Windows LNK File UI Misrepresentation Enables Remote Code Execution Attacks

A vulnerability in the way Windows displays shortcut files is being used by advanced persistent threat (APT) actors to deliver malware covertly to diplomatic and government targets worldwide. Tracked as ZDI-CAN-25373 and disclosed in March 2025, the flaw lets an attacker hide the real command inside a Windows LNK file by padding the COMMAND_LINE_ARGUMENTS string with whitespace, so that the shortcut's Properties dialog shows only an innocuous-looking target.

This UI misrepresentation technique has been adopted by several state-sponsored espionage groups attributed to North Korea, China, Russia and Iran, chiefly for data theft and intelligence collection.

The technique abuses how Windows Explorer renders a shortcut's target. The attacker pads the command-line arguments with a long run of whitespace (spaces, tabs, line feeds, carriage returns and similar characters), so the Target field of the Properties dialog shows the benign-looking executable path while the malicious PowerShell command that follows the padding sits out of view. The full argument string is still passed to the target when the shortcut is launched. When a victim opens what appears to be a document shortcut, typically themed around diplomatic meetings, conference agendas or policy papers, the hidden command runs.
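As an added example (not code from the article or from the research it summarises), the following Python parses the ShellLinkHeader and StringData section of a .lnk file according to the MS-SHLLINK layout and flags a COMMAND_LINE_ARGUMENTS string that carries an abnormally long whitespace run or control-character whitespace. The sample shortcut it builds, the 50-character run threshold and the helper names are constructed for this example, not values from the advisory.

```python
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))
PAD_CHARS = " \t\n\x0b\x0c\r"     # whitespace the Properties dialog renders as blank space
CONTROL_PAD = "\n\x0b\x0c\r"      # never belongs in a genuine command line


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and StringData of a .lnk file.
    LinkTargetIDList and LinkInfo are skipped via their size fields; ExtraData is ignored."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} string")
        pos += nbytes
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return fields


def inspect_arguments(args: str, min_run: int = 50) -> dict:
    """Heuristic for ZDI-CAN-25373-style padding. The 50-character run threshold is an
    assumption made for this example; tune it against your own benign shortcut corpus."""
    longest = run = 0
    for ch in args:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    has_control = any(ch in CONTROL_PAD for ch in args)
    return {
        "longest_ws_run": longest,
        "control_whitespace": has_control,
        "hidden_command": args.strip(PAD_CHARS),   # what the user would have seen if unpadded
        "suspicious": longest >= min_run or has_control,
    }


def inspect_lnk(data: bytes, min_run: int = 50) -> dict:
    fields = parse_lnk(data)
    report = inspect_arguments(fields.get("arguments", ""), min_run)
    report["target"] = fields.get("relative_path") or fields.get("name", "")
    return report


def build_lnk(relative_path: str, arguments: str, id_list: bytes = b"") -> bytes:
    """Constructed fixture: a minimal Unicode .lnk carrying only the fields this parser reads.
    Real shortcuts carry more structures, which parse_lnk skips by size."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE | (HAS_LINK_TARGET_ID_LIST if id_list else 0)
    header = struct.pack("<I16sIIqqqIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x80,        # FILE_ATTRIBUTE_NORMAL
                         0, 0, 0,     # creation/access/write FILETIMEs
                         0, 0,        # FileSize, IconIndex
                         1,           # ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1..3
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed samples (not captured files): a dummy one-item IDList, a relative path to
# powershell.exe, and arguments padded with 200 spaces ahead of the real command.
SAMPLE_ID_LIST = b"\x04\x00AB" + b"\x00\x00"   # one ItemID (size 4 incl. size field) + TerminalID
TARGET = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PADDED_ARGS = " " * 200 + '-nop -w hidden -c "Get-Date"'
BENIGN_ARGS = r'-NoProfile -File "C:\Tools\report.ps1"'

if __name__ == "__main__":
    for label, args in (("padded", PADDED_ARGS), ("benign", BENIGN_ARGS)):
        print(label, inspect_lnk(build_lnk(TARGET, args, SAMPLE_ID_LIST)))
```

Pointing `inspect_lnk` at the raw bytes of a real shortcut (`open(path, "rb").read()`) is enough to triage mail attachments or downloads; only the StringData fields are decoded, so a malformed IDList or LinkInfo cannot be used to crash the check beyond a `ValueError`.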

The method is particularly effective in spearphishing, where threat actors name the LNK files after real events, for example “Agenda_Meeting 26 Sep Brussels.lnk,” so that authentic diplomatic detail disarms the recipient's suspicion.

Technical Exploitation Mechanics and Attack Chain Deployment

The attack chain runs in several stages and is built to evade endpoint detection. When the shortcut is opened, the hidden PowerShell command decodes a TAR archive embedded in the LNK file itself and extracts three components that together form a DLL side-loading scheme:

  • A legitimate digitally signed Canon printer assistant utility (cnmpaui.exe)
  • A malicious loader DLL (cnmpaui.dll)
  • An RC4-encrypted payload file (cnmplog.dat) containing remote access trojan malware

The legitimate Canon executable is signed with a certificate chaining to the Symantec Class 3 SHA256 Code Signing CA, which gives the rest of the chain a trusted process to run in. Although that certificate expired in April 2018, Windows still accepts the signature because the file carries a countersignature from a timestamp authority showing it was signed while the certificate was valid.

When the signed executable starts, the Windows DLL search order consults the application's own directory first, so the cnmpaui.dll placed beside cnmpaui.exe is loaded in place of the genuine library before the system directories are ever searched. The malicious DLL decrypts cnmplog.dat with a hardcoded 16-byte RC4 key and maps the final-stage payload into the legitimate process's address space, so the malware runs inside a signed, trusted process and sidesteps reputation-based security controls.
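The loader's decryption step, shown as an added example that is not taken from the malware or from the report: plain RC4 with a 16-byte key, followed by the sanity check an analyst applies to the output (does it start with a PE header?). The key and the payload stub below are placeholders constructed for the example; the real key would have to be recovered from the loader DLL, and the real file layout may include headers the loader strips before decryption.

```python
import sys


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check on decrypted output: 'MZ' magic and e_lfanew pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_payload(key: bytes, encrypted: bytes) -> tuple[bytes, bool]:
    """Decrypt a recovered .dat blob and report whether the result is a PE image."""
    if len(key) != 16:
        raise ValueError("expected a 16-byte RC4 key")
    plain = rc4(key, encrypted)
    return plain, looks_like_pe(plain)


def fake_pe_stub() -> bytes:
    """Constructed placeholder payload: just enough header to satisfy looks_like_pe."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)      # 0x3C bytes; e_lfanew lives at offset 0x3C
    stub += (0x40).to_bytes(4, "little")          # e_lfanew -> 0x40
    stub += b"PE\x00\x00" + b"\x00" * 20          # signature + zeroed IMAGE_FILE_HEADER
    return bytes(stub)


SAMPLE_KEY = bytes(range(0x10, 0x20))   # constructed key for the example, not the real one

if __name__ == "__main__":
    # Usage against real artefacts: python rc4_triage.py <16-byte-key-hex> cnmplog.dat
    if len(sys.argv) == 3:
        key = bytes.fromhex(sys.argv[1])
        with open(sys.argv[2], "rb") as f:
            plain, is_pe = decrypt_payload(key, f.read())
        print(f"decrypted {len(plain)} bytes, PE header present: {is_pe}")
    else:
        enc = rc4(SAMPLE_KEY, fake_pe_stub())
        print("self-test, PE header present:", decrypt_payload(SAMPLE_KEY, enc)[1])
```

Because RC4 has no integrity check, a wrong key simply yields noise; the PE-header test is what tells the analyst the key extracted from the DLL was the right one.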

Graph overview showing the high-level execution chain.

The speed with which this flaw has been weaponized poses a challenge for defenders. Within six months of ZDI-CAN-25373 being made public, multiple APT groups had folded it into their tradecraft, and ZDI's own March 2025 research had already found it abused in the wild for years before the disclosure. For instance, the China-nexus actor UNC6384 used it against Hungarian and Belgian diplomatic entities in September and October 2025, while related campaigns targeted Serbian government agencies and Italian diplomatic organizations with the same methodology.

The operators run command-and-control infrastructure across several domains, including racineupci[.]org, dorareco[.]net and naturadeco[.]net, all configured to communicate over TCP port 443 so that the traffic blends with ordinary HTTPS.

As of October 2025, Microsoft has not released a patch for ZDI-CAN-25373. Organizations should apply compensating controls now: disabling automatic LNK file resolution in Windows Explorer, blocking the identified command-and-control domains at the network perimeter, scanning inbound .lnk files for abnormally long whitespace runs in their command-line arguments, and hunting endpoints for Canon printer utilities running from non-standard directories such as user AppData folders.
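An added example of the endpoint hunt described above, written here for the article and not taken from its source reporting: Python over constructed Sysmon-style events that flags cnmpaui.exe running outside Program Files, cnmpaui.dll loaded from such a location, the PowerShell parent the attack chain implies, and DNS queries to the listed C2 domains. Field names follow Sysmon's; the expected-directory rule, the severity labels and the sample events are assumptions.

```python
import re

# C2 domains named in the report, with defanging brackets removed for matching
C2_DOMAINS = {"racineupci.org", "dorareco.net", "naturadeco.net"}
# Where a vendor-installed Canon utility is expected to live (assumption for this hunt)
EXPECTED_DIR = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)
# User-writable locations that raise a finding to high confidence
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: list[dict]) -> list[dict]:
    """Run the hunting rules over Sysmon-style events and return one finding per rule hit."""
    findings = []

    def add(rule: str, ev: dict, severity: str) -> None:
        findings.append({"rule": rule, "event_id": ev["id"], "severity": severity})

    for ev in events:
        kind = ev["type"]
        image = ev.get("Image", "")
        if kind == "ProcessCreate" and basename(image) == "cnmpaui.exe":
            # Signed Canon binary started from somewhere other than Program Files
            if not EXPECTED_DIR.match(image):
                add("canon_utility_nonstandard_path", ev,
                    "high" if USER_WRITABLE.search(image) else "medium")
            # The LNK chain launches the utility from PowerShell, not from an installer or the user
            if basename(ev.get("ParentImage", "")) in ("powershell.exe", "pwsh.exe"):
                add("canon_utility_spawned_by_powershell", ev, "high")
        elif kind == "ImageLoad" and basename(ev.get("ImageLoaded", "")) == "cnmpaui.dll":
            loaded = ev["ImageLoaded"]
            if not EXPECTED_DIR.match(loaded):
                add("canon_dll_sideload_nonstandard_path", ev,
                    "high" if USER_WRITABLE.search(loaded) else "medium")
        elif kind == "DnsQuery":
            q = ev.get("QueryName", "").lower().rstrip(".")
            if any(q == d or q.endswith("." + d) for d in C2_DOMAINS):
                add("known_c2_domain", ev, "critical")
    return findings


SAMPLE_EVENTS = [  # constructed Sysmon-style events for the example, not real telemetry
    {"id": 1, "type": "ProcessCreate", "Image": r"C:\Program Files\Canon\cnmpaui.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 2, "type": "ProcessCreate", "Image": r"C:\Users\alice\AppData\Roaming\Canon\cnmpaui.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 3, "type": "ImageLoad", "Image": r"C:\Users\alice\AppData\Roaming\Canon\cnmpaui.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Canon\cnmpaui.dll"},
    {"id": 4, "type": "DnsQuery", "Image": r"C:\Users\alice\AppData\Roaming\Canon\cnmpaui.exe",
     "QueryName": "racineupci.org"},
    {"id": 5, "type": "DnsQuery", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "example.org"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Event 1 (the utility in Program Files, started by Explorer) produces nothing, which is the point: the rules key on location and lineage rather than on the binary's name alone, since the executable itself is legitimately signed.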

The continued use of this flaw across multiple nation-state campaigns underlines the need for proactive threat hunting and closer monitoring of Windows shortcut execution, particularly in the diplomatic and government sectors where targeted intelligence collection is concentrated.
