Unpatched Windows Zero-Day Flaw Exploited by 11 State-Sponsored Threat Groups, Including Chinese, Russian, and North Korean Hackers

Diksha Poonia
Marketing Analyst
March 20, 2025 3 min read

Flaw in Windows Shortcut Exploited by Multiple Threat Groups

Attackers are utilizing Windows shortcut (.lnk) files to deceive users into executing malicious code on their systems. Researchers from Trend Micro's Zero Day Initiative (ZDI) have reported that at least 11 threat actors globally have been exploiting this vulnerability, designated as ZDI-CAN-25373, to execute harmful payloads on target machines. The vulnerability allows an attacker to manipulate the metadata within a .lnk file to hide malicious code, making it appear harmless to users. Consequently, unsuspecting users may inadvertently infect their systems with malware.

[Image: Windows Shortcut Vulnerability. Image courtesy of SC Media]

The ZDI team discovered that 70% of the observed attacks were espionage attempts aimed at gathering intelligence, while 20% targeted financial records and account credentials. North Korea's Evil Corp group was responsible for approximately 45% of these attacks. Other state-sponsored groups from China, Russia, and Iran have also been implicated. As noted by the ZDI team, "a significant majority of North Korea's intrusion sets have targeted ZDI-CAN-25373."

Microsoft has been notified about the vulnerability, but it has not classified it as a CVE-eligible issue and has declined to release a security patch. They have stated that "Microsoft Defender has detections in place to detect and block this threat activity," and users should exercise caution when downloading files from unknown sources.

For further information, visit Trend Micro and SC Media.

Technical Details of ZDI-CAN-25373

The exploit leverages how Windows processes shortcut files. Attackers create malicious .lnk files that can execute hidden commands without the user's knowledge. This is achieved by manipulating the COMMAND_LINE_ARGUMENTS structure, allowing the insertion of additional code that remains undetectable via the standard Windows interface.

The threat landscape for this vulnerability includes various malware payloads, such as Malware-as-a-Service (MaaS) and commodity malware. Groups like Evil Corp have incorporated ZDI-CAN-25373 into their attack chains, demonstrating its versatility in executing malicious operations.

Organizations in various sectors, including government, finance, telecommunications, and military, are at risk. It is critical for security teams to be vigilant against suspicious .lnk files and investigate any signs of compromise.
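The article names the COMMAND_LINE_ARGUMENTS field as the place where the hidden command line lives and asks security teams to look for suspicious .lnk files. The following is an added triage example, not code from the article, from Trend Micro's ZDI, or from Microsoft: it parses the StringData section of a Shell Link file using the field offsets and LinkFlags bit values from the public MS-SHLLINK specification (the constant names are my own), extracts COMMAND_LINE_ARGUMENTS, and flags argument strings that are far longer than a normal shortcut needs, are dominated by whitespace, or contain control characters, since those are the properties that keep the real command out of view in the standard Properties dialog. The thresholds (MAX_ARGS_LEN, MAX_WHITESPACE_RATIO) are assumptions for illustration, the three sample files are constructed in the block itself with a minimal builder, and none of this reproduces the detection logic Microsoft Defender uses.

```python
import struct

# Offsets, sizes and LinkFlags bit values from the public Shell Link binary
# format (MS-SHLLINK). The constant names are assumptions for readability.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed triage thresholds: ordinary shortcuts carry short argument strings,
# so anything longer than MAX_ARGS_LEN, mostly whitespace, or containing
# control characters deserves a closer look.
MAX_ARGS_LEN = 260
MAX_WHITESPACE_RATIO = 0.5


def parse_string_data(data: bytes) -> dict:
    """Return the StringData fields (name, working_dir, arguments, ...) of a .lnk."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) followed by IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts its own 4 bytes
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, not bytes
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


def assess_lnk(data: bytes) -> list:
    """Heuristic findings about COMMAND_LINE_ARGUMENTS; an empty list means nothing odd."""
    args = parse_string_data(data).get("arguments", "")
    findings = []
    if len(args) > MAX_ARGS_LEN:
        findings.append(f"arguments are {len(args)} characters long (limit {MAX_ARGS_LEN})")
    if args and sum(c.isspace() for c in args) / len(args) > MAX_WHITESPACE_RATIO:
        findings.append("arguments are mostly whitespace")
    controls = [c for c in args if ord(c) < 0x20 or ord(c) == 0x7F]
    if controls:
        findings.append(f"arguments contain {len(controls)} control character(s)")
    return findings


def build_lnk(arguments: str, name: str = "") -> bytes:
    """Build a minimal Unicode .lnk carrying only StringData (constructed sample, no target list)."""
    flags = HAS_ARGUMENTS | IS_UNICODE | (HAS_NAME if name else 0)
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, flags)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = (string_data(name) if name else b"") + string_data(arguments)
    return bytes(header) + body


# Constructed samples: a plain shortcut and two whose argument strings a
# Properties dialog would not show in full.
BENIGN = build_lnk("/c echo hello", name="Notes")
PADDED = build_lnk("/c echo hello" + " " * 400 + "-more", name="Notes")
CONTROL = build_lnk("/c start\n\n\nsomething")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("padded", PADDED), ("control", CONTROL)):
        print(label, assess_lnk(sample) or "no findings")
```

Run against a directory of shortcuts collected from mail attachments or download folders, the findings list is a cheap first filter; anything flagged should then be examined with a full .lnk parser and the argument string read in a hex viewer rather than through the Properties dialog the article says hides it.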

For more technical insights, refer to Infosecurity Magazine and Cybersecurity Dive.

Global Impact and Microsoft’s Response

The exploitation of ZDI-CAN-25373 has had a worldwide impact, affecting organizations in North America, Europe, Asia, South America, Africa, and Australia. Despite the significant risk, Microsoft has classified the issue as low severity and has not prioritized a patch. Their stance has raised concerns, as security experts argue that unaddressed vulnerabilities can leave organizations exposed to substantial risks.

Microsoft has advised that their Defender product can detect and block attacks leveraging this flaw while encouraging users to be cautious about opening .lnk files downloaded from the internet. They continue to monitor the situation and consider potential future releases addressing this issue.

For further details on Microsoft's response, check The Hacker News and Recorded Future News.

Emerging Trends and Cybersecurity Marketing

As the landscape of cybersecurity threats evolves, organizations must stay informed about emerging trends and vulnerabilities. GrackerAI, an AI-powered cybersecurity marketing platform, can help organizations transform security news into strategic content opportunities. By automating insight generation from industry developments, GrackerAI allows marketing teams to identify threats and produce technically relevant content that resonates with cybersecurity professionals.

For organizations seeking to enhance their cybersecurity marketing efforts and monitor threats effectively, exploring GrackerAI’s offerings is essential. Visit GrackerAI to discover how we can support your cybersecurity marketing needs.
