Two significant vulnerabilities in Windows have come to light, capturing the attention of cybersecurity experts and businesses alike. One of these is a zero-day vulnerability that has been lurking in the shadows since 2017, while the other represents a critical flaw that Microsoft has struggled to address effectively in recent attempts. Both vulnerabilities are currently being exploited in widespread attacks across the Internet.
The zero-day vulnerability remained undetected until March, when security firm Trend Micro revealed its existence. According to their findings, it has been actively exploited by as many as 11 advanced persistent threat (APT) groups, often linked to nation-states, that target specific individuals or organizations. Trend Micro identified the vulnerability, initially tracked as ZDI-CAN-25373, as the means these groups used to deploy various post-exploitation payloads across nearly 60 countries, with the United States, Canada, Russia, and Korea being the most frequently targeted.
A large-scale, coordinated operation
Despite the passage of seven months, Microsoft has yet to release a patch for this vulnerability, which originates from a flaw in the Windows Shortcut (LNK) binary format. Shortcut files let a user open an application or file through a single binary file instead of navigating to the target manually. The vulnerability has since been assigned the designation CVE-2025-9491.
On Thursday, Arctic Wolf, another security firm, reported that a China-aligned threat group, known as UNC-6384, has been actively exploiting CVE-2025-9491 in attacks targeting various European nations. The final payload of these attacks is a well-known remote access trojan called PlugX. To make the malware harder to detect, the exploit keeps the binary encrypted with the RC4 cipher until the final stage of the attack.
Arctic Wolf commented on the situation, stating, “The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting.” They further noted that the consistency in tradecraft across diverse targets indicates a centralized approach to tool development and operational security standards, even if the execution is distributed among various teams.