Full Report
Trend Micro researchers discovered and reported the eight-year-old defect to Microsoft six months ago. The company hasn’t made any commitments to patch or remediate the issue. The post Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Multiple Nation-State and Cybercrime Groups exploiting ZDI-CAN-25373
## Attribution & Identity
The vulnerability (ZDI-CAN-25373) is being actively exploited by at least six nation-states. Specific threat actors/groups attributed include:
* **North Korean groups:** APT43 and APT37 (the most active, accounting for nearly half of nation-state attacks).
* **Russia-based group:** Evil Corp (cybercrime group).
* **Suspected South Asian espionage group:** Bitter.
* **Other involved nation-states:** Iran, Russia, China, India, and Pakistan.
* **Other:** Konni malware operators and general financially motivated cybercriminals.
## Activity Summary
Threat actors have been exploiting the zero-day vulnerability in Windows shortcut (.lnk) files since at least 2017. The primary objectives observed are espionage, data theft, and cryptocurrency theft. The groups using this exploit are highly diverse, suggesting widespread knowledge of the flaw. Thousands of devices across at least 300 different organizations have been infected. Attacks linked to North Korean groups are heavily financially motivated, focusing on cryptocurrency. Attacks against governments are primarily for espionage and data theft, occurring at more than twice the rate of financially motivated attacks. Footholds gained from this years-long campaign are believed to persist in many compromised systems globally.
## Tactics, Techniques & Procedures
- **Vulnerability Exploitation:** Leveraging a zero-day vulnerability in how Windows displays `.lnk` (shortcut) files (ZDI-CAN-25373).
- **LNK File Masquerading:** Attackers make shortcut files appear as a different file type to trick victims into execution.
- **Hidden Command Execution:** Exploiting the vulnerability allows attackers to execute hidden malicious commands embedded within the shortcut file structure.
- **Information Hiding:** Attackers pad the shortcut's command-line arguments with whitespace ("whitespace padding") so that the Windows user interface, which shows the file path, does not display the actual arguments.
- **Delivery Mechanism:** Delivery of malware payloads via these crafted `.lnk` files.
- **Objective-Specific Targeting:** Espionage and data theft (governments) versus financial gain and cryptocurrency theft (financially motivated groups).
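The padding technique above lives in one field of the Shell Link binary format, so a defender can triage `.lnk` attachments without opening them. The following is an added example (editor's code, not Trend Micro's, Microsoft's, or CyberScoop's): it walks the public MS-SHLLINK layout far enough to pull out the StringData fields, then flags a shortcut whose COMMAND_LINE_ARGUMENTS contain a long whitespace run or any non-space whitespace (tab, newline, etc.). The `PADDING_THRESHOLD` value, the `suspicious` heuristic, and `build_sample_lnk` (a minimal fixture used only to produce test input) are all constructed for this example; the placeholder argument strings are not real payloads.

```python
import re
import struct

# Shell Link header constants taken from the public MS-SHLLINK specification.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

CONTROL_WHITESPACE = "\t\n\v\f\r"         # whitespace other than a plain space
WS_RUN = re.compile(r"[ \t\n\v\f\r]+")
PADDING_THRESHOLD = 50                    # constructed heuristic; tune against your own shortcut baseline


def parse_string_data(data: bytes) -> dict:
    """Walk a .lnk file far enough to return its StringData fields (name, arguments, ...)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (2 bytes) followed by the IDList itself
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize counts the whole LinkInfo structure
        offset += struct.unpack_from("<I", data, offset)[0]
    is_unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, offset)[0]   # CountCharacters, not bytes
        offset += 2
        nbytes = count * 2 if is_unicode else count
        raw = data[offset:offset + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} string")
        offset += nbytes
        fields[name] = raw.decode("utf-16-le") if is_unicode else raw.decode("cp1252", errors="replace")
    return fields


def scan_lnk(data: bytes, threshold: int = PADDING_THRESHOLD) -> dict:
    """Flag a shortcut whose COMMAND_LINE_ARGUMENTS carry whitespace padding."""
    args = parse_string_data(data).get("arguments", "")
    longest = max((len(run) for run in WS_RUN.findall(args)), default=0)
    control = sorted({f"0x{ord(c):02x}" for c in args if c in CONTROL_WHITESPACE})
    return {
        "arguments_length": len(args),
        "longest_whitespace_run": longest,
        "control_whitespace": control,
        # What an analyst should read: the arguments with the padding collapsed away.
        "normalized_arguments": WS_RUN.sub(" ", args).strip(),
        "suspicious": longest >= threshold or bool(control),
    }


def build_sample_lnk(arguments: str, unicode: bool = True) -> bytes:
    """Constructed test fixture: a minimal Shell Link carrying only COMMAND_LINE_ARGUMENTS."""
    flags = HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = (
        struct.pack("<I", HEADER_SIZE) + LINK_CLSID
        + struct.pack("<II", flags, 0)            # LinkFlags, FileAttributes
        + b"\x00" * 24                            # Creation/Access/Write FILETIMEs
        + struct.pack("<IIIH", 0, 0, 1, 0)        # FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL, HotKey
        + b"\x00" * 10                            # Reserved1..3
    )
    encoded = arguments.encode("utf-16-le") if unicode else arguments.encode("cp1252")
    string_data = struct.pack("<H", len(arguments)) + encoded
    terminal_block = struct.pack("<I", 0)          # ExtraData ends with a block whose size is < 4
    return header + string_data + terminal_block


if __name__ == "__main__":
    padded = build_sample_lnk(" " * 200 + "/placeholder-hidden-argument")
    benign = build_sample_lnk("--verbose --config settings.ini", unicode=False)
    for label, blob in (("padded", padded), ("benign", benign)):
        print(label, scan_lnk(blob))
```

Run against a quarantined attachment with `scan_lnk(open(path, "rb").read())`; the `normalized_arguments` field gives the analyst the argument text as it would actually reach the target, regardless of how the Properties dialog renders it. The threshold only catches the long-run form of the technique, which is why any tab, line feed, carriage return, vertical tab or form feed in the arguments is flagged independently: those characters have no place in a normal shortcut command line.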
## Targeting
- **Sectors:** Governments, think tanks, finance, cryptocurrency, telecom, military, and energy sectors.
- **Geography:** Global spread, with persistent footholds feared globally.
- **Victims:** At least 300 different organizations affected.
## Tools & Infrastructure
- **Malware families used:** Konni malware mentioned in relation to attributed exploits.
- **Infrastructure (C2, domains, IPs):** No specific C2 domains, IPs, or associated CVEs were listed in the provided text, only the Trend Micro tracking ID for the vulnerability: ZDI-CAN-25373.
## Implications
The long history (since 2017) and wide diversity of actors using this single zero-day flaw indicate a highly shared and persistent risk environment. Microsoft's decision not to immediately patch this "user interface issue" means that organizations globally remain vulnerable to sophisticated attacks that bypass normal file type warnings. The persistence of these exploits suggests significant ongoing compromise across critical infrastructure sectors.
## Mitigations
- Exercise extreme caution when downloading files from unknown sources, especially executable files or shortcuts presented as other file types.
- Organizations should implement enhanced security policies recognizing that `.lnk` files present a viable execution vector, particularly when displayed incorrectly or originating externally.
- Defenders should monitor for signs of compromise related to the known persistence gained from this years-long campaign.