Windows shortcut exploit abused as zero-day in widespread APT campaigns


A zero-day vulnerability in Microsoft Windows, currently tracked as ZDI-CAN-25373, has been widely exploited by state-sponsored threat actors across the globe. The exploit, which targets the way Windows processes shortcut files (.lnk), has been used in numerous advanced persistent threat (APT) campaigns since 2017, primarily for cyber espionage and data theft, according to The Trend Zero Day Initiative (ZDI).

ZDI’s threat hunting team identified nearly 1,000 malicious .lnk files that leverage the vulnerability, though the true number of exploitation attempts is likely much higher. The Shell Link (.lnk) files are crafted so that their command-line arguments are hidden from the user, allowing attackers to execute malicious commands on victims' machines without detection.
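The article describes .lnk files whose command-line arguments are hidden from the user, which makes the COMMAND_LINE_ARGUMENTS field the natural place for a defender to look during triage. The script below is an added example written for this page; it is not code from ZDI or from the article. It parses the StringData section of a Shell Link file according to the public MS-SHLLNK layout (76-byte header, optional LinkTargetIDList and LinkInfo, then the five length-prefixed strings) and flags argument strings that are unusually long or contain long runs of whitespace or control characters, which is the padding technique ZDI's own write-up reports for these samples (that detail is background, not on this page). The `MAX_VISIBLE_ARGS` threshold, the `HIDDEN_RUN` pattern, the `build_lnk` helper and both sample files are constructed for the example.

```python
import re
import struct

# MS-SHLLNK ShellLinkHeader constants (section 2.1 of the public spec)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLNK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each only if its flag is set
STRING_DATA_ORDER = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]

# Triage thresholds: placeholder values chosen for this example, tune for your environment
MAX_VISIBLE_ARGS = 260
HIDDEN_RUN = re.compile(r"[\s\x00-\x1f]{16,}")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location) of a .lnk."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a Shell Link file")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return fields


def triage_lnk(data: bytes) -> dict:
    """Flag a .lnk whose arguments are too long or padded to stay out of the Properties dialog."""
    args = parse_lnk_strings(data).get("arguments", "")
    findings = []
    if len(args) > MAX_VISIBLE_ARGS:
        findings.append(f"arguments length {len(args)} exceeds {MAX_VISIBLE_ARGS}")
    m = HIDDEN_RUN.search(args)
    if m:
        findings.append(f"run of {len(m.group())} whitespace/control characters at offset {m.start()}")
    return {"arguments": args.strip(), "suspicious": bool(findings), "findings": findings}


def build_lnk(arguments: str, relative_path: str = "cmd.exe") -> bytes:
    """Build a minimal Shell Link with only StringData; constructed test input, not a real sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # zero the remaining header fields

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: a benign shortcut and one whose real arguments sit behind 400 spaces
BENIGN_LNK = build_lnk("/k echo hello")
PADDED_LNK = build_lnk(" " * 400 + "/c <placeholder-command>")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        result = triage_lnk(sample)
        print(f"{label}: suspicious={result['suspicious']} findings={result['findings']}")
```

Run it over a directory of .lnk files collected from mail gateways or user profiles by replacing the constructed samples with `open(path, "rb").read()`; the parser deliberately reads only the header and StringData, so it tolerates files with malformed ExtraData blocks, and the two checks are independent so either a very long string or a padding run alone is enough to surface the file for review.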

Despite ZDI submitting a proof-of-concept exploit to Microsoft through its bug bounty program, the company declined to release a security patch.

ZDI’s analysis reveals that 11 state-sponsored APT groups from North Korea, Iran, Russia, and China have exploited this vulnerability for cyber espionage. The threat actors have targeted a wide range of sectors, including government, financial institutions, telecommunications, military, and energy, in regions spanning North America, Europe, Asia, South America, and Australia.

Among the most prolific groups exploiting ZDI-CAN-25373 are North Korean state-sponsored threat actors, including groups like Lazarus (also known as APT38), which have targeted various sectors for intelligence gathering and financial gain. The majority of these exploitation campaigns are motivated by espionage (nearly 70%), while over 20% are driven by financial incentives.

Interestingly, the report highlights a trend within North Korea's cyber landscape: nearly half of the state-sponsored APT groups observed leveraging this exploit are North Korean. These actors have been observed collaborating and sharing techniques and tools.

The exploitation of ZDI-CAN-25373 has impacted several sectors, including private companies, government entities, think tanks, NGOs, telecommunications, and critical infrastructure such as the energy sector. The scale of the campaigns is global, with significant numbers of attacks observed in North America, particularly in the United States and Canada, but also affecting Europe, Asia, South America, Africa, and Australia.
