
Update for Houston Businesses: Windows Zero-Day Exploit Being Used by State-Sponsored Hackers Since 2017
Shortcut to Compromise: Defending Against the ZDI-CAN-25373 Zero-Day Threat
A critical Windows vulnerability that has been exploited by state-sponsored hacking groups for years was recently disclosed by security researchers. This zero-day vulnerability, tracked as ZDI-CAN-25373, has been used in widespread attacks targeting organizations across multiple sectors globally. Let’s examine what this vulnerability is, who’s exploiting it, and how your organization can protect itself.
The Vulnerability: Hidden Command Execution in Windows Shortcuts
ZDI-CAN-25373 is a vulnerability in how Microsoft Windows displays the contents of shortcut (.LNK) files. This security flaw allows attackers to hide malicious command-line arguments within Windows shortcuts, making them invisible to users who inspect the file through the Windows user interface.
Trend Micro’s Zero Day Initiative (ZDI) researchers Peter Girnus and Aliakbar Zahravi uncovered and reported the vulnerability to Microsoft in September 2024. According to their research, the vulnerability has been exploited in the wild since at least 2017.
The flaw is categorized as a “User Interface (UI) Misrepresentation of Critical Information” weakness (CWE-451), which means that the Windows UI fails to display critical security information to the user, potentially allowing malicious content to go undetected.
How the Exploit Works
The exploitation technique involves crafting Windows shortcut (.LNK) files with specially padded whitespace characters within the COMMAND_LINE_ARGUMENTS structure. Attackers insert whitespace characters such as:
- Space (\x20)
- Horizontal Tab (\x09)
- Line Feed (\x0A)
- Vertical Tab (\x0B)
- Form Feed (\x0C)
- Carriage Return (\x0D)
When a user inspects a malicious .LNK file, the Windows properties dialog cannot display the padded, hidden command-line arguments. This means that even a cautious user who checks the file's properties before clicking won't see the dangerous commands that will execute.
Some North Korean threat actors have been observed using extremely large .LNK files (up to 70MB) with substantial amounts of whitespace and junk content to further evade detection.
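The padding technique described above can be checked for directly in the .LNK file, because the COMMAND_LINE_ARGUMENTS string sits in the file's StringData section regardless of what the properties dialog shows. The following added example (written for this article, not ZDI's tooling or YARA rules) parses a shortcut according to the public MS-SHLLINK layout, extracts the arguments, and flags a long run of the six whitespace characters listed above or any control-character padding; the `build_lnk` helper, `pad_threshold` value and the sample argument strings are constructed for illustration.

```python
import re
import struct

# Structure constants from the MS-SHLLINK specification (constructed parser, not ZDI's tooling)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH), ("working_dir", HAS_WORK_DIR),
               ("arguments", HAS_ARGS), ("icon_location", HAS_ICON))  # fixed order per the spec
PAD_RUN = re.compile(r"[ \t\n\x0b\x0c\r]{2,}")  # runs of the six whitespace characters listed above

def build_lnk(args: str) -> bytes:
    """Constructed minimal Unicode .LNK: 76-byte ShellLinkHeader + COMMAND_LINE_ARGUMENTS only."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_ARGS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

def parse_lnk(data: bytes) -> dict:
    """Walk ShellLinkHeader, LinkTargetIDList, LinkInfo and StringData; return the StringData fields."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.LNK) file")
    pos = 0x4C
    if flags & HAS_ID_LIST:    # u16 IDListSize followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # u32 LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings, width = {}, (2 if flags & IS_UNICODE else 1)
    for name, bit in STRING_DATA:
        if flags & bit:        # u16 CountCharacters, then the unterminated string
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return strings

def assess_lnk(data: bytes, pad_threshold: int = 64) -> dict:
    """Flag COMMAND_LINE_ARGUMENTS padded as described above: a long whitespace run, or any
    tab/LF/VT/FF/CR at all, which a legitimate shortcut has no reason to carry."""
    args = parse_lnk(data).get("arguments", "")
    runs = list(PAD_RUN.finditer(args))
    longest = max((len(m.group(0)) for m in runs), default=0)
    control = sum(args.count(c) for c in "\t\n\x0b\x0c\r")
    first_long = next((m for m in runs if len(m.group(0)) >= pad_threshold), None)
    return {"longest_pad_run": longest, "control_chars": control,
            "hidden_tail": args[first_long.end():] if first_long else "",
            "suspicious": longest >= pad_threshold or control > 0}
```

Pointing `assess_lnk` at the bytes of a real shortcut (for example from a mail quarantine or a user's Downloads folder) reports the padded portion a reviewer would otherwise never see in the dialog.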
Who Is Exploiting This Vulnerability?
According to ZDI’s research, at least 11 state-sponsored hacking groups from North Korea, Iran, Russia, and China have been actively exploiting this vulnerability in cyber espionage campaigns. Notable groups include:
- Evil Corp (Water Asena)
- APT43 (Kimsuky/Earth Kumiho)
- Bitter (Earth Anansi)
- APT37 (ScarCruft/Earth Manticore)
- Mustang Panda
- SideWinder
- RedHotel
- Konni (Earth Imp)
Nearly half of the state-sponsored groups exploiting this vulnerability originate from North Korea, suggesting cross-collaboration and tool sharing among different threat actors within North Korea’s cyber program.
ZDI researchers discovered nearly 1,000 malicious .LNK samples exploiting this vulnerability, but the actual number of exploitation attempts is likely much higher. Their analysis revealed that approximately 70% of the campaigns were focused on espionage and information theft, while 20% were aimed at financial gain.
Primary Targets
The attacks have targeted organizations worldwide, with a focus on North America, South America, Europe, East Asia, and Australia. The United States has been the most heavily targeted country with more than 300 identified victims.
Sectors at high risk include:
- Government agencies
- Private companies
- Financial institutions (including cryptocurrency firms)
- Think tanks and NGOs
- Telecommunications providers
- Military and defense organizations
- Energy sector
Microsoft’s Response
When ZDI researchers submitted a proof-of-concept exploit to Microsoft through their bug bounty program, Microsoft classified the issue as “low severity” and declined to address it with an immediate security patch.
In a statement on March 18, 2025, Microsoft acknowledged the report but indicated that the vulnerability “does not meet the bar for immediate servicing under our severity classification guidelines.” However, they mentioned they would “consider addressing it in a future feature release.”
Microsoft Defender Protection
Despite not issuing a patch, Microsoft has stated that protective measures are in place:
“Microsoft Defender has detections in place to detect and block this threat activity, and the Smart App Control provides an extra layer of protection by blocking malicious files from the Internet.”
Microsoft also pointed out that:
- Windows identifies shortcut files as potentially dangerous
- Opening a .LNK file downloaded from the Internet automatically triggers a security warning
- Microsoft Defender’s content scanning can recognize and identify malicious files using this technique
The company encouraged customers to “exercise caution when downloading files from unknown sources as indicated in security warnings.”
How to Protect Your Organization
Since Microsoft isn’t planning an immediate patch, organizations should implement these protective measures:
- Deploy comprehensive endpoint protection with capabilities to detect malicious .LNK files
- Implement email security filters to block .LNK file attachments
- Configure Windows Defender or other security solutions to scan and block suspicious shortcut files
- Enable Smart App Control on Windows systems to block malicious files from the Internet
- Train users to be cautious about opening files from unknown sources, even if they appear legitimate
- Scan systems for existing exploitation attempts using the YARA rules provided by ZDI
- Monitor for suspicious executions of cmd.exe or powershell.exe initiated by .LNK files
How CinchOps Can Help Secure Your Business
With threat actors actively exploiting ZDI-CAN-25373 and targeting a wide range of sectors, organizations in manufacturing, oil & gas, construction, utilities, legal, and financial services need robust protection against these sophisticated attacks.
CinchOps offers comprehensive cybersecurity solutions that can help protect your organization:
- Advanced Threat Detection: Our solutions can identify and block malicious .LNK files and other attack vectors used by nation-state actors
- Email Security: Filter out dangerous attachments before they reach your users
- Endpoint Protection: Deploy comprehensive protection that can detect and prevent exploitation attempts
- Security Monitoring: 24/7 monitoring for suspicious activities that may indicate an exploitation attempt
- User Training: Equip your team with the knowledge to identify and avoid social engineering attacks
- Incident Response: Rapid assistance if a security incident occurs
Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.
Contact CinchOps today to assess your security posture and implement protective measures against ZDI-CAN-25373 and other critical vulnerabilities.
Remember: The best defense is a proactive security strategy that combines technology, processes, and people to create multiple layers of protection.