A zero-day vulnerability in Microsoft Windows, currently tracked as ZDI-CAN-25373, has been widely exploited by state-sponsored threat actors across the globe. The exploit, which targets the way Windows processes shortcut files (.lnk), has been used in numerous advanced persistent threat (APT) campaigns since 2017, primarily for cyber espionage and data theft, according to Trend Micro's Zero Day Initiative (ZDI).
ZDI’s threat hunting team discovered nearly 1,000 malicious .lnk files leveraging the vulnerability, though the total number of exploitation attempts is likely much higher. The Shell Link (.lnk) files are crafted with hidden command-line arguments that allow attackers to execute malicious commands on victims' machines without detection.
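To make "hidden command-line arguments" concrete from a defender's side, here is an added example (not code from ZDI's report) that parses the Shell Link format directly instead of trusting the shortcut's properties view: it walks the MS-SHLLINK structures to extract COMMAND_LINE_ARGUMENTS and flags padding, control characters or excessive length. The heuristic thresholds and the constructed sample file are assumptions; optional ExtraData blocks follow StringData and are ignored because they do not affect argument extraction.

```python
import struct

# ShellLinkHeader LinkFlags bits (MS-SHLLINK 2.1.1) and the fixed LinkCLSID
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20)  # HasName, HasRelativePath, HasWorkingDir, HasArguments
HAS_ARGUMENTS = 0x20
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

def extract_lnk_arguments(data):
    """Walk the Shell Link structures and return COMMAND_LINE_ARGUMENTS, or None if absent."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # end of the fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:  # LinkTargetIDList: 2-byte IDListSize followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: its first DWORD is the total structure size
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    args = None
    # StringData: fixed order, each CountCharacters (2 bytes) + chars, no terminator
    for bit in STRING_FLAGS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2: pos + 2 + count * width]
        pos += 2 + count * width
        if bit == HAS_ARGUMENTS:
            args = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return args

def argument_findings(args):
    """Heuristics (assumed, not from the report) for arguments the shortcut UI would not make obvious."""
    args = args or ""
    core = args.strip()
    findings = []
    if len(args) - len(core) > 16:
        findings.append("heavy whitespace padding around the arguments")
    if any(ord(c) < 0x20 for c in core):
        findings.append("control characters inside the arguments")
    if len(args) > 260:
        findings.append("arguments longer than a typical command line")
    return findings

def build_sample_lnk(arguments):
    """Constructed minimal .lnk carrying only COMMAND_LINE_ARGUMENTS (test input, not a real sample)."""
    header = struct.pack("<I", 76) + LNK_CLSID + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE) + bytes(52)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Running `argument_findings(extract_lnk_arguments(open(path, "rb").read()))` over a quarantined shortcut lists the reasons it deserves a closer look; an empty list means the arguments are short and printable, not that the file is safe.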
Despite ZDI's submission of a proof-of-concept exploit via its bug bounty program to Microsoft, the company declined to release a security patch.
ZDI’s analysis reveals that 11 state-sponsored APT groups from North Korea, Iran, Russia, and China have exploited this vulnerability for cyber espionage. The threat actors have targeted a wide range of sectors, including government, financial institutions, telecommunications, military, and energy, in regions spanning North America, Europe, Asia, South America, and Australia.
Among the most prolific groups exploiting ZDI-CAN-25373 are North Korean state-sponsored threat actors, including groups like Lazarus (also known as APT38), which have targeted various sectors for intelligence gathering and financial gain. The majority of these exploitation campaigns are motivated by espionage (nearly 70%), while over 20% are driven by financial incentives.
Interestingly, the report highlights a trend within North Korea's cyber landscape, with nearly half of the state-sponsored APT groups leveraging this exploit. The actors have been observed collaborating and sharing techniques and tools.
The exploitation of ZDI-CAN-25373 has impacted several sectors, including private companies, government entities, think tanks, NGOs, telecommunications, and critical infrastructure such as the energy sector. The scale of the campaigns is global, with significant numbers of attacks observed in North America, particularly in the United States and Canada, but also affecting Europe, Asia, South America, Africa, and Australia.