LNK files Archives

Winsage

June 18, 2025

XDSpy Threat Actors Leverages Windows LNKs Zero-Day Vulnerability to Attack Windows System Users

A cyber espionage campaign attributed to the XDSpy threat actor has been discovered, exploiting a zero-day vulnerability in Windows shortcut files identified as “ZDI-CAN-25373.” This vulnerability allows attackers to conceal executed commands within specially crafted shortcut files. XDSpy has primarily targeted government entities in Eastern Europe and Russia since its activities became known in 2020. Researchers from HarfangLab found malicious LNK files exploiting this vulnerability in mid-March, revealing issues with how Windows parses LNK files. The infection begins with a ZIP archive containing a malicious LNK file, which triggers a complex Windows shell command to execute malicious components while displaying a decoy document. This command extracts and executes a first-stage malware called “ETDownloader,” which establishes persistence and downloads a second-stage payload known as “XDigo.” The XDigo implant, written in Go, collects sensitive information and employs encryption for data exfiltration. This campaign represents an evolution in XDSpy's tactics, combining zero-day exploitation with advanced multi-stage payloads.

Winsage

June 18, 2025

XDSpy Threat Actors Exploit Windows LNK Zero-Day Vulnerability to Target Windows System Users

The XDSpy threat actor is exploiting a Windows LNK zero-day vulnerability (ZDI-CAN-25373) to target governmental entities in Eastern Europe and Russia since March 2025. This campaign involves a multi-stage infection chain deploying the XDigo implant, developed in Go. Attackers use spearphishing emails with ZIP archives containing crafted LNK files that exploit the vulnerability. Upon execution, these files sideload a malicious C# .NET DLL named ETDownloader, which establishes persistence and retrieves the XDigo payload from specific domains. XDigo is a data collection implant capable of file scanning, clipboard capture, and screenshot acquisition, communicating with command-and-control servers. The campaign targets Belarusian governmental entities and employs advanced tactics, including anti-analysis checks and encryption for data exfiltration. Indicators of compromise include specific SHA-256 hashes for ZIP archives, LNK files, the ETDownloader, and XDigo malware, along with associated distribution and command-and-control domains.

Winsage

April 30, 2025

Unpatched Windows Shortcut Vulnerability Let Attackers Execute Remote Code

Security researcher Nafiez has discovered a vulnerability in Windows LNK files that allows remote code execution without user interaction. Microsoft has chosen not to address this issue, stating it does not meet their security servicing criteria. The vulnerability exploits specific components of LNK files, enabling attackers to create malicious shortcuts that initiate silent network connections when a user accesses a folder containing them. The exploit involves manipulating the HasArguments flag, EnvironmentVariableDataBlock, and embedding UNC paths. Microsoft defends its inaction by citing the Mark of the Web (MOTW) feature as adequate protection, despite concerns from security experts about its effectiveness. Previous vulnerabilities in LNK files have been addressed by Microsoft, and the availability of proof-of-concept code raises fears of potential exploitation by malicious actors.

Winsage

April 17, 2025

Hackers Exploiting NTLM Spoofing Vulnerability in Wild to Compromise Systems

Cybercriminals are exploiting a vulnerability in Windows systems known as CVE-2025-24054, which involves NTLM hash disclosure through spoofing techniques. This flaw allows attackers to leak NTLM hashes, leading to privilege escalation and lateral movement within networks. It is triggered when a user extracts a ZIP archive containing a malicious .library-ms file, causing Windows Explorer to initiate SMB authentication requests that expose NTLMv2-SSP hashes. Exploitation of this vulnerability began shortly after a security patch was released on March 11, 2025, with campaigns targeting government and private institutions in Poland and Romania. These campaigns utilized spear-phishing emails containing malicious ZIP archives, which, when interacted with, leaked NTLM hashes. The malicious files included various types designed to initiate SMB connections to attacker-controlled servers, allowing for pass-the-hash attacks and privilege escalation. The stolen hashes were sent to servers in several countries, indicating potential links to state-sponsored groups. One campaign involved Dropbox links that exploited the vulnerability upon user interaction. Microsoft has recommended immediate patching, enhancing network defenses, user education, network segmentation, and regular security audits to mitigate risks associated with this vulnerability.

Winsage

March 24, 2025

Critical Vulnerability in Microsoft Windows Exposed: State-Sponsored Hackers Exploit Link Files for Espionage

A vulnerability in Microsoft Windows' handling of link files (.lnk) has been exploited by state-sponsored hackers from North Korea, Russia, Iran, and China for espionage and data theft. This flaw allows malicious payloads to be embedded in seemingly harmless links, enabling remote execution of arbitrary code and unauthorized access to compromised systems. Nearly 1,000 malicious .lnk files have been identified, with around 70% of attacks focused on espionage and information theft, particularly targeting government and financial institutions. The malicious commands are difficult to detect, complicating protection efforts for organizations. ZDI recommends increased awareness and the use of endpoint and network protection tools to mitigate the threat.

Winsage

March 22, 2025

Windows Shortcut Zero-Day Under Active Attack

A zero-day vulnerability in Windows shortcut (.lnk) files has been exploited by state-sponsored hacking groups since 2017, allowing attackers to execute arbitrary code on compromised systems. Microsoft has classified this vulnerability as “not meeting the bar servicing,” meaning no security updates will be issued. Trend Micro tracks it as ZDI-CAN-25373 and has linked it to cyber-espionage campaigns involving 11 nation-state actors from countries like North Korea, Iran, Russia, and China. Nearly 1,000 malicious .lnk samples exploiting this flaw have been identified, with many more potentially undetected. Attackers often use phishing emails to deliver these malicious files, which can download additional malware, granting full control over the compromised machine. Organizations are advised to scan their systems and implement security measures against this vulnerability.

Winsage

March 21, 2025

Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day

Trend Micro has identified a zero-day vulnerability in Microsoft Windows, tracked as ZDI-CAN-25373, which allows attackers to execute hidden malicious commands through .lnk files. This vulnerability has been exploited since 2017, primarily by state-sponsored groups, affecting at least 300 organizations and thousands of devices. North Korean groups APT43 and APT37 are mainly responsible for these exploits, with nearly half of the attacks linked to them. Other state-backed groups from Iran, Russia, and China account for about 20% of the attacks. Microsoft has advised users to be cautious with files from unverified sources but does not classify the issue as severe enough for immediate action. Trend Micro's research shows that attackers disguise malicious .lnk files as different file types, using hidden command line arguments. Microsoft acknowledges the research but downplays the implications, while experts suggest that addressing the vulnerability may require significant changes to .lnk file functionality.

Winsage

March 20, 2025

China, Russia, North Korea Hackers Exploit Windows Security Flaw

Almost a dozen state-sponsored threat groups from nations including China, Russia, Iran, and North Korea are exploiting a security vulnerability in Microsoft Windows, identified as ZDI-CAN-25373, to conduct espionage and gather sensitive information. This vulnerability affects how Windows handles .lnk files, allowing attackers to execute hidden malicious commands. Since 2017, these groups have targeted government, military, and critical infrastructure organizations globally, with 11 state-sponsored groups identified, primarily focusing on espionage (70%) and financial motives (20%). North Korea accounts for 45.5% of the exploitation, with Iran and Russia at 18.2% each, and China at 18.1%. The United States has experienced the most attacks (343 incidents), followed by Canada (39), Russia (25), and South Korea (23). Despite being notified, Microsoft does not plan to issue a patch for this vulnerability, categorizing it as "low severity."

Winsage

March 20, 2025

11 nation-state groups exploit unpatched Microsoft zero-day

Since 2017, at least 11 state-sponsored threat groups have exploited a Microsoft zero-day vulnerability in Windows shortcut files for data theft and cyber espionage. Researchers from Trend Micro's Trend Zero Day Initiative have identified nearly 1,000 malicious .lnk files utilizing this flaw, designated as ZDI-CAN-25373, which allows attackers to execute hidden commands on victims' devices. The attacks involve various payloads, including the Lumma infostealer and Remcos remote access Trojan, with North Korean operatives responsible for over 45% of the incidents, while Iran, Russia, and China account for approximately 18% each. Notable advanced persistent threat groups involved include Evil Corp, Kimsuky, Bitter, and Mustang Panda. Microsoft has not yet released a patch for this vulnerability, which is considered unusual, and while Microsoft Defender can detect and block related threats, organizations are advised to remain vigilant and implement protective measures against potential exploitation.

Winsage

March 20, 2025

Flaw in Windows shortcut abused by at least 11 threat groups

Attackers are using Windows shortcut (.lnk) files to execute malicious code, with at least 11 threat actor groups exploiting this method, including the North Korea-linked Evil Corp group, which is responsible for 45% of 1,000 observed incidents. The majority of these attacks (70%) are espionage-related, while 20% focus on stealing financial records. Microsoft has been informed of the issue but does not classify it as a CVE-eligible vulnerability and has not issued a patch, stating that the software functions as designed. Trend Micro is providing YARA rules and indicators of compromise to help detect potential attacks.