Since 2017, at least 11 state-sponsored threat groups have been exploiting an unpatched Microsoft vulnerability in the handling of Windows shortcut (.lnk) files, using it for data theft and cyber espionage across a range of sectors. The scale and duration of the activity have raised significant concerns among organizations worldwide.
Researchers from Trend Micro’s Trend Zero Day Initiative (ZDI) have uncovered nearly 1,000 malicious .lnk files that take advantage of this flaw, designated as ZDI-CAN-25373. This vulnerability allows attackers to execute hidden malicious commands on a victim’s device by utilizing specially crafted shortcut files.
According to a recent blog post by Trend Micro, “By exploiting this vulnerability, an attacker can prepare a malicious .lnk file for delivery to a victim. Upon examining the file using the Windows-provided user interface, the victim will not be able to tell that the file contains any malicious content.”
The malicious files associated with these attacks often carry various payloads, including the Lumma infostealer and the Remcos remote access Trojan (RAT), which significantly increase the risks of data breaches and cyber espionage for affected organizations. Notably, state-sponsored actors from North Korea, Iran, Russia, and China, along with other non-state-affiliated groups, have been implicated in these attacks, targeting entities in government, finance, telecommunications, military, and energy sectors across North America, Europe, Asia, South America, and Australia.
North Korean operatives account for more than 45% of the attacks, while Iran, Russia, and China contribute approximately 18% each. Among the identified perpetrators are notorious advanced persistent threat (APT) groups such as Evil Corp, Kimsuky, Bitter, and Mustang Panda.
Despite the ongoing exploitation of this vulnerability, Microsoft has yet to release a patch. Trend Micro has submitted a proof-of-concept exploit through its bug bounty program but has not received a definitive timeline for resolution. A Microsoft spokesperson stated that the company does not consider the flaw severe enough for immediate servicing but may address it in a future feature release.
In the interim, Microsoft Defender is capable of detecting and blocking the associated threat activities, while the Windows Smart App Control feature prevents malicious files from being downloaded from the internet. Additionally, Windows identifies shortcut (.lnk) files as potentially dangerous, automatically alerting users when they attempt to download such files.
Patch delay concerns
The prolonged absence of a patch for an actively exploited flaw is considered “unusual,” as vulnerabilities of this nature are typically addressed promptly, according to Thomas Richards, a principal consultant and red team practice director at security firm Black Duck. While there may be legitimate reasons for delaying a patch, this decision can be frustrating for organizations that lack clear guidance on preparing for potential exploitation and developing mitigation strategies, as noted by Evan Dornbush, a former computer network operator for the National Security Agency (NSA).
Mali Gorantla, chief scientist and co-founder of AppSOC, emphasized that prioritizing patches can be challenging, but in this case, “clearly Microsoft got this one wrong.” To safeguard against this vulnerability, organizations are advised to proactively scan for exploits, remain vigilant against suspicious .lnk files, and implement comprehensive endpoint and network protection measures to detect and respond to potential threats.
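The advice above to scan for suspicious .lnk files is actionable only if a defender can see the fields a shortcut actually carries rather than what the Properties dialog renders. The following is an added example, not code from the article, Trend Micro or Microsoft: a small Python parser for the MS-SHLLINK header and StringData fields (relative path, working directory, arguments), followed by generic heuristics for content that would not be visible in the dialog. The thresholds (260 characters, a 16-character whitespace run), the interpreter list and the finding labels are assumptions chosen for this example, not details of the ZDI analysis, and both sample shortcuts are constructed in the block so it runs offline.

```python
"""Added example (not from the article or Trend Micro): a small .lnk scanner."""
import re
import struct

# MS-SHLLINK header constants (the LinkCLSID is {00021401-0000-0000-C000-000000000046})
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData structures appear in this fixed order, each only if its flag is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Heuristic thresholds (assumptions for this example, not values from the article)
MAX_ARGS_LEN = 260      # arguments longer than this deserve a look regardless of content
WHITESPACE_RUN = 16     # a run this long has no purpose in a normal command line
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)


def parse_lnk(data: bytes) -> dict:
    """Parse the header flags and StringData fields of a Shell Link file."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:        # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def scan_lnk(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    f = parse_lnk(data)
    args = f.get("arguments", "")
    launch = " ".join(f.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    findings = []
    if INTERPRETERS.search(launch):
        findings.append("interpreter: target or arguments launch a script/command host")
    if len(args) > MAX_ARGS_LEN:
        findings.append(f"length: arguments are {len(args)} characters")
    if re.search(r"[\x00-\x08\x0b-\x1f\x7f]", args):
        findings.append("control: arguments contain control characters")
    if re.search(r"\s{%d,}" % WHITESPACE_RUN, args):
        findings.append("padding: arguments contain a long run of whitespace")
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Assemble a minimal Unicode .lnk for testing (constructed; no IDList or LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIqqqIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return (header + string_data(relative_path) + string_data(working_dir)
            + string_data(arguments) + b"\x00\x00\x00\x00")  # TerminalBlock ends ExtraData


# Constructed samples: an ordinary document shortcut, and one whose arguments place a
# placeholder token after a run of spaces that a properties dialog would render as blank.
BENIGN_LNK = build_lnk(r"..\..\Windows\notepad.exe", r"C:\Users\user\Documents", "notes.txt")
SUSPICIOUS_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe", r"C:\Windows\System32",
                           "/c" + " " * 300 + "PLACEHOLDER_COMMAND")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(label, scan_lnk(sample) or "no findings")
```

Run against a directory of quarantined attachments, the scanner reports nothing for the notepad shortcut and three findings for the constructed sample (interpreter launch, oversized arguments, whitespace padding). The point of parsing the file rather than trusting the dialog is that every byte of the arguments field reaches `CreateProcess` whether or not the UI shows it, so detection has to work on the raw StringData; a production scanner would also walk the LinkInfo and ExtraData blocks, which this example skips.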