LEMON BLOG

Zero-Day Windows Shortcut Exploit Used by State-Backed Hackers Since 2017

Wednesday, 02 April 2025

Cybersecurity

278 Hits

A newly disclosed zero-day vulnerability in Windows shortcut files (.lnk) has been exploited in-the-wild for several years by state-sponsored hacking groups. Identified as ZDI-CAN-25373, the flaw allows attackers to silently execute malicious commands using shortcut files—making it difficult to detect through traditional security tools.

Security researchers revealed that this vulnerability has been abused since at least 2017 by advanced persistent threat (APT) groups linked to 11 different countries.

Threat Details

The exploit revolves around manipulated .lnk files, commonly used in Windows systems. Over 1,000 weaponized shortcut files have been uncovered globally. The attackers primarily use this method for cyber espionage and data theft.

Among the nations identified as origin points are:

Targeted Sectors (Top Attack Areas)

Sector	% of Attacks
Government	22.8%
Private Sector	14%
Financial, Think Tanks, Telco, Military, Energy (each)	8.77%
Cryptocurrency	5.26%
Education, Healthcare, Media (each)	3.51%
Critical Infrastructure, Nuclear	1.75%

These figures show broad and strategic targeting, with a focus on sectors tied to national security, economic stability, and intellectual property.

Malware Families and Tools Used

Attackers leveraging ZDI-CAN-25373 deployed a wide range of malware, including:

Remote Access Trojans (RATs): Xeno RAT, Quasar RAT, Remcos, Warzone, PupyRAT

InfoStealers and Banking Trojans: Gozi, Racoon Stealer, Lumma, Snake Keylogger

Malware-as-a-Service (MaaS): 79 known samples tracked

Red Team Tools Used Maliciously: Cobalt Strike, Sliver

These payloads enable persistent access, data theft, and in some cases, ransomware deployment.

How the Exploit Works

The attack method is stealthy and sophisticated:

Malicious commands are embedded in .lnk files, often disguised as normal shortcuts.

Whitespace padding hides payloads in command-line arguments.

Windows' UI does not show these commands, making them invisible without forensic tools.

These .lnk files can masquerade as documents or software installers, aiding in phishing attacks.

The exploit bypasses common endpoint defenses, which typically focus on executable threats, not shortcuts.

Despite a submitted proof-of-concept (PoC), Microsoft declined to patch the vulnerability, stating it doesn't meet its remediation criteria. This leaves defenders to rely on alternative protection methods.

4. Recommended Mitigations and Workarounds

Since no official patch exists, organizations must act proactively. Recommended best practices include:

Restrict and Monitor .lnk File Usage: Block or control execution from unknown or external sources.

Use Endpoint Detection Tools: Focus on hidden command-line execution and shortcut behaviors.

Enhance Network Visibility: Log and investigate .lnk-related activity, especially from unfamiliar origins.

Keep Systems Updated: While no direct patch exists, applying the latest Windows updates can reduce overall attack surface.

Phishing Awareness Training: Educate users on the risks of opening unexpected attachments or clicking unknown links.

Use Forensic Tools to Inspect Shortcuts: Analyze metadata to uncover hidden commands.

Adopt Behavioral-Based Detection: Move beyond signature detection to spot anomalies in file execution.

Disable Unnecessary Script Execution: Limit PowerShell and other scripting environments often abused through .lnk exploits.

Conclusion

The exploitation of ZDI-CAN-25373 by state-backed actors underscores the growing sophistication of modern cyber threats. Without a patch from Microsoft, it's essential for organizations to take defensive measures, improve visibility, and adopt a proactive threat-hunting approach.

This vulnerability serves as a stark reminder that non-executable file types like .lnk files can pose serious threats—especially when leveraged by nation-state actors for espionage and data exfiltration.

How do you feel about this post?

Tags:

Comments

No comments made yet. Be the first to submit a comment

Blog Categories

Application Development

34 post(s)

Cybersecurity

27 post(s)

Designs & Artworks

18 post(s)

Games

54 post(s)

General Information

65 post(s)

Guitar Covers

27 post(s)

Mobile Development

27 post(s)

News

119 post(s)

Personal Blog

23 post(s)

Tech Gadgets

33 post(s)

Technical Solutions

17 post(s)

Web Development

34 post(s)

Explore all articles

Blog Subscribe

Random Articles

11 February 2025

Disney’s Aladdin – Play the Classic SNES Game Online in Your Browser!

Games

The classic Disney magic of Aladdin is now just a click away! Thanks to modern web technology, the beloved Super Nintendo Entertainment System (SNES) version of Disney's Aladdin ha...

430 hits

17 February 2025

Duke Nukem 3D – Play the Classic FPS Online in Your Browser!

Games

Lock and load, because Duke Nukem 3D, the action-packed, one-liner-fueled first-person shooter, is now fully playable in your web browser! Thanks to modern web technology, this MS-...

448 hits

14 January 2025

WebFlow.Io - No Programming Needed. Just Design & Design!

Web Development

Recently, I came across Webflow, a website CMS that requires no programming knowledge, allowing users to leverage their design skills instead. During my exploration, I discovered a...

449 hits

LEMON-WEB VIDEO CHANNELS

Step into a world where web design & development, gaming & retro gaming, and guitar covers & shredding collide! Whether you're looking for expert web development insights, nostalgic arcade action, or electrifying guitar solos, this is the place for you. Now also featuring content on TikTok, we’re bringing creativity, music, and tech straight to your screen. Subscribe and join the ride—because the future is bold, fun, and full of possibilities!

ABOUT LEMON

Experienced webmaster specializing in functional, visually appealing web design since 2008, with a strong focus on programming and innovation.

Learn more

LEMON BLOG

Zero-Day Windows Shortcut Exploit Used by State-Backed Hackers Since 2017

Related Posts

Malaysia to Enhance Space-Based Connectivity as Strategic Pillar for National Growth

Australia's Largest Pension Funds Targeted in Widespread Cyberattacks

Estimating the Financial Impact of Data Breaches in Malaysia's Healthcare Sector

Comments

Blog Categories

Blog Subscribe

Random Articles

LEMON-WEB VIDEO CHANNELS

ABOUT LEMON

QUICK ACCESS

SOCIAL MEDIA

CONTACT INFO