China, Russia, North Korea Hackers Exploit Windows Security Flaw

Almost a dozen state-sponsored threat groups from nations including China, Russia, Iran, and North Korea are currently leveraging a security vulnerability in Microsoft Windows to conduct espionage and gather sensitive information from a diverse range of targets globally. Since at least 2017, these malicious actors have specifically targeted government, military, and critical infrastructure organizations across the United States, Canada, Europe, Asia, and beyond. This exploitation hinges on a flaw that permits attackers to execute hidden malicious commands on the systems of their victims, as detailed by researchers from Trend Micro’s Zero Day Initiative (ZDI).

The vulnerability, identified by Trend Micro as ZDI-CAN-25373, pertains to how Windows handles the display of LNK or .lnk files—shortcuts that facilitate easier access to files, folders, or applications. ZDI researchers have uncovered nearly 1,000 malicious .lnk files, although they caution that the actual figure could be significantly higher. These files are often disguised as innocuous documents, enticing victims to execute them and unwittingly initiate the harmful commands.
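The article does not spell out the mechanism, only that the commands are "hidden"; ZDI's advisory for ZDI-CAN-25373 describes shortcut argument strings padded with whitespace so that the Properties dialog shows nothing. The following Python check is an added example, not code from the article, Trend Micro or Microsoft: it walks a shortcut's ShellLinkHeader and StringData according to the public MS-SHLLINK layout, pulls out COMMAND_LINE_ARGUMENTS directly from the bytes rather than trusting the Explorer view, and flags long whitespace runs or control characters. The `MAX_PAD_RUN` threshold and the `build_lnk` sample shortcut are constructed assumptions for the demonstration.

```python
import re
import struct

HEADER_SIZE = 0x4C                      # fixed ShellLinkHeader size
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, IS_UNICODE = 0x20, 0x80
PAD_RE = re.compile(r"[ \t\n\r\x0b\x0c]+")   # whitespace runs that push arguments out of view
MAX_PAD_RUN = 64                            # heuristic threshold; an assumption, tune per estate

def lnk_arguments(data: bytes) -> str:
    """Walk a ShellLink blob and return its COMMAND_LINE_ARGUMENTS string ("" if absent)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 0x14)[0]   # LinkFlags follows HeaderSize + LinkCLSID
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:               # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                         # LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    args = ""
    # StringData items appear in this fixed order, each as CountCharacters + characters
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS):
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            nbytes = count * 2 if unicode else count
            text = data[pos + 2:pos + 2 + nbytes].decode("utf-16-le" if unicode else "cp1252")
            pos += 2 + nbytes
            if flag == HAS_ARGUMENTS:
                args = text
    return args

def padding_run(args: str) -> int:
    """Longest consecutive run of whitespace characters in the argument string."""
    return max((len(m) for m in PAD_RE.findall(args)), default=0)

def is_suspicious(data: bytes) -> bool:
    """Flag shortcuts whose arguments carry long whitespace padding or line/form-feed controls."""
    args = lnk_arguments(data)
    return padding_run(args) >= MAX_PAD_RUN or any(c in args for c in "\n\r\x0b\x0c")

def build_lnk(args: str) -> bytes:
    """Constructed minimal .lnk (header + COMMAND_LINE_ARGUMENTS only) used as sample input."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # CLSID_ShellLink
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, clsid, HAS_ARGUMENTS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Run `is_suspicious(open(path, "rb").read())` over a mail gateway's or endpoint's quarantined .lnk attachments; a real-world shortcut also carries LinkInfo and ExtraData blocks, which the parser skips or ignores without needing them.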

‘Widespread Abuse’

In a recent report, ZDI researchers Peter Girnus and Aliakbar Zahravi noted, “We discovered the widespread abuse of this vulnerability by numerous threat actors and APT [advanced persistent threat] groups. These threats include a mix of state-sponsored as well as non-state-sponsored APT groups. Many of these groups demonstrated a high degree of sophistication in their attack chains and have a history of abusing zero-day vulnerabilities in the wild.”

In total, ZDI identified 11 state-sponsored groups exploiting this vulnerability, with approximately 70% of the campaigns primarily focused on espionage and information theft. An additional 20% have financial motives, although some APT groups may fund their espionage activities through financially driven attacks. A small fraction of the campaigns appear to be aimed at causing damage.

North Korea Setting the Pace

Notably, North Korea accounts for 45.5% of the state-sponsored APT groups exploiting ZDI-CAN-25373, with Iran and Russia each representing 18.2%, and China at 18.1%. The researchers pointed out that a significant majority of North Korea’s intrusion sets have targeted this vulnerability at various times, highlighting a trend of collaboration and shared techniques among different threat groups within the country’s cyber program. Among the identified state-sponsored groups are Kimsuky (also known as APT43 and Earth Kumiho), Konni (Earth Imp), and APT37 (ScarCruft, InkySquid, Earth Manticore) from North Korea, as well as Bitter (Earth Anansi), which has targeted victims in Pakistan. The notorious Russian cybercrime group Evil Corp also appears on the list of attackers.

Lot of Targets in a Lot of Countries

The targeted industries are extensive, encompassing government, finance, think tanks, telecommunications, energy, and the military and defense sectors. The United States has experienced the highest number of attacks, with 343 known incidents, followed by Canada with 39, Russia with 25, and South Korea with 23. Attackers have used the malicious .lnk files to deploy a variety of payloads, including malware-as-a-service (MaaS) tooling, the Lumma information stealer, GuLoader, and the Remcos remote access trojan (RAT).

Microsoft: No Patch Coming

Despite ZDI notifying Microsoft about the vulnerability, the company has indicated that it does not plan to issue a patch, categorizing the flaw as “low severity.” A Microsoft spokesperson stated that the company’s Defender security product can detect and block such threats, and that its Smart App Control will also prevent the execution of malicious files. Furthermore, attempting to open a .lnk file downloaded from the internet triggers a warning advising users against proceeding.

Thomas Richards, principal consultant and network and red team practice director at application security firm Black Duck, remarked on the unusual nature of Microsoft’s decision not to release a security patch for a vulnerability exploited by nation-state groups. “Actively exploited vulnerabilities are usually patched within a short period of time,” he noted, urging Microsoft to address the issue promptly to mitigate software risks and prevent further attacks on systems worldwide.

ZDI researchers have emphasized the ongoing threats posed by both state-sponsored and cybercriminal groups. Girnus and Zahravi anticipate that as geopolitical tensions rise, the sophistication of threat actors and their use of zero-day vulnerabilities will likely increase, as both nation-states and cybercriminals seek to gain an upper hand over their adversaries. They concluded that the growing prevalence of zero-day exploitation underscores the need for comprehensive security solutions to effectively protect critical assets and industries.