New Windows Zero-Day Exploited by 11 State-Backed Hacking Groups Since 2017

A newly revealed Windows vulnerability has been exploited by at least 11 state-sponsored hacking groups from North Korea, Iran, Russia, and China since 2017, according to security researchers at Trend Micro’s Zero Day Initiative (ZDI).

Despite the widespread exploitation, Microsoft decided in late September that the flaw “does not meet the bar for servicing,” choosing not to release a security patch.

Researchers Peter Girnus and Aliakbar Zahravi reported discovering nearly 1,000 Shell Link (.lnk) files exploiting this vulnerability, designated ZDI-CAN-25373. “It’s likely that the total number of attacks is significantly higher,” they noted. Although a proof-of-concept exploit was submitted to Microsoft through Trend Micro’s bug bounty program, the tech giant declined to address it with an update.

Microsoft has not assigned an official CVE-ID to the flaw, but Trend Micro is tracking it internally as ZDI-CAN-25373. The vulnerability allows attackers to execute arbitrary code on affected Windows systems.

ZDI-CAN-25373 has been used in attacks by multiple advanced persistent threat (APT) groups and cybercriminal organizations, including Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, and Konni. Targets have spanned North America, South America, Europe, East Asia, and Australia, with approximately 70% of attacks focused on espionage and information theft and 20% aimed at financial gain.

How the Vulnerability Works

The flaw stems from a User Interface (UI) Misrepresentation of Critical Information weakness (CWE-451): Windows does not show users the full contents of shortcut (.lnk) files. Attackers exploit this by padding the malicious command-line arguments stored in these files with whitespace characters (spaces, tabs, and line breaks, embedded by their hex codes) so that the arguments fall outside what the Windows interface displays.

When users inspect these .lnk files, the malicious code remains hidden, making the shortcuts appear harmless. Exploitation typically requires user interaction, such as visiting a malicious website or opening a deceptive file.

“Carefully crafted data in an .lnk file can make hazardous content invisible to a user viewing it through the Windows interface,” Trend Micro explained. “This allows attackers to execute code under the current user’s permissions.”
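A defender-side check for the padding technique described above, added here as an example and not part of the article or ZDI's research: it walks the StringData section of a .lnk file following the published Shell Link binary format and flags a COMMAND_LINE_ARGUMENTS field that contains a long run of whitespace. The 16-character threshold and the constructed sample shortcut are assumptions.

```python
import struct

# LinkFlags bits from the Shell Link (.lnk) binary format (MS-SHLLINK, ShellLinkHeader)
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
PAD_CHARS = " \t\r\n\x0b\x0c"  # whitespace used to push the real arguments out of view

def string_data(blob, flags):
    """Skip the header, LinkTargetIDList and LinkInfo, then decode the StringData fields."""
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:                     # IDListSize (2 bytes) followed by the items
        off += 2 + struct.unpack_from("<H", blob, off)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize (4 bytes) covers the whole block
        off += struct.unpack_from("<I", blob, off)[0]
    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relpath"),
                     (HAS_WORK_DIR, "workdir"), (HAS_ARGS, "args"), (HAS_ICON, "icon")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", blob, off)[0]  # CountCharacters, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1          # UTF-16LE or ANSI code page
        raw = blob[off:off + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        off += count * width
    return fields

def longest_whitespace_run(text):
    longest = run = 0
    for ch in text:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    return longest

def scan_lnk(blob, threshold=16):
    """Flag shortcuts whose arguments hold a whitespace run of >= threshold characters (assumed cutoff)."""
    flags = struct.unpack_from("<I", blob, 0x14)[0]
    args = string_data(blob, flags).get("args", "")
    return {"padded": longest_whitespace_run(args) >= threshold, "visible_args": args.strip()}

def build_lnk(args):
    """Constructed minimal .lnk: a valid header plus only the COMMAND_LINE_ARGUMENTS field."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID
    struct.pack_into("<I", header, 0x14, HAS_ARGS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Run `scan_lnk(open(path, "rb").read())` over real shortcuts from mail attachments or downloads; `build_lnk` only exists to construct the sample used for testing.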

This vulnerability is similar to CVE-2024-43461, which allowed attackers to disguise malicious HTA files as PDFs using encoded braille whitespace characters. That flaw, also discovered by Trend Micro’s Peter Girnus, was patched by Microsoft in September 2024.