Flaw in Windows Shortcut Exploited by Multiple Threat Groups

Govind Kumar

Co-founder/CPO

March 21, 2025 3 min read

Attackers are using Windows shortcut (.lnk) files to deceive users into executing malicious code on their systems. Researchers from Trend Micro's Zero Day Initiative (ZDI) have reported that at least 11 threat actors globally have been exploiting this vulnerability, designated ZDI-CAN-25373, to execute harmful payloads on target machines. The vulnerability allows an attacker to manipulate the metadata within a .lnk file to hide malicious code, making the file appear harmless to users. Consequently, unsuspecting users may inadvertently infect their systems with malware.

Windows Shortcut Vulnerability (image courtesy of SC Media)

The ZDI team found that 70% of the observed attacks were espionage attempts aimed at gathering intelligence, while 20% targeted financial records and account credentials. North Korea's Evil Corp group was responsible for approximately 45% of these attacks. Other state-sponsored groups from China, Russia, and Iran have also been implicated. As the ZDI team noted, "a significant majority of North Korea's intrusion sets have targeted ZDI-CAN-25373." Microsoft has been notified of the vulnerability but has not classified it as a CVE-eligible issue and has declined to release a security patch. It has stated that "Microsoft Defender has detections in place to detect and block this threat activity," and that users should exercise caution when downloading files from unknown sources. For further information, visit Trend Micro and SC Media.

Technical Details of ZDI-CAN-25373

The exploit leverages how Windows processes shortcut files. Attackers craft malicious .lnk files that execute hidden commands without the user's knowledge. This is achieved by manipulating the COMMAND_LINE_ARGUMENTS structure, inserting additional command-line content that the standard Windows interface does not display. The malware payloads observed with this vulnerability include Malware-as-a-Service (MaaS) offerings and commodity malware. Groups like Evil Corp have incorporated ZDI-CAN-25373 into their attack chains, demonstrating its versatility in executing malicious operations. Organizations in various sectors, including government, finance, telecommunications, and military, are at risk. Security teams should treat unsolicited .lnk files as suspicious, inspect the command-line arguments actually embedded in the file rather than relying on what the shortcut's Properties dialog shows, and investigate any signs of compromise. For more technical insights, refer to Infosecurity Magazine and Cybersecurity Dive.
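Because the concealment lives inside the COMMAND_LINE_ARGUMENTS entry of the .lnk StringData, a defender can read that entry directly from the file bytes instead of trusting the shortcut's Properties dialog. The following Python script is an added example written for this article; it is not code from the article, from Trend Micro's report or from Microsoft. It walks the ShellLinkHeader and StringData layout from the public MS-SHLLINK specification, extracts the arguments, and applies a simple heuristic: a long run of whitespace, or any control character, in the arguments is flagged as suspicious. The run-length threshold of 16, the cp1252 fallback for non-Unicode strings, and the `build_fixture_lnk` helper (which produces a non-functional shortcut stub purely so the parser can be exercised offline) are assumptions of this example, as is the constructed sample input.

```python
import struct

# ShellLinkHeader constants (MS-SHLLINK section 2.1)
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each present only if its flag is set
STRING_DATA = (
    (HAS_NAME, "NAME_STRING"),
    (HAS_RELATIVE_PATH, "RELATIVE_PATH"),
    (HAS_WORKING_DIR, "WORKING_DIR"),
    (HAS_ARGUMENTS, "COMMAND_LINE_ARGUMENTS"),
    (HAS_ICON_LOCATION, "ICON_LOCATION"),
)

# Characters that render as blank space in the shortcut Properties dialog
WHITESPACE = " \t\r\n\x0b\x0c"


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as a {name: text} dict."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink file")

    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes its own 4 bytes
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size

    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters; no terminator follows
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name}")
        pos += nbytes
        # Non-Unicode strings use the system code page; cp1252 is an assumption of this example
        strings[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return strings


def analyze_arguments(args: str, run_threshold: int = 16) -> dict:
    """Heuristic check of COMMAND_LINE_ARGUMENTS for whitespace-padding concealment.

    run_threshold (an assumed value) is the longest whitespace run a legitimate
    shortcut is expected to contain; anything longer, or any control character, is flagged.
    """
    longest = run = 0
    for ch in args:
        run = run + 1 if ch in WHITESPACE else 0
        longest = max(longest, run)
    non_printable = sum(1 for ch in args if ord(ch) < 0x20 or ord(ch) == 0x7F)
    return {
        "length": len(args),
        "longest_whitespace_run": longest,
        "non_printable": non_printable,
        "effective_arguments": " ".join(args.split()),   # what reaches the target once padding is dropped
        "suspicious": longest >= run_threshold or non_printable > 0,
    }


def scan_lnk(data: bytes, run_threshold: int = 16) -> dict:
    """Parse a .lnk and analyze its command-line arguments (empty string if none)."""
    strings = parse_lnk_strings(data)
    return analyze_arguments(strings.get("COMMAND_LINE_ARGUMENTS", ""), run_threshold)


def build_fixture_lnk(arguments: str) -> bytes:
    """Constructed parser fixture: a header plus COMMAND_LINE_ARGUMENTS and nothing else.

    With no target IDList, LinkInfo or path it is not a working shortcut; it only exercises the parser.
    """
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


if __name__ == "__main__":
    samples = (("ordinary", "/c echo hello"),
               ("padded", "\t\r\n" * 40 + "/c echo hidden"))   # constructed input, benign command
    for label, text in samples:
        print(label, scan_lnk(build_fixture_lnk(text)))
```

For real files, pass the bytes of a collected .lnk to `scan_lnk` and review `effective_arguments` alongside the `suspicious` flag; the parser skips the LinkTargetIDList and LinkInfo blocks using their own size fields, so it works on normal shortcuts as well as the stub fixture.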

Global Impact and Microsoft’s Response

The exploitation of ZDI-CAN-25373 has had a worldwide impact, affecting organizations in North America, Europe, Asia, South America, Africa, and Australia. Despite the significant risk, Microsoft has classified the issue as low severity and has not prioritized a patch. Its stance has raised concerns, as security experts argue that unaddressed vulnerabilities leave organizations exposed to substantial risk. Microsoft has advised that its Defender product can detect and block attacks leveraging this flaw, while encouraging users to be cautious about opening .lnk files downloaded from the internet. It continues to monitor the situation and is considering future releases that address the issue. For further details on Microsoft's response, check The Hacker News and Recorded Future News.

Emerging Trends and Cybersecurity Marketing

As the landscape of cybersecurity threats evolves, organizations must stay informed about emerging trends and vulnerabilities. GrackerAI, an AI-powered cybersecurity marketing platform, can help organizations transform security news into strategic content opportunities. By automating insight generation from industry developments, GrackerAI allows marketing teams to identify threats and produce technically relevant content that resonates with cybersecurity professionals. For organizations seeking to enhance their cybersecurity marketing efforts and monitor threats effectively, exploring GrackerAI’s offerings is essential. Visit GrackerAI to discover how we can support your cybersecurity marketing needs.


Govind Kumar is a product and technology leader with hands-on experience in identity platforms, secure system design, and enterprise-grade software architecture. His background spans CIAM technologies and modern authentication protocols. At Gracker, he focuses on building AI-driven systems that help technical and security-focused teams work more efficiently, with an emphasis on clarity, correctness, and long-term system reliability.
