Full Report
Trend Micro researchers discovered and reported the eight-year-old defect to Microsoft six months ago. The company hasn’t made any commitments to patch or remediate the issue. The post Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Multiple Nation-State and Financially Motivated Groups Exploiting ZDI-CAN-25373
## Attribution & Identity
The vulnerability (ZDI-CAN-25373) is being actively exploited by at least six different nation-states. Key attributed actors include:
* **North Korean Groups:** Specifically named are **APT43** and **APT37**.
* **Russia-based Group:** **Evil Corp** (a cybercrime group linked to exploitation of this bug).
* **Suspected South Asian Group:** **Bitter**.
* **Other Nation-States:** Groups working on behalf of **Iran**, **China**, **India**, and **Pakistan**.
* **Other:** Groups associated with the **Konni malware**.
* **General:** Financially motivated cybercriminals.
## Activity Summary
Threat actors have been actively exploiting the Windows shortcut (.lnk file) zero-day vulnerability (ZDI-CAN-25373) since at least **2017**. The exploitation campaign is ongoing, with Trend Micro observing new, live samples daily, primarily from North Korean actors. Attackers use this vulnerability to propagate malware, leading to espionage, data theft, and cryptocurrency theft. Researchers estimate that the actual number of attacks is two to three times higher than what has been observed. Footholds gained during this multi-year campaign are likely still active on many systems globally.
## Tactics, Techniques & Procedures
* **Initial Access/Exploitation:** Exploitation of a zero-day vulnerability in Microsoft Windows related to how shortcut (.lnk) files are displayed.
* **Technique:** Attackers disguise .lnk files to look like another file type, tricking users into executing hidden malicious commands.
* **Mechanism:** Padding the shortcut's command-line arguments with large amounts of whitespace so that the malicious portion falls outside the limited area the Windows user interface reserves for displaying file information, leaving it invisible to the user inspecting the shortcut.
* **Persistence/Impact:** Delivery of embedded executable code/malware payloads.
* **MITRE ATT&CK IDs:** Not explicitly provided in the text.
## Targeting
* **Sectors:** Governments (primary target for espionage), think tanks, finance, cryptocurrency, telecom, military, and energy sectors.
* **Geography:** Global; attacks spread across the world. India-linked and Pakistan-linked groups are noted as using the exploit "essentially against each other."
* **Victims:** At least 300 different organizations confirmed to be affected, with thousands of devices infected.
## Tools & Infrastructure
* **Malware Families Used:** **Konni malware** is mentioned in connection with exploitation activity.
* **Infrastructure (C2, domains, IPs):** No specific URLs or IPs were provided in the text.
* **Vulnerability ID:** ZDI-CAN-25373
## Implications
The long-term, widespread exploitation of this vulnerability by multiple sophisticated state-sponsored actors (especially North Korea targeting finance/crypto) implies significant, persistent data breaches and financial loss globally. The willingness of so many distinct groups to use the same bug suggests the exploit mechanism is highly effective. The lack of remediation from Microsoft leaves a long-standing security gap that threat groups are actively leveraging for strategic espionage and financial gain.
## Mitigations
* Exercise caution when downloading files from unknown sources.
* Heed security warnings regarding potentially harmful files (especially shortcut files).
* Defenders should implement additional protective measures against code execution via manipulated shortcut file appearances, given Microsoft's decision not to provide an immediate patch.
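One concrete form of the additional protective measure called for above is to inspect shortcut files before they reach users. The following detector is an added example written for this page; it is not code from Trend Micro, CyberScoop or Microsoft. It follows the publicly documented Shell Link layout (header, optional ItemIDList and LinkInfo, then the StringData fields) far enough to extract COMMAND_LINE_ARGUMENTS and flags argument strings whose long runs of whitespace would push the real command out of the visible property field. The whitespace character set, the `MAX_RUN` threshold and the `build_sample_lnk` fixture are this example's own assumptions, not values from the report.

```python
"""Flag whitespace-padded COMMAND_LINE_ARGUMENTS in Windows .lnk files (added example)."""
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Assumption: characters counted as padding, and the run length above which a shortcut is flagged
WHITESPACE = frozenset(" \t\n\r\x0b\x0c")
MAX_RUN = 16


def _unpack(fmt, data, off):
    """Unpack one little-endian field, raising ValueError instead of struct.error on truncation."""
    size = struct.calcsize(fmt)
    if off + size > len(data):
        raise ValueError("truncated shell link at offset %d" % off)
    return struct.unpack_from(fmt, data, off)[0], off + size


def _read_string(data, off, is_unicode):
    """Read one StringData entry: CountCharacters (u16) followed by the characters, no terminator."""
    count, off = _unpack("<H", data, off)
    end = off + count * (2 if is_unicode else 1)
    if end > len(data):
        raise ValueError("truncated StringData at offset %d" % off)
    text = data[off:end].decode("utf-16-le" if is_unicode else "cp1252", errors="replace")
    return text, end


def parse_lnk_strings(data):
    """Return the StringData fields present in a .lnk (name, relative_path, working_dir, arguments, icon_location)."""
    hdr_size, _ = _unpack("<I", data, 0)
    if hdr_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    flags, _ = _unpack("<I", data, 20)
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16) precedes the ItemIDList
        size, off = _unpack("<H", data, off)
        off += size
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) counts the whole structure, itself included
        size, _ = _unpack("<I", data, off)
        off += size
    is_unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            fields[name], off = _read_string(data, off, is_unicode)
    return fields


def longest_whitespace_run(text):
    """Length of the longest consecutive run of padding characters in text."""
    best = cur = 0
    for ch in text:
        cur = cur + 1 if ch in WHITESPACE else 0
        best = max(best, cur)
    return best


def assess_lnk(data, max_run=MAX_RUN):
    """Parse a .lnk and report whether its arguments carry a whitespace run long enough to hide a command."""
    args = parse_lnk_strings(data).get("arguments", "")
    run = longest_whitespace_run(args)
    return {
        "arguments_length": len(args),
        "longest_whitespace_run": run,
        "visible_arguments": args.strip()[:80],
        "suspicious": run >= max_run,
    }


def build_sample_lnk(arguments, is_unicode=True):
    """Constructed test fixture: a minimal Shell Link carrying only COMMAND_LINE_ARGUMENTS."""
    flags = HAS_ARGUMENTS | (IS_UNICODE if is_unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # zero attrs/times/size, SW_SHOWNORMAL
    encoded = arguments.encode("utf-16-le" if is_unicode else "cp1252")
    return header + struct.pack("<H", len(arguments)) + encoded


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, assess_lnk(fh.read()))
```

Run it over a mail-gateway quarantine or a download directory (`python lnk_padding_check.py *.lnk`) and review anything marked `suspicious`; the `visible_arguments` field shows what the user would have seen after the padding is stripped, which is the part a manual triage wants first. The threshold is deliberately low because legitimate shortcuts almost never contain more than a handful of consecutive spaces, so tuning should start from the false-positive rate on a known-good sample set rather than from the padding lengths seen in attacks.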