Windows Zero-Day Exploited by State Hackers Since 2017, Microsoft Yet to Patch

At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been using a newly discovered Windows vulnerability (ZDI-CAN-25373) for data theft and cyber espionage since 2017.

Security researchers from Trend Micro's Zero Day Initiative (ZDI) identified nearly 1,000 malicious Shell Link (.lnk) samples exploiting this flaw, but Microsoft declined to release a security patch, stating it "does not meet the bar for servicing."

The vulnerability lets attackers execute arbitrary code by abusing how Windows displays shortcut (.lnk) files: the malicious command-line arguments are padded with whitespace so that they are hidden from the user when Windows shows the file's details.

Threat actors, including APT43, Mustang Panda, and Evil Corp, have used this exploit in widespread attacks across North America, South America, Europe, East Asia, and Australia, mainly for espionage and data theft.

Malware such as Ursnif, Gh0st RAT, and Trickbot has been deployed through these campaigns, often leveraging malware-as-a-service (MaaS) platforms to increase the threat's reach.

A similar flaw, CVE-2024-43461, which concealed HTA files using encoded braille whitespace characters, was patched by Microsoft in September 2024 after being exploited by the Void Banshee APT group.
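The two display tricks described above (whitespace-padded arguments in ZDI-CAN-25373 and braille blank characters in CVE-2024-43461) can be checked for at the file level. The following Python is an added example, not code from the article, from ZDI or from Microsoft: it parses the StringData section of the public MS-SHLLINK format, extracts COMMAND_LINE_ARGUMENTS and flags shortcuts whose arguments contain an unusually long run of whitespace. The 32-character threshold and the `build_lnk` fixture are assumptions made for the example.

```python
import re
import struct

HEADER_SIZE = 0x4C                      # MS-SHLLINK ShellLinkHeader is always 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)   # HasName, HasRelativePath, HasWorkingDir, HasArguments, HasIconLocation
STRING_NAMES = ("name", "relative_path", "working_dir", "arguments", "icon_location")
PAD_RUN = re.compile(r"[\s\u2800]+")    # Unicode whitespace plus U+2800 (braille blank, as in CVE-2024-43461)

def parse_lnk_strings(data: bytes) -> dict:
    """Return the five StringData fields of a .lnk file (None where a field is absent)."""
    if len(data) < HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:             # skip LinkTargetIDList: u16 IDListSize + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:           # skip LinkInfo: its first u32 is the whole structure size
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, flag in zip(STRING_NAMES, STRING_FLAGS):
        if not flags & flag:
            fields[name] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters; no terminator follows
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return fields

def longest_padding_run(args: str) -> int:
    """Length of the longest whitespace/braille-blank run in an argument string (0 if none)."""
    return max((len(m) for m in PAD_RUN.findall(args)), default=0)

def is_suspicious_lnk(data: bytes, threshold: int = 32) -> bool:
    """Flag a shortcut whose arguments carry a padding run long enough to push the real
    command out of view; the threshold is an assumed tuning value, not a published one."""
    args = parse_lnk_strings(data)["arguments"] or ""
    return longest_padding_run(args) >= threshold

def build_lnk(arguments: str, unicode: bool = True) -> bytes:
    """Constructed test fixture: a minimal .lnk carrying only COMMAND_LINE_ARGUMENTS."""
    flags = 0x20 | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))   # remaining header fields left zeroed
    body = arguments.encode("utf-16-le" if unicode else "latin-1")
    return header + struct.pack("<H", len(arguments)) + body
```

Run `is_suspicious_lnk(open(path, "rb").read())` over a directory of .lnk files to triage them; shortcuts with legitimately long arguments will still need a manual look.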

Microsoft has acknowledged the latest vulnerability but has not assigned it a CVE-ID or committed to an immediate fix, stating that it may address it in a future release.

For now, Microsoft Defender has detections in place, and users are advised to be cautious when downloading files from untrusted sources to mitigate the risk.
