shortcut files Archives

Winsage

March 22, 2025

Windows Shortcut Zero-Day Under Active Attack

A zero-day vulnerability in Windows shortcut (.lnk) files has been exploited by state-sponsored hacking groups since 2017, allowing attackers to execute arbitrary code on compromised systems. Microsoft has classified this vulnerability as “not meeting the bar servicing,” meaning no security updates will be issued. Trend Micro tracks it as ZDI-CAN-25373 and has linked it to cyber-espionage campaigns involving 11 nation-state actors from countries like North Korea, Iran, Russia, and China. Nearly 1,000 malicious .lnk samples exploiting this flaw have been identified, with many more potentially undetected. Attackers often use phishing emails to deliver these malicious files, which can download additional malware, granting full control over the compromised machine. Organizations are advised to scan their systems and implement security measures against this vulnerability.

Winsage

March 21, 2025

Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day

Trend Micro has identified a zero-day vulnerability in Microsoft Windows, tracked as ZDI-CAN-25373, which allows attackers to execute hidden malicious commands through .lnk files. This vulnerability has been exploited since 2017, primarily by state-sponsored groups, affecting at least 300 organizations and thousands of devices. North Korean groups APT43 and APT37 are mainly responsible for these exploits, with nearly half of the attacks linked to them. Other state-backed groups from Iran, Russia, and China account for about 20% of the attacks. Microsoft has advised users to be cautious with files from unverified sources but does not classify the issue as severe enough for immediate action. Trend Micro's research shows that attackers disguise malicious .lnk files as different file types, using hidden command line arguments. Microsoft acknowledges the research but downplays the implications, while experts suggest that addressing the vulnerability may require significant changes to .lnk file functionality.

Winsage

March 20, 2025

11 nation-state groups exploit unpatched Microsoft zero-day

Since 2017, at least 11 state-sponsored threat groups have exploited a Microsoft zero-day vulnerability in Windows shortcut files for data theft and cyber espionage. Researchers from Trend Micro's Trend Zero Day Initiative have identified nearly 1,000 malicious .lnk files utilizing this flaw, designated as ZDI-CAN-25373, which allows attackers to execute hidden commands on victims' devices. The attacks involve various payloads, including the Lumma infostealer and Remcos remote access Trojan, with North Korean operatives responsible for over 45% of the incidents, while Iran, Russia, and China account for approximately 18% each. Notable advanced persistent threat groups involved include Evil Corp, Kimsuky, Bitter, and Mustang Panda. Microsoft has not yet released a patch for this vulnerability, which is considered unusual, and while Microsoft Defender can detect and block related threats, organizations are advised to remain vigilant and implement protective measures against potential exploitation.

Winsage

March 20, 2025

Flaw in Windows shortcut abused by at least 11 threat groups

Attackers are using Windows shortcut (.lnk) files to execute malicious code, with at least 11 threat actor groups exploiting this method, including the North Korea-linked Evil Corp group, which is responsible for 45% of 1,000 observed incidents. The majority of these attacks (70%) are espionage-related, while 20% focus on stealing financial records. Microsoft has been informed of the issue but does not classify it as a CVE-eligible vulnerability and has not issued a patch, stating that the software functions as designed. Trend Micro is providing YARA rules and indicators of compromise to help detect potential attacks.