical assets and industries effectively.”

Trend ZDI’s analysis uncovered nearly 1,000 malicious Shell Link (.lnk) files exploiting the vulnerability, with actual exploitation attempts likely exceeding this number. The exploit was submitted to Microsoft through Trend ZDI’s bug bounty programme, but Microsoft declined to release a security patch.

APT groups employing the vulnerability include a mix of state-sponsored, state-adjacent, and independent cybercriminal entities. While many groups have a documented history of exploiting zero-day vulnerabilities, a significant proportion of the attacks have been attributed to North Korean threat actors. Girnus and Zahravi noted extensive collaboration and tool-sharing among North Korean hacking groups, which have actively targeted ZDI-CAN-25373 across multiple campaigns.

Analysis of intrusion sets linked to the exploit indicates that nearly 70% of campaigns focused on espionage and information theft, while over 20% were financially motivated. Some threat actors engaged in espionage have also conducted financially driven attacks to support their operations.

The targeted sectors span government institutions, private enterprises, and financial firms, including cryptocurrency-related businesses, think tanks, telecommunications, military and defence, and the energy sector. Organisations operating in these industries face an elevated risk and are urged to implement security measures against ZDI-CAN-25373. Trend ZDI also recommended vigilance against .lnk files, which are commonly exploited in such attacks.

The geographical impact of the exploit is broad, with the majority of analysed malicious files originating from North America, particularly the US and Canada. However, evidence suggests that APT groups have also targeted victims in Europe, Asia, South America, Africa, and Australia.

Malware deployment and attack techniques

Attackers exploiting ZDI-CAN-25373 have deployed a variety of malware payloads. Some of these were identified through Trend Micro’s threat telemetry, while others were linked to known malware-as-a-service (MaaS) operations. Notably, the cybercriminal group Evil Corp was found using the exploit in its Raspberry Robin campaigns.

The vulnerability lies in how Windows processes shortcut (.lnk) files, allowing attackers to embed malicious command-line arguments. These arguments remain hidden when viewed through the Windows user interface, enabling the execution of harmful code upon interaction with the shortcut. Attackers have also manipulated icon displays and file extensions to deceive users into executing compromised files.
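To make the "hidden arguments" point concrete from the defender's side, the following is an added example (written for this page; it is not code from the article, Trend Micro or ZDI) that parses the string fields of a .lnk file according to the public MS-SHLLINK layout and flags an argument string that the Windows Properties dialog would not display in full. The ZDI write-up the article summarises describes the hiding as whitespace padding of the argument field; the thresholds used here (a run of 32 or more whitespace characters, more whitespace than visible text, or more than 260 characters, the assumed width of the dialog's Target field) are assumptions for this example, not a published rule. `build_lnk` exists only to construct the test fixtures offline and omits the IDList and LinkInfo a real shortcut carries; the non-Unicode code page is assumed to be cp1252.

```python
import struct

# Added example: minimal MS-SHLLINK StringData parser plus a heuristic
# check for argument strings the Windows UI would not show in full.

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Whitespace characters that the Properties dialog collapses or drops
PADDING_CHARS = set(" \t\n\v\f\r")

# Heuristic thresholds: assumptions for this example, tune to your environment
MAX_VISIBLE = 260
PAD_RUN_THRESHOLD = 32


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as {field_name: str}."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE

    # Skip LinkTargetIDList (2-byte size prefix, size excludes the prefix)
    if flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + id_list_size
    # Skip LinkInfo (4-byte size that includes the size field itself)
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]

    unicode = bool(flags & IS_UNICODE)
    fields = {}
    # StringData appears in this fixed order, each as CountCharacters + chars
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} string")
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


def assess_arguments(args: str) -> dict:
    """Flag an argument string that the UI is unlikely to render completely."""
    padding = sum(1 for c in args if c in PADDING_CHARS)
    longest_run = run = 0
    for c in args:
        run = run + 1 if c in PADDING_CHARS else 0
        longest_run = max(longest_run, run)
    visible = len(args) - padding
    reasons = []
    if longest_run >= PAD_RUN_THRESHOLD:
        reasons.append("padding-run")
    if padding > visible and padding > 0:
        reasons.append("mostly-whitespace")
    if len(args) > MAX_VISIBLE:
        reasons.append("too-long")
    return {"suspicious": bool(reasons), "reasons": reasons,
            "length": len(args), "whitespace": padding,
            "longest_whitespace_run": longest_run}


def scan_lnk(data: bytes) -> dict:
    """Parse a .lnk blob and return the verdict on its command-line arguments."""
    args = parse_lnk(data).get("arguments", "")
    verdict = assess_arguments(args)
    verdict["arguments_preview"] = " ".join(args.split())[:80]
    return verdict


def build_lnk(arguments: str, description: str = "constructed fixture") -> bytes:
    """Constructed test fixture only: header + NAME + ARGUMENTS, no IDList/LinkInfo."""
    flags = HAS_NAME | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))
    body = b""
    for s in (description, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    for label, blob in (("benign", build_lnk("/k echo hello")),
                        ("padded", build_lnk("/c" + " " * 300 + "echo padded"))):
        print(label, scan_lnk(blob))
```

To use it on real files, read each `.lnk` as bytes and pass it to `scan_lnk`; a hit should be treated as a triage lead, since legitimate shortcuts with long argument lists exist and the thresholds are assumptions.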

Despite its widespread use in cyberattacks, Microsoft has categorised ZDI-CAN-25373 as a low-severity vulnerability and has no immediate plans to issue a security patch. According to the researchers, this classification leaves a significant number of organisations at risk, particularly as geopolitical tensions drive an increase in cyber operations leveraging zero-day vulnerabilities.
