
Mar 18, 2025 | Ravie Lakshmanan | Vulnerability / Windows Security

A newly discovered security vulnerability in Microsoft Windows is being exploited by 11 state-sponsored groups, primarily from China, Iran, North Korea, and Russia, for data theft, espionage, and financially motivated campaigns, with the first reported incidents dating back to 2017.

The vulnerability, identified as ZDI-CAN-25373 by Trend Micro’s Zero Day Initiative (ZDI), is a zero-day flaw that enables attackers to execute malicious commands on a victim’s machine by utilizing specially crafted Windows Shortcut or Shell Link (.LNK) files.

According to security researchers Peter Girnus and Aliakbar Zahravi, “the attacks leverage hidden command line arguments within .LNK files to execute malicious payloads, complicating detection.” In an analysis shared with The Hacker News, they noted that “the exploitation of ZDI-CAN-25373 exposes organizations to significant risks of data theft and cyber espionage.”


The exploitation technique involves padding the arguments with Line Feed (0x0A) and Carriage Return (0x0D) characters so that the real command-line arguments are not displayed, making it challenging for users and security tools to identify the malicious activity.

Researchers have discovered nearly 1,000 .LNK file artifacts exploiting ZDI-CAN-25373, with the majority linked to prominent threat actors such as Evil Corp (Water Asena), Kimsuky (Earth Kumiho), Konni (Earth Imp), Bitter (Earth Anansi), and ScarCruft (Earth Manticore).

Notably, nearly half of the 11 state-sponsored threat actors abusing the flaw originate from North Korea, indicating potential cross-collaboration among the different threat clusters operating within Pyongyang’s cyber apparatus.

Telemetry data reveals that the primary targets of attacks exploiting the vulnerability include governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies located in the United States, Canada, Russia, South Korea, Vietnam, and Brazil.

In the analyzed attacks, the .LNK files served as a delivery vehicle for known malware families like Lumma Stealer, GuLoader, and Remcos RAT, among others. A notable example is the exploitation of ZDI-CAN-25373 by Evil Corp to distribute Raspberry Robin malware.


Despite the severity of the issue, Microsoft has classified the vulnerability as low severity and does not plan to release a fix for it.

According to the researchers, “ZDI-CAN-25373 is an example of User Interface (UI) Misrepresentation of Critical Information (CWE-451),” which means that the Windows UI fails to present critical information to the user.

By exploiting ZDI-CAN-25373, threat actors can prevent end-users from viewing critical information related to evaluating the risk level of a file, making it a significant concern for organizations.
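As an added defender-side example for the padding technique and the UI-misrepresentation point above (not code from the Trend Micro report or this article), the following Python parses a .LNK file's StringData as laid out in MS-SHLLINK and flags a COMMAND_LINE_ARGUMENTS field that contains CR/LF or a long run of whitespace. The `build_fixture` helper, the 32-character threshold and the sample argument string are my own assumptions; the fixture sets no target, so it is a parser test input rather than a usable shortcut.

```python
"""Flag whitespace-padded COMMAND_LINE_ARGUMENTS in Shell Link (.LNK) files, per MS-SHLLINK."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections follow the header (and optional IDList/LinkInfo) in this fixed order, gated by LinkFlags.
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location")]
PADDING = " \t\r\n\x0b\x0c"  # whitespace that pushes the real arguments out of the Properties view


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .LNK blob; raises ValueError if the header is not a Shell Link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) counts the whole LinkInfo structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += width * count
    return fields


def assess_arguments(args: str, max_run: int = 32) -> dict:
    """Score an arguments string: any CR/LF, or a whitespace run of max_run+ chars, is suspicious."""
    longest = run = 0
    for ch in args:
        run = run + 1 if ch in PADDING else 0
        longest = max(longest, run)
    has_crlf = "\r" in args or "\n" in args
    return {"length": len(args), "longest_pad_run": longest, "has_crlf": has_crlf,
            "suspicious": has_crlf or longest >= max_run,
            "effective": " ".join(args.split())}  # padding collapsed so an analyst sees the real arguments


def build_fixture(args: str) -> bytes:
    """Constructed test input only: header with HasArguments|IsUnicode and no target, so not a usable shortcut."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x20 | IS_UNICODE) + bytes(0x4C - 24)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

On real samples, feed the file bytes to `parse_lnk_strings` and pass the `arguments` field to `assess_arguments`; a `has_crlf` hit is worth an alert on its own, since a legitimate shortcut has no reason to carry line breaks in its arguments.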
