Unpatched Windows Zero-Day Vulnerability Targeted by 11 State-Sponsored Hacker Groups Since 2017

Unpatched Windows Vulnerability Exploited by State-Sponsored Hackers for Espionage and Cyber Attacks 

A critical security flaw in Microsoft Windows, left unpatched since 2017, has been actively exploited by 11 state-sponsored hacking groups from China, Iran, North Korea, and Russia for cyber espionage, data theft, and financially motivated attacks. 

The zero-day vulnerability, tracked by Trend Micro’s Zero Day Initiative (ZDI) as ZDI-CAN-25373, allows attackers to run malicious commands hidden inside Windows Shortcut (.LNK, Shell Link format) files, so that the command line a victim can inspect is not the one that actually executes. 

According to Trend Micro researchers Peter Girnus and Aliakbar Zahravi, attackers embed the malicious command in the command-line arguments field of a .LNK file and pad that field with whitespace such as Line Feed (\x0A) and Carriage Return (\x0D) characters. The padding pushes the real command beyond what the shortcut’s Properties dialog displays in its Target field, so a user who inspects the file sees only the benign-looking target, while Windows still hands the full argument string to the target program when the shortcut is opened. 

Security experts have so far identified nearly 1,000 malicious .LNK file artifacts exploiting ZDI-CAN-25373. The attacks have been linked to several well-known cybercriminal and state-backed groups, including: 

  • Evil Corp (Water Asena) 
  • Kimsuky (Earth Kumiho) 
  • Konni (Earth Imp) 
  • Bitter (Earth Anansi) 
  • ScarCruft (Earth Manticore) 

Major Targets and Global Threat Impact 

Threat actors exploiting this vulnerability have primarily targeted governments, financial institutions, telecommunications companies, military and defense agencies, think tanks, and private organizations in multiple countries, including the United States, Canada, Russia, South Korea, Vietnam, and Brazil. 

Notably, nearly half of the threat actors abusing this flaw originate from North Korea, indicating possible collaboration among different hacking groups within the country’s cyber apparatus. 

The .LNK files serve as a delivery mechanism for well-known malware families such as Lumma Stealer, GuLoader, and Remcos RAT. One particularly significant campaign involves Evil Corp leveraging ZDI-CAN-25373 to spread Raspberry Robin malware. 

Despite the widespread exploitation, Microsoft has classified the issue as low severity and has no plans to release a fix. Researchers argue that the flaw is a User Interface (UI) Misrepresentation of Critical Information (CWE-451): the Windows UI shows the user something other than the command that will actually run when the shortcut is opened. 

By exploiting ZDI-CAN-25373, attackers keep the malicious command line out of view, so a user inspecting the shortcut has no reliable way to judge whether it is safe to open. 

With Microsoft declining to patch the vulnerability, organizations must rely on compensating controls: inspecting inbound .LNK files for command-line arguments padded with long runs of whitespace, blocking or quarantining shortcut files that arrive by email or download in critical environments, and deploying endpoint detection that watches what the shortcut’s target process actually executes rather than what the shortcut appears to do. 
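The padding technique described above and the .LNK inspection suggested as a mitigation can both be shown with a small Shell Link parser. The following is an added example written for this article; it is not code from Trend Micro, ZDI or Microsoft. It walks the MS-SHLLINK structure (header, optional LinkTargetIDList and LinkInfo, then the StringData fields) to reach COMMAND_LINE_ARGUMENTS, and flags arguments that contain a run of whitespace long enough to push the real command out of a Properties dialog. The whitespace threshold and the two sample shortcuts built at the bottom are assumptions constructed for the demo, not captured artifacts.

```python
"""Parse a Windows Shell Link (.LNK) file per MS-SHLLINK and flag the
whitespace-padded COMMAND_LINE_ARGUMENTS pattern described for ZDI-CAN-25373.

Added example for this article; not code from Trend Micro, ZDI or Microsoft.
The detection threshold and the constructed sample shortcuts are assumptions.
"""
import re
import struct

# ShellLinkHeader constants (MS-SHLLINK 2.1)
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each gated by its flag (MS-SHLLINK 2.4)
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Whitespace that can push the real command out of the visible Target field.
# The article names LF (\x0A) and CR (\x0D); the rest are the other ASCII whitespace characters.
PADDING_CLASS = r"[ \t\n\x0b\x0c\r]"
PADDING = set(" \t\n\x0b\x0c\r")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a .LNK file."""
    if (len(data) < HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    encoding, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("cp1252", 1)
    strings = {}
    for flag, name in STRING_DATA:        # CountCharacters (2 bytes) + that many characters
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            strings[name] = data[pos:pos + count * width].decode(encoding)
            pos += count * width
    return {"flags": flags, "strings": strings}


def longest_padding_run(text: str) -> int:
    """Length of the longest consecutive run of whitespace characters in `text`."""
    longest = run = 0
    for ch in text:
        run = run + 1 if ch in PADDING else 0
        longest = max(longest, run)
    return longest


def scan_lnk(data: bytes, threshold: int = 16) -> dict:
    """Flag a shortcut whose arguments contain a whitespace run of at least `threshold`
    characters (assumed cut-off; ordinary shortcuts use single spaces between arguments).
    `segments` is the argument text with the padding runs removed, i.e. what really runs."""
    args = parse_lnk(data)["strings"].get("arguments", "")
    pad_re = re.compile(PADDING_CLASS + "{%d,}" % threshold)
    return {
        "suspicious": bool(pad_re.search(args)),
        "padding_run": longest_padding_run(args),
        "segments": [s for s in pad_re.split(args) if s],
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .LNK with RELATIVE_PATH and COMMAND_LINE_ARGUMENTS
    (constructed sample for this demo, not a real artifact)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3 = 76 bytes
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    terminal_block = struct.pack("<I", 0)  # empty ExtraData
    return header + string_data(relative_path) + string_data(arguments) + terminal_block


# Constructed samples: a normal shortcut and one padded in the ZDI-CAN-25373 style.
BENIGN_SAMPLE = build_lnk("..\\Windows\\System32\\cmd.exe", "/c dir")
PADDED_SAMPLE = build_lnk("..\\Windows\\System32\\cmd.exe", "\r\n" * 150 + "/c echo hidden")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("padded", PADDED_SAMPLE)):
        print(label, scan_lnk(sample))
```

The Properties dialog would show both samples as shortcuts to cmd.exe; only the parser reveals that the second one carries 300 characters of CR/LF before `/c echo hidden`. In practice the same scan belongs in a mail gateway or an endpoint file-creation hook, and the threshold should be tuned against a corpus of the organisation’s own legitimate shortcuts.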

Cybersecurity Insights covers current news and trends in cybersecurity, recent system and cyber attacks, artificial intelligence (AI), and technology innovation around the world, to keep readers abreast of developments in technology and system security and of how they affect our lives and ecosystem. 