
A recently uncovered vulnerability, ZDI-CAN-25373, identified by the Trend Zero Day Initiative (ZDI), is at the center of sophisticated, state-sponsored cyber espionage operations globally. Leveraging crafted Windows shortcut (.lnk) files, attackers have successfully concealed malicious commands, significantly complicating threat detection and defense.
According to ZDI, attackers utilized nearly 1,000 malicious .lnk files designed to exploit ZDI-CAN-25373, enabling covert execution of commands on victim systems. “The exploitation of ZDI-CAN-25373 exposes organizations to significant risks of data theft and cyber espionage,” warns the report.
This zero-day has been actively exploited by state-sponsored groups from North Korea, Iran, Russia, and China since as early as 2017. Organizations across government, finance, telecommunications, military, and energy sectors in North America, Europe, Asia, South America, and Australia have been primary targets. Notably, nearly half of the state-sponsored threat actors exploiting this vulnerability originate from North Korea, highlighting extensive collaboration and tool-sharing within their cyber programs.

Trend ZDI researchers observed advanced evasion tactics, noting that attackers padded the shortcut's command-line arguments with whitespace characters so that the malicious payload is pushed out of the visible portion of the shortcut's properties. “The impact of this exploit is that the command line arguments that will be executed by the .lnk file are completely hidden from the user’s view,” the report emphasizes. Additionally, North Korean APT groups like Earth Manticore (APT37) and Earth Imp (Konni) have utilized exceptionally large .lnk files, reaching up to 70 MB, to further evade detection.
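The padding trick is detectable by parsing the shortcut directly rather than trusting the Properties dialog. The following is an added example, not code from the report or from Trend ZDI: it reads the Shell Link header and StringData section of a .lnk file according to the public MS-SHLLINK layout, pulls out COMMAND_LINE_ARGUMENTS, and flags shortcuts whose arguments begin with an abnormally long run of whitespace (the detection threshold and the constructed sample shortcut are assumptions).

```python
import struct
from typing import Dict, Optional

HEADER_SIZE = 0x4C                       # ShellLinkHeader is always 76 bytes
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
PAD_CHARS = " \t\r\n\x0b\x0c"           # whitespace that renders as blank in the UI

def _read_string(buf: bytes, off: int, unicode: bool):
    """One StringData item: uint16 CountCharacters followed by the characters."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    width = 2 if unicode else 1
    raw = buf[off:off + count * width]
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return text, off + count * width

def parse_lnk_strings(buf: bytes) -> Dict[str, str]:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 20)[0]      # LinkFlags sits after HeaderSize + LinkCLSID
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                # uint16 IDListSize + IDList
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                          # uint32 LinkInfoSize (includes itself)
        off += struct.unpack_from("<I", buf, off)[0]
    unicode = bool(flags & IS_UNICODE)
    out: Dict[str, str] = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if flags & bit:
            out[name], off = _read_string(buf, off, unicode)
    return out

def padded_arguments(buf: bytes, threshold: int = 16) -> Optional[str]:
    """If the arguments start with more than `threshold` whitespace chars (assumed cut-off),
    return the hidden command with the padding stripped; otherwise None."""
    args = parse_lnk_strings(buf).get("arguments", "")
    leading = len(args) - len(args.lstrip(PAD_CHARS))
    return args.strip(PAD_CHARS) if leading > threshold else None

def build_sample_lnk(arguments: str) -> bytes:
    """Constructed minimal .lnk for testing: header + COMMAND_LINE_ARGUMENTS only."""
    header = struct.pack("<I", HEADER_SIZE) + bytes.fromhex("0114020000000000c000000000000046")
    header += struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE) + bytes(HEADER_SIZE - 24)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Running `padded_arguments` over a directory of shortcuts gives a quick triage list; the real samples in the report use the same trick with mixed spaces, tabs and line feeds, which PAD_CHARS covers.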
Despite the severity, Microsoft classified ZDI-CAN-25373 as low severity and declined to issue an immediate patch through its bug bounty program, a decision that may shape how similar issues are handled in future.
The attacks primarily aim at espionage (70%) and financial gain (over 20%), targeting sectors such as government, financial institutions, telecommunications, military, and energy. ZDI strongly recommends that organizations urgently scan their systems for malicious .lnk files and implement comprehensive endpoint and network protection measures.