LEMON BLOG

Zero-Day Windows Shortcut Exploit Used by State-Backed Hackers Since 2017

Wednesday, 02 April 2025

Cybersecurity

42 Hits

A newly disclosed zero-day vulnerability in Windows shortcut files (.lnk) has been exploited in-the-wild for several years by state-sponsored hacking groups. Identified as ZDI-CAN-25373, the flaw allows attackers to silently execute malicious commands using shortcut files—making it difficult to detect through traditional security tools.

Security researchers revealed that this vulnerability has been abused since at least 2017 by advanced persistent threat (APT) groups linked to 11 different countries.

Threat Details

The exploit revolves around manipulated .lnk files, commonly used in Windows systems. Over 1,000 weaponized shortcut files have been uncovered globally. The attackers primarily use this method for cyber espionage and data theft.

Among the nations identified as origin points are:

Targeted Sectors (Top Attack Areas)

Sector	% of Attacks
Government	22.8%
Private Sector	14%
Financial, Think Tanks, Telco, Military, Energy (each)	8.77%
Cryptocurrency	5.26%
Education, Healthcare, Media (each)	3.51%
Critical Infrastructure, Nuclear	1.75%

These figures show broad and strategic targeting, with a focus on sectors tied to national security, economic stability, and intellectual property.

Malware Families and Tools Used

Attackers leveraging ZDI-CAN-25373 deployed a wide range of malware, including:

Remote Access Trojans (RATs): Xeno RAT, Quasar RAT, Remcos, Warzone, PupyRAT

InfoStealers and Banking Trojans: Gozi, Racoon Stealer, Lumma, Snake Keylogger

Malware-as-a-Service (MaaS): 79 known samples tracked

Red Team Tools Used Maliciously: Cobalt Strike, Sliver

These payloads enable persistent access, data theft, and in some cases, ransomware deployment.

How the Exploit Works

The attack method is stealthy and sophisticated:

Malicious commands are embedded in .lnk files, often disguised as normal shortcuts.

Whitespace padding hides payloads in command-line arguments.

Windows' UI does not show these commands, making them invisible without forensic tools.

These .lnk files can masquerade as documents or software installers, aiding in phishing attacks.

The exploit bypasses common endpoint defenses, which typically focus on executable threats, not shortcuts.

Despite a submitted proof-of-concept (PoC), Microsoft declined to patch the vulnerability, stating it doesn't meet its remediation criteria. This leaves defenders to rely on alternative protection methods.

4. Recommended Mitigations and Workarounds

Since no official patch exists, organizations must act proactively. Recommended best practices include:

Restrict and Monitor .lnk File Usage: Block or control execution from unknown or external sources.

Use Endpoint Detection Tools: Focus on hidden command-line execution and shortcut behaviors.

Enhance Network Visibility: Log and investigate .lnk-related activity, especially from unfamiliar origins.

Keep Systems Updated: While no direct patch exists, applying the latest Windows updates can reduce overall attack surface.

Phishing Awareness Training: Educate users on the risks of opening unexpected attachments or clicking unknown links.

Use Forensic Tools to Inspect Shortcuts: Analyze metadata to uncover hidden commands.

Adopt Behavioral-Based Detection: Move beyond signature detection to spot anomalies in file execution.

Disable Unnecessary Script Execution: Limit PowerShell and other scripting environments often abused through .lnk exploits.

Conclusion

The exploitation of ZDI-CAN-25373 by state-backed actors underscores the growing sophistication of modern cyber threats. Without a patch from Microsoft, it's essential for organizations to take defensive measures, improve visibility, and adopt a proactive threat-hunting approach.

This vulnerability serves as a stark reminder that non-executable file types like .lnk files can pose serious threats—especially when leveraged by nation-state actors for espionage and data exfiltration.

How do you feel about this post?

Tags:

Comments

No comments made yet. Be the first to submit a comment

Blog Categories

Application Development

33 post(s)

Cybersecurity

25 post(s)

Designs & Artworks

18 post(s)

Games

52 post(s)

General Information

61 post(s)

Guitar Covers

23 post(s)

Mobile Development

19 post(s)

News

109 post(s)

Personal Blog

21 post(s)

Tech Gadgets

31 post(s)

Technical Solutions

17 post(s)

Web Development

30 post(s)

Explore all articles

Blog Subscribe

Random Articles

01 January 2025

New Year 2025

Personal Blog

The year 2025 ushers in a wave of hope, renewal, and excitement, as people around the world celebrate the dawn of a new chapter with fervor and optimism. Fireworks light up the mid...

223 hits

08 February 2025

LEMON Background Remover – The Free, Instant AI-Powered Background Eraser!

Designs & Artworks

Ever struggled with removing backgrounds from images? We've all been there—spending hours trying to cut out objects manually or dealing with complicated software like Photoshop. Bu...

198 hits

02 April 2025

Carousell Rolls Out Buyer Magnet Feature with No Upfront Cost

Web Development

Carousell, the popular secondhand marketplace, has launched a new promotional tool called Buyer Magnet—a feature designed to increase the visibility of listings without requiring u...

23 hits

07 January 2025

ChatGPT: Revolutionizing Conversations and Productivity

General Information

ChatGPT, developed by OpenAI, has quickly become one of the most influential AI models available today, bridging the gap between human-like conversation and advanced computational ...

169 hits

LEMON-WEB VIDEO CHANNELS

Step into a world where web design & development, gaming & retro gaming, and guitar covers & shredding collide! Whether you're looking for expert web development insights, nostalgic arcade action, or electrifying guitar solos, this is the place for you. Now also featuring content on TikTok, we’re bringing creativity, music, and tech straight to your screen. Subscribe and join the ride—because the future is bold, fun, and full of possibilities!

ABOUT LEMON

Experienced webmaster specializing in functional, visually appealing web design since 2008, with a strong focus on programming and innovation.

Learn more

LEMON BLOG

Zero-Day Windows Shortcut Exploit Used by State-Backed Hackers Since 2017

Related Posts

Massive Data Breach Reportedly Exposes Emails of 200 Million X Users

Microsoft’s New AI Agents Are Built to Boost Cybersecurity Teams

MAHB Cyberattack: Hackers Demand US$10 Million, Malaysia Refuses to Pay

Comments

Blog Categories

Blog Subscribe

Random Articles

LEMON-WEB VIDEO CHANNELS

ABOUT LEMON

QUICK ACCESS

SOCIAL MEDIA

CONTACT INFO