A newly disclosed zero-day vulnerability in Windows shortcut files (.lnk) has been exploited in the wild for several years by state-sponsored hacking groups. Tracked by Trend Micro's Zero Day Initiative as ZDI-CAN-25373, the flaw lets a shortcut carry malicious command-line arguments that the Windows UI does not display, so a user who opens what looks like an ordinary shortcut runs commands they cannot see. Because the shortcut itself is not an executable and its visible properties look benign, the technique is hard to detect with traditional security tools.
Security researchers revealed that this vulnerability has been abused since at least 2017 by advanced persistent threat (APT) groups linked to 11 different countries.
Threat Details
The exploit revolves around manipulated .lnk files, the shortcut files Windows uses to point at programs and documents. Over 1,000 weaponized shortcut files have been uncovered globally. The attackers primarily use this method for cyber espionage and data theft.
Among the nations identified as origin points are:
Targeted Sectors (Top Attack Areas)
Sector | % of Attacks
--- | ---
Government | 22.8%
Private Sector | 14%
Financial, Think Tanks, Telco, Military, Energy (each) | 8.77%
Cryptocurrency | 5.26%
Education, Healthcare, Media (each) | 3.51%
Critical Infrastructure, Nuclear (each) | 1.75%
These figures show broad and strategic targeting, with a focus on sectors tied to national security, economic stability, and intellectual property.
Malware Families and Tools Used
Attackers leveraging ZDI-CAN-25373 deployed a wide range of malware, including:
These payloads enable persistent access, data theft, and in some cases, ransomware deployment.
How the Exploit Works
The attack method is stealthy and sophisticated:
Despite receiving a proof-of-concept (PoC), Microsoft declined to patch the vulnerability, stating that it does not meet its bar for servicing. This leaves defenders to rely on their own protections rather than a vendor fix.
Recommended Mitigations and Workarounds
Since no official patch exists, organizations must act proactively. Recommended best practices include:
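Since the point of the attack is that the shortcut's visible properties do not match what it runs, the most useful check a defender can add is one that reads the .lnk binary directly and reports what the shortcut will actually launch. The parser below is an example added here; it is not code from the original article, from Microsoft, or from any vendor. It follows the ShellLinkHeader and StringData layout in Microsoft's public MS-SHLLINK specification and flags the properties worth surfacing when hunting for this class of abuse: a target that is a script host, arguments padded with whitespace or control characters beyond what the shortcut's Properties dialog shows (ZDI-CAN-25373 samples hide the real command by padding the COMMAND_LINE_ARGUMENTS field this way), encoded-command or download cues, and a minimised start window. The 260-character display limit, the script-host list and the cue strings are assumptions chosen for the example, and the two shortcuts it scans are constructed inside the script, not captured samples.

```python
"""Parse Windows .lnk files and flag shortcuts that launch hidden commands.

Added example, not code from the original article or from any vendor.
Field layout follows the public MS-SHLLINK specification; the sample
shortcuts at the bottom are constructed here and are not real malware.
"""
import struct

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

SW_SHOWMINNOACTIVE = 7  # ShowCommand: start the target minimised, without focus

# Assumed list of interpreters/LOLBins a document-looking shortcut should not launch.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Assumed width of the Target box in the Properties dialog; text past it is invisible.
VISIBLE_LIMIT = 260


def _read_string(data, pos, unicode):
    """Read one StringData item: a 2-byte char count followed by the chars."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        return data[pos:pos + count * 2].decode("utf-16-le"), pos + count * 2
    return data[pos:pos + count].decode("cp1252", errors="replace"), pos + count


def parse_lnk(data):
    """Return the ShowCommand and StringData fields of a ShellLink blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    (flags,) = struct.unpack_from("<I", data, 20)
    (show_command,) = struct.unpack_from("<I", data, 60)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    link = {"show_command": show_command}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        link[name] = ""
        if flags & flag:
            link[name], pos = _read_string(data, pos, unicode)
    return link


def assess(link):
    """List the reasons a parsed shortcut deserves a closer look (empty if none)."""
    findings = []
    target = link["relative_path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = link["arguments"]
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a script host: {target}")
    control = sum(ch in "\t\n\r\x0b\x0c" for ch in args)
    if control:
        findings.append(f"{control} control characters in arguments")
    if " " * 8 in args:
        findings.append("long whitespace run in arguments")
    if len(args) > VISIBLE_LIMIT:
        findings.append(f"arguments are {len(args)} chars, past the {VISIBLE_LIMIT} shown in Properties")
    for cue in ("http://", "https://", "-enc", "-w hidden", "iex", "downloadstring"):
        if cue in args.lower():
            findings.append(f"argument cue: {cue}")
    if link["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised (SW_SHOWMINNOACTIVE)")
    return findings


def scan(data):
    return assess(parse_lnk(data))


def build_lnk(relative_path, arguments, show_command=1):
    """Build a minimal Unicode ShellLink for testing (constructed, not a captured sample)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    def item(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + item(relative_path) + item(arguments)


# Constructed samples: an ordinary shortcut, and one whose real command is
# pushed out of view by 300 spaces and runs in a minimised window.
BENIGN = build_lnk("..\\..\\Program Files\\Editor\\editor.exe", "notes.txt")
PADDED = build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                   "/c " + " " * 300 + "powershell -w hidden -f stage2.ps1",
                   show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, scan(blob) or ["no findings"])
```

Run it over shortcuts pulled from mail attachments, archive extractions or download folders and treat any finding as a triage lead rather than a verdict. Two caveats: the parser skips the LinkTargetIDList and LinkInfo structures instead of decoding them, so a shortcut that names its target only in the IDList and has no RelativePath will show an empty target, and the cue list is deliberately short, so extend it with whatever interpreters and download patterns your own telemetry shows.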
Conclusion
The exploitation of ZDI-CAN-25373 by state-backed actors underscores the growing sophistication of modern cyber threats. Without a patch from Microsoft, organizations must take their own defensive measures, improve visibility into what shortcuts actually launch, and hunt for abuse proactively.
This vulnerability is a stark reminder that file types that are not executables themselves, such as .lnk shortcuts, can still deliver code execution, especially in the hands of nation-state actors pursuing espionage and data exfiltration.