Untracked Windows Vulnerability Exploited by Nation-State Actors (ZDI-CAN-25373)

Filip Dimitrov

March 19, 2025

A newly discovered Windows zero-day vulnerability, ZDI-CAN-25373, has been actively exploited by nation-state actors from North Korea, Iran, Russia, and China for at least eight years. This untracked flaw allows attackers to execute hidden malicious commands through .LNK (shortcut) files, making it a dangerous tool for cyber espionage and data theft.

Despite its wide-scale exploitation, Microsoft has declined to release a patch, stating that the issue does not meet its threshold for immediate servicing. This means organizations worldwide remain exposed, with attackers leveraging the flaw in high-profile cyber operations.

Technical Details

ZDI-CAN-25373 is a User Interface (UI) Misrepresentation of Critical Information (CWE-451) vulnerability in Windows Shortcut (.LNK) files.

The flaw allows malicious command-line arguments to be hidden within .LNK files by padding them with whitespace characters, which prevents users and security tools that inspect the shortcut from seeing the hidden commands.

How Attackers Exploit This Flaw

  1. Threat actors craft a malicious .LNK file containing hidden command-line arguments.
  2. A victim opens the shortcut, unknowingly executing the hidden cmd.exe or PowerShell commands.
  3. Malware is deployed or system access is gained, enabling data theft, credential harvesting, or further exploitation.

This stealthy execution method makes detection difficult, as no visible command-line arguments appear in Windows’ UI.

Malware Delivered via This Exploit

ZDI-CAN-25373 has been used to distribute various malware strains, including:

  • Ursnif – Banking Trojan for credential theft
  • Gh0st RAT – Remote access Trojan used for espionage
  • Trickbot – Modular malware used by ransomware gangs
  • Raspberry Robin – Malware used by Evil Corp for ransomware deployment

Threat Actors Behind the Exploitation

At least 11 state-sponsored APT (Advanced Persistent Threat) groups have been exploiting ZDI-CAN-25373. Many of these groups have previously exploited zero-day vulnerabilities in highly sophisticated operations.

Confirmed groups using this exploit:

Country       APT Groups                                  Tactics Used
North Korea   APT37 (ScarCruft), APT43 (Kimsuky), Konni   Espionage, credential theft, malware distribution
China         Mustang Panda, RedHotel                     Data exfiltration, lateral movement, persistence
Iran          Bitter, SideWinder                          Cyber espionage, nation-state surveillance
Russia        Evil Corp                                   Financial fraud, ransomware deployment

Targeted Sectors and Countries

State-sponsored hacking groups from North Korea, China, Iran, and Russia have been actively exploiting ZDI-CAN-25373 since at least 2017. Their operations primarily target government agencies, financial institutions, telecommunications, and critical infrastructure across North America, Europe, and Asia.

Impact

ZDI-CAN-25373 poses a significant security risk because Microsoft has declined to issue a patch, leaving organizations permanently exposed to attacks that leverage this vulnerability. The fact that multiple nation-state actors have been leveraging this exploit for nearly a decade underscores its effectiveness in covert intelligence gathering and cyber warfare operations.

Beyond espionage, this vulnerability has also been weaponized for financially motivated attacks. Threat actors are using it to deploy a variety of high-impact malware payloads, including Ursnif (banking Trojan), Gh0st RAT (remote access tool), Trickbot (modular malware), and Raspberry Robin (used by ransomware operators). 

These infections enable attackers to steal sensitive information, establish persistent access to compromised systems, and, in some cases, deploy ransomware for financial extortion.

Mitigation

Without a security patch, organizations must take proactive measures to minimize exposure to ZDI-CAN-25373. This includes:

  1. Restrict Execution of Untrusted .LNK Files: Configure Group Policy or Windows Defender Application Control (WDAC) to prevent the execution of .LNK files originating from external or untrusted locations, such as email attachments, USB drives, and network shares.
  2. Monitor and Detect Suspicious Activity: Use Endpoint Detection and Response (EDR) solutions to flag unusual PowerShell or cmd.exe executions initiated by .LNK files. Implement Windows Event Logging and Sysmon to track hidden command-line arguments within shortcut files.
  3. Limit Command-Line Execution: Enforce security controls using AppLocker or Windows Defender Exploit Guard to prevent unauthorized scripts and command-line executions. Restrict PowerShell usage to admin-approved scripts only.
  4. Strengthen Email and Network Security: Block .LNK attachments in emails using email security gateways. Deploy Intrusion Detection/Prevention Systems (IDS/IPS) to identify network traffic anomalies associated with malicious shortcut files.
  5. Increase User Awareness: Educate employees about the risks of opening unknown .LNK files. Implement security policies that warn users against downloading or executing shortcuts from untrusted sources.
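As an added example that is not part of the original article, the following Python walks the MS-SHLLINK structure of a .LNK file, reads its COMMAND_LINE_ARGUMENTS string and flags the case described under Technical Details: a long run of whitespace followed by further argument text, which is exactly what mitigation item 2 asks EDR and logging to track. The PAD_CHARS set, the 16-character threshold and the build_lnk fixture builder are assumptions of this example, and the shortcut bytes it builds are constructed test data, not real artifacts.

```python
"""Flag .LNK files whose COMMAND_LINE_ARGUMENTS hide text behind whitespace padding (MS-SHLLINK)."""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1); the first three StringData items precede the arguments
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR = 0x01, 0x02, 0x04, 0x08, 0x10
HAS_ARGUMENTS, IS_UNICODE = 0x20, 0x80
PAD_CHARS = " \t\n\r\v\f\u00a0\u3000"  # whitespace-class code points to count; this set is an assumption
PAD_THRESHOLD = 16                      # run length treated as padding; this value is an assumption

def _read_string(data, pos, unicode_):
    """StringData item: 2-byte CountCharacters, then that many chars (UTF-16LE if IsUnicode, else ANSI)."""
    count, width = struct.unpack_from("<H", data, pos)[0], 2 if unicode_ else 1
    raw = data[pos + 2:pos + 2 + width * count]
    return raw.decode("utf-16-le" if unicode_ else "cp1252"), pos + 2 + width * count

def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a .LNK, or None when HasArguments is clear."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LINK_CLSID:
        raise ValueError("not a ShellLink header")
    flags, pos = struct.unpack_from("<I", data, 0x14)[0], HEADER_SIZE
    if flags & HAS_ID_LIST:      # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfoSize (4 bytes) counts the whole LinkInfo structure
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode_ = bool(flags & IS_UNICODE)
    for flag in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR):
        if flags & flag:
            pos = _read_string(data, pos, unicode_)[1]
    return _read_string(data, pos, unicode_)[0] if flags & HAS_ARGUMENTS else None

def has_padded_arguments(data):
    """True when a run of >= PAD_THRESHOLD whitespace chars is followed by more argument text."""
    run = 0
    for ch in lnk_arguments(data) or "":
        if ch in PAD_CHARS:
            run += 1
        elif run >= PAD_THRESHOLD:
            return True          # visible prefix, then padding, then the hidden remainder
        else:
            run = 0
    return False

def build_lnk(args, unicode_=True):
    """Constructed test fixture: header with only HasArguments (+IsUnicode) set and one StringData item."""
    flags = HAS_ARGUMENTS | (IS_UNICODE if unicode_ else 0)
    header = (struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)).ljust(HEADER_SIZE, b"\0")
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le" if unicode_ else "cp1252")
```

The same padded string also reaches process-creation telemetry (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled) when the shortcut launches cmd.exe or powershell.exe from explorer.exe, so the run-length check above can be applied to those log fields as well as to the file on disk.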