State-Sponsored Hackers Exploit Windows Zero-Day Vulnerability for Cyber Espionage
A critical unpatched vulnerability in Microsoft Windows has been actively exploited by 11 state-sponsored hacking groups from China, Iran, North Korea, and Russia since at least 2017, enabling cyber espionage, data theft, and financial crimes.

Unpatched Windows Flaw Targeted by Threat Actors from China, Iran, North Korea, and Russia
The flaw, identified as ZDI-CAN-25373 by Trend Micro's Zero Day Initiative (ZDI), allows attackers to execute hidden malicious commands on compromised systems through specially crafted Windows Shortcut (.LNK) or Shell Link files.
How the Exploit Works
According to security researchers Peter Girnus and Aliakbar Zahravi, the attackers leverage hidden command-line arguments within .LNK files to conceal malicious payloads and evade detection. The technique utilizes whitespace characters such as:
• Space (0x20)
• Horizontal Tab (0x09)
• Line Feed (0x0A)
• Vertical Tab (0x0B)
• Form Feed (0x0C)
• Carriage Return (0x0D)
This manipulation prevents security tools from properly detecting the malicious commands embedded within .LNK files.
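As an added example (not code from the article, Trend Micro or ZDI), the following Python checker walks a Shell Link file to its StringData section using the MS-SHLLINK layout and flags a COMMAND_LINE_ARGUMENTS field that contains a long run of the six whitespace characters listed above. The two .LNK samples are constructed inline for the demonstration, and the run-length threshold of 32 is an assumption, not a value from the report.

```python
import struct
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID, on-disk byte order
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80          # LinkFlags bits
# StringData fields in on-disk order, each gated by its LinkFlags bit
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]
PADDING = set(" \t\n\x0b\x0c\r")   # the six whitespace characters used as padding

def parse_lnk(data):
    """Walk a .LNK up to its StringData section and return the string fields."""
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = hdr_size
    if flags & HAS_IDLIST:       # LinkTargetIDList: 2-byte IDListSize, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:     # LinkInfo: 4-byte LinkInfoSize that counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for name, bit in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields

def longest_padding_run(text):   # real command lines keep this tiny
    best = run = 0
    for ch in text:
        run = run + 1 if ch in PADDING else 0
        best = max(best, run)
    return best

def scan_lnk(data, threshold=32):
    """Return (suspicious, padding_run, arguments without padding) for one .LNK blob."""
    args = parse_lnk(data).get("arguments", "")
    run = longest_padding_run(args)
    return run >= threshold, run, args.strip()

def build_lnk(relative_path, arguments):
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body + b"\x00\x00\x00\x00"   # TerminalBlock closes the ExtraData section

# build_lnk makes a constructed minimal .LNK (header, two StringData fields, terminal block);
# the second sample hides its real arguments behind 300 padding characters
BENIGN = build_lnk("..\\..\\Windows\\System32\\notepad.exe", "C:\\notes.txt")
PADDED = build_lnk("..\\..\\Windows\\System32\\cmd.exe", " \t" * 150 + "/c echo hidden")
```

Real samples also carry a LinkTargetIDList and LinkInfo, which the parser skips by their size fields, so the same function can be run over files collected from mail gateways or endpoints.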
Global Targets and APT Groups Involved
ZDI has identified nearly 1,000 malicious .LNK file samples exploiting this vulnerability, with many linked to well-known Advanced Persistent Threat (APT) groups, including:
✅ Evil Corp (Water Asena) – A Russian cybercrime group.
✅ Kimsuky (Earth Kumiho) – A North Korean threat actor.
✅ Konni (Earth Imp) – A North Korean cyber-espionage group.
✅ Bitter (Earth Anansi) – A South Asian APT group.
✅ ScarCruft (Earth Manticore) – Another North Korean-linked threat actor.
Notably, nearly half of the threat actors exploiting this flaw originate from North Korea, suggesting potential collaboration between different Pyongyang-affiliated cyber units.
Primary targets of these attacks include:
• Government agencies
• Private corporations
• Financial institutions
• Think tanks
• Telecommunications providers
• Military and defense organizations
Victims have been detected across multiple countries, including the United States, Canada, Russia, South Korea, Vietnam, and Brazil.
Malware Used in Attacks
The .LNK files serve as a delivery mechanism for various malware families, including:
• Lumma Stealer – Information-stealing malware.
• GuLoader – A downloader for remote payload execution.
• Remcos RAT – A remote access trojan for persistent system control.
• Raspberry Robin – Used by Evil Corp for further payload deployment.
Microsoft’s Response
Despite the risks posed by ZDI-CAN-25373, Microsoft has categorized the issue as low severity and has no immediate plans to release a patch.
According to Microsoft:
• Defender already detects and blocks threats exploiting this vulnerability.
• Smart App Control provides additional protection by preventing malicious files from executing.
• Outlook, Word, Excel, PowerPoint, and OneNote already block .LNK files downloaded from the web.
While Microsoft acknowledges the security risk, it considers the attack limited in practical use and may address the issue in a future Windows update.
Conclusion
The continued exploitation of an unpatched Windows zero-day by state-sponsored hacking groups underscores the importance of proactive security measures. Organizations are advised to:
✔ Block .LNK file execution from untrusted sources.
✔ Deploy endpoint security solutions with advanced threat detection.
✔ Monitor systems for suspicious shortcut files.
✔ Keep software and security tools updated.
As cyber espionage campaigns evolve, attackers will continue to exploit unpatched vulnerabilities, making robust cybersecurity defenses essential for protecting sensitive data.