Analysis Summary

At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a Windows zero-day vulnerability (ZDI-CAN-25373) since 2017 for cyber espionage and data theft. Despite its widespread use, Microsoft declined to release a security patch, stating that it "does not meet the bar for immediate servicing."

Security researchers found nearly 1,000 Shell Link (.lnk) samples exploiting the vulnerability, though actual exploitation attempts are likely much higher. The flaw allows attackers to execute arbitrary code on Windows systems via malicious .lnk files.

ZDI-CAN-25373 has been actively exploited by state-sponsored threat actors and cybercrime gangs, including Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, and Konni. The attacks primarily target North America, South America, Europe, East Asia, and Australia, with 70% linked to espionage and 20% focused on financial gain. Malware such as Ursnif, Gh0st RAT, and Trickbot has been deployed using this vulnerability, with malware-as-a-service (MaaS) platforms further complicating the threat landscape.

The ZDI-CAN-25373 vulnerability is caused by a User Interface (UI) Misrepresentation of Critical Information (CWE-451) weakness. Attackers exploit how Windows displays shortcut (.lnk) files, hiding malicious command-line arguments using whitespace padding (e.g., Space, Horizontal Tab, Linefeed, Vertical Tab, Form Feed, Carriage Return). This prevents users from seeing malicious commands when inspecting the file, enabling stealthy code execution.

Exploiting this flaw requires user interaction, such as opening a malicious file or visiting a compromised webpage. This is similar to CVE-2024-43461, another Windows vulnerability patched in September 2024, which allowed threat actors to camouflage HTA files as PDFs using 26 encoded braille whitespace characters. The Void Banshee APT exploited CVE-2024-43461 in attacks targeting organizations across North America, Europe, and Southeast Asia.

After Trend Micro submitted a proof-of-concept exploit, Microsoft declined to patch ZDI-CAN-25373, stating that Microsoft Defender and Smart App Control provide sufficient protection by detecting and blocking malicious files from the Internet. However, the company has not ruled out addressing the flaw in a future feature release.

With active exploitation ongoing, security experts urge users to exercise caution when downloading files and rely on security warnings to mitigate the risk.

Impact

• Data Theft
• Command Espionage
• Remote Code Execution

Indicators of Compromise

MD5

• 18983de56bb363009528a125b8f4145f
• 36c57f247dcda3048ad2cec9ea80dcb0
• fae06cd491519b67a08739365bd40ff2
• c6e84e6af362cd9fc81eed2b2a09e1dd
• 9a2b0bfa79a6739c688731869a618a34
• fa5de35e4fe56cc28f278c5851d948ef
• a2cd56929c707867d43a829074d15615
• 589bd6301ef5bd8d1fff5946be51d495
• 0d4dd1ae8a84544ce76009c4ddc94c99
• c402f9d8ae02450613e871584047ba2c
• b377d9895641a119541add113ccfabc1
• 128048b84ec66dd6d0f430b2acdf1441
• 9ed76d26a0b56d4b808a65af7fbe4e03
• 3d529f6f077eae5c7c2830729f20689f
• 00d036a22c22fdce3d8de49a2b080f47
• 4ab1a77f0480a1949898a4879e9f2222
• d8c1609d82a74843dc795128121c190c
• 016e4f308b261e4025cb8452b28ac53d
• e5efca663816c7f9e7b24692e8d90be7
• fb127a60b29af914eebdf87121320224
• a53115a21b25872d828a288b786fed6f
• cb36db26550d804add58f92fe636d120
• 40e14abd06af70230849704760272cea
• 501e179f145488a3a149a95fa9e1a261
• 2bdd91c8b815db57708c288d0b5b0934
• 35afe7241fdda7d5ce66e9354c667b38
• bb7ef882258704c7cce228d248d9c02d
• fd1dcb49207efcbb0dbdb471a85fbe55
• a1df43d5259798e8a3afc3e7b3c2d9f8
• 595e44fa3ac47d9700e713c52a319a1d

SHA-256

• 8f54dfa771cd17aab3b5d53c82f92e35a30190b44a64ac86b5739758a1640ee7
• 1f26910512251dc4bdc24b080f7c627d0bb4b4de5acd4b7ad4ab024ae28cd115
• 65209053f042e428b64f79ea8f570528beaa537038aa3aa50a0db6846ba8d2ec
• 09136a336afe478ac8753a6c37cfc2909f616d34055a2e5c837adc754ec53cd5
• b5cc34a94923d976a5fde8a8b4d821a7b7250d17811336771da639f0c4d47612
• 23ac6f34aff45a4ca9049d5574c80f0a8c87d63e515703b5e8f0b7efa1465fae
• 088e7051510eb7c5da9f5eda6d02d67f1fee45b92545d0f0599268a7664766e8
• 3894eeb299d18b901d84751b732ef74787473f5f5068f33e134f1797df24a101
• 402b4e9274c095980f18e11323f38bdff977970333f24a0959782b08040b9301
• e62c3135fd708ee420cf767fa1654d8d66ff01f5160ddadf633e3cc5eaeaa926
• 60399af128fe7c036a4e6a6512257d13785dd1189db1adef9a3efb8aa32cbaab
• c05c31c6dda6b60c17d713abade20c70637e8ee2dc7d9ab4997632bdb08e065c
• e2683abe36ffc49d29302a0c9ef05a485edfd3d0dcf5379a7138557979957157
• 5be9aba659baa089bcd253905deaf3f084f2b8f03701e90f2a46b36781165925
• 6b4adbe48aa470ad880a8ea218231557bd0e7fe86663a38f57c7e036024e8ddc
• 41e1e2a4bab7d5fff688b2297e06e3f59d2becc93d66fb591a9cc3b8cefac6e3
• 536cd589cd685806b4348b9efa06843a90decae9f4135d1b11d8e74c7911f37d
• f1ecc577c84a0c424aab7454f449bd058203f127c08b9b34c3db78e20152db0a
• a66861fb3ee9e3d5208a28726c8fe112ff4b42b5d495adf1e1e75a9ea85e3ff9
• 904db68a915b4bbd0b4b2d665bb1e2c51fa1b71b9c44ce45ccd4b4664f2bfd8e
• d5c0fd26ba1504bde3222202f7a257efa9cdbc6949718495a7c33cd6510fce2a
• 0b705938e0063e73e03645e0c7a00f7c8d8533f1912eab5bf9ad7bc44d2cf9c3
• 9c1acde0627da8b518b0522d6fed15cecf35b20ed8920628e9f580cfc3f450ed
• d551600a83dcbc565c4a0c0b1c646dce0a68f142e751f5e4c7f548ddf32ccce4
• cfd0d56ca3d6c9ca232252570522c4b904be2807c461276979b1f8c551ccd4aa
• 0cc18895123f2fe93490ecba6c2ba52969e9fa48004983e224f458f4e14ecd5d
• d754dec71086a2062aec873e5725d3a29ae8fb7e11d13e6d9887a1b06aa3ce1d
• 6d33b1d78a0e9209d52b76545d4dbda3891a304f40e7debfe071506fc1ffe9e2
• ace373be0ca31901629f51489be34ff2f7a827b94797cdb560208390464530b5
• fa02ca808a91205384a309ce7c7210d502bf6b2a98f692bdd334ad0a7c5eab37

SHA-1

• 2b75d485f28365a6f669046637aedaaa47341f92
• 7976c50fc68c29dcc7ebc923aefdef731e322b38
• cbf4671ea72268a9bd618ab3f753442c2fc38a2a
• 6de424cae88f72702d357c7601d4278560ee771f
• 531e6383b695def24d76102a96bedcee183dd732
• 0b97d87a4a82b00d924ce235772711eee5b652f1
• 734ad0c7aeef23747aaca50126bde60ad8c59183
• f08b0b635071eb3f69e7c01199aa8858ce49c811
• 0f46c7d7f226a85d918221964722db4900cd91b1
• 4e2eaf83c7d75f76c95ca091cab98a09bae1a310
• 1f53a175329ee3a2689bd60c1f1a7dcf12ca8a7f
• 410d41db609b6adf477b4b96b2c653b18cb83f20
• eb5cb24f7652dce339b19e2e29f9c70aac606efb
• 057a4807cf66bfa95bd227846823b546ed94ee2a
• 30b01428fc92f605af01b294bce3ffe9e17e806a
• bb01c3b7fa1913f5d65229e3d8295ccaf2d6cc5d
• 1ad071c3a13c2bceabf0f35c5528854c5c87d0e0
• 3cce151c2ef59ba780bb2dd438237920c75a7f89
• 23b6d6ac67fdc1d3b36d2bae19585c920866dc06
• 39e66bbb5a31314d4ffabfccbf98f6b68987e3d1
• 468c6dce270310045cf70c57c6cddd82d3bffa38
• dc0625ec8ef237b3797ce2d2b4f000c743d9f7b1
• 76cc7b3c94e8cc83999e361cafeea060bff115ba
• eb869df9a4d3c689d30afaa95f32a2b8b94c3506
• 92335b522bf02dc047e5a38faf3a85bf6f0ac204
• ef32de9685eaa1f7137b0e74490d46740cf5e292
• b433e4077183423b336c8de44d26d2c0f42ae93d
• 5a86dc145c1597b5306a55a837d84e7dd5add898
• ed2daa7e075844e62ef291391863b610c14d64b3
• becc93d0f6595ec013c14075ba198a76d2101c2e

Remediation

• Regularly scan systems for malicious .lnk files and remove any suspicious ones.
• Update Windows and security software to the latest versions to minimize risks.
• Implement endpoint protection solutions to detect and block malicious activities.
• Restrict the execution of .lnk files from untrusted sources or external devices.
• Monitor network activity for unusual command executions related to shortcut files.
• Apply application control policies to limit the execution of unauthorized scripts.
• Use advanced threat detection tools to identify hidden malware within .lnk files.
• Segment networks to reduce the impact of potential intrusions.
• Regularly back up important data to mitigate risks from cyberattacks.