Unpatched Windows Zero-Day Flaw Exploited by 11 State-Sponsored Threat Groups Since 2017

Summary:
A critical, unpatched security flaw in Microsoft Windows, identified as ZDI-CAN-25373, has been actively exploited by 11 state-sponsored threat groups from China, Iran, North Korea, and Russia since 2017. The vulnerability enables attackers to execute hidden malicious commands through crafted .LNK files, facilitating cyber espionage, data theft, and financially motivated attacks. According to security researchers from Trend Micro’s Zero Day Initiative, adversaries use concealed command line arguments within .LNK files, making detection significantly more challenging. The flaw is exploited by padding arguments with whitespace characters such as spaces, horizontal tabs, line feeds, vertical tabs, form feeds, and carriage returns, further obfuscating malicious activity.
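As an added example (not code from the advisory or from Trend Micro), the following Python checker walks the Shell Link (.LNK) header and StringData fields and flags a COMMAND_LINE_ARGUMENTS value that is padded with the whitespace characters listed above, which is what a triage script or mail-gateway hook would look for. The 32-character run threshold and the two in-memory sample shortcuts are assumptions constructed for the demonstration.

```python
import re
import struct

# LinkFlags bits and StringData order from the MS-SHLLINK specification.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FIELDS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
HEADER_SIZE = 0x4C
PADDING_RUN = re.compile(r"[ \t\n\x0b\x0c\r]+")  # space, HT, LF, VT, FF, CR: the padding named in the advisory
SUSPICIOUS_RUN = 32  # assumed threshold: genuine shortcuts rarely carry many consecutive whitespace characters

def _read_string(data, pos, unicode):
    # One StringData field: a uint16 character count followed by the characters (UTF-16LE or ANSI).
    (count,) = struct.unpack_from("<H", data, pos)
    width = 2 if unicode else 1
    raw = data[pos + 2:pos + 2 + count * width]
    return raw.decode("utf-16-le" if unicode else "latin-1"), pos + 2 + count * width

def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a Shell Link file, or None if absent."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (uint16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (uint32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag in STRING_FIELDS:
        if flags & flag:
            text, pos = _read_string(data, pos, flags & IS_UNICODE)
            if flag == HAS_ARGUMENTS:
                return text
    return None

def longest_padding_run(text):
    return max((len(m) for m in PADDING_RUN.findall(text)), default=0)

def is_padded_lnk(data):
    """Flag a shortcut whose arguments hide behind whitespace padding or contain control characters."""
    args = lnk_arguments(data) or ""
    return longest_padding_run(args) >= SUSPICIOUS_RUN or any(ch in args for ch in "\n\x0b\x0c\r")

def build_lnk(args):
    """Constructed fixture: a minimal Unicode Shell Link carrying only COMMAND_LINE_ARGUMENTS."""
    header = struct.pack("<I16sI", HEADER_SIZE, bytes(16), HAS_ARGUMENTS | IS_UNICODE)
    return header + bytes(HEADER_SIZE - 24) + struct.pack("<H", len(args)) + args.encode("utf-16-le")

# Constructed samples, not real artifacts from the campaign.
PADDED_SAMPLE = build_lnk(" " * 400 + "\r\n\t/c hidden_placeholder_command")
BENIGN_SAMPLE = build_lnk("/c echo hello")
```

Real shortcuts usually also carry an IDList and LinkInfo block, which the parser skips by their declared sizes before reading the strings, so the same function works on files read from disk with `open(path, "rb").read()`.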

To date, nearly 1,000 malicious .LNK artifacts leveraging this vulnerability have been discovered, with most samples linked to prominent cybercriminal and espionage groups, including Evil Corp (Water Asena), Kimsuky (Earth Kumiho), Konni (Earth Imp), Bitter (Earth Anansi), and ScarCruft (Earth Manticore). Notably, almost half of the threat actors exploiting this flaw originate from North Korea, suggesting possible cross-collaboration among different cyber units within Pyongyang’s cyber operations.

Organizations across multiple sectors—including government agencies, financial institutions, think tanks, telecommunications providers, and military/defense agencies—have been targeted in the U.S., Canada, Russia, South Korea, Vietnam, and Brazil. Attackers use the .LNK exploit as a delivery mechanism for known malware families such as Lumma Stealer, GuLoader, and Remcos RAT, with Evil Corp notably using it to distribute the Raspberry Robin malware.

Security Officer Comments:
Despite the severity of these attacks, Microsoft has classified ZDI-CAN-25373 as a low-severity issue and does not plan to release an immediate fix, arguing that the attack method has limited practical use. However, Microsoft Defender has detections in place, and Smart App Control provides additional protection by blocking malicious files downloaded from the internet. Furthermore, Microsoft products such as Outlook, Word, Excel, PowerPoint, and OneNote already block .LNK files by default, triggering security warnings when users attempt to open them.

Suggested Corrections:
Microsoft acknowledged the findings in a statement, appreciating ZDI’s coordinated vulnerability disclosure and emphasizing existing protections. The company reiterated that while the Windows UI fails to display critical command execution details, the issue does not meet the threshold for an immediate patch under its severity classification guidelines. Microsoft hinted that the vulnerability might be addressed in a future update but advised users to follow best security practices, such as avoiding files from unknown sources and leveraging built-in security measures like Microsoft Defender’s content scanning.

IOCs:
https://www.trendmicro.com/content/...despread-apt-campaigns/IOCs_ZDI-CAN-25373.txt

Link(s):
https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html

https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html