At least 11 state-sponsored hacking groups from North Korea, Iran, Russia, and China have been actively exploiting a newly uncovered Windows zero-day vulnerability in cyber espionage and data theft attacks since 2017. Despite clear evidence of exploitation, Microsoft has declined to release a security update to address the issue.
Microsoft Declines to Patch ZDI-CAN-25373
Security researchers Peter Girnus and Aliakbar Zahravi from Trend Micro’s Zero Day Initiative (ZDI) revealed that nearly 1,000 Shell Link (.lnk) samples exploiting this vulnerability, tracked as ZDI-CAN-25373, have been identified. The researchers estimate that the actual number of exploitation attempts is much higher.
The researchers submitted a proof-of-concept (PoC) exploit through Trend Micro ZDI’s bug bounty program. However, Microsoft classified the vulnerability as “not meeting the bar for servicing” and declined to patch it.
Global Espionage and Data Theft at Scale
Threat actors have leveraged ZDI-CAN-25373 in widespread cyberattacks across North America, South America, Europe, East Asia, and Australia. The majority of these attacks, around 70%, have been linked to espionage and data theft, while financial motives accounted for approximately 20%.
Among the hacking groups exploiting this vulnerability are well-known state-sponsored actors such as Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, and Konni. These groups have deployed diverse malware payloads, including Ursnif, Gh0st RAT, and Trickbot, making use of malware-as-a-service platforms to further expand their reach.
How Does the Vulnerability Work?
The Windows zero-day vulnerability is caused by a User Interface (UI) Misrepresentation of Critical Information weakness. It exploits how Windows handles .lnk shortcut files, allowing attackers to execute arbitrary code on targeted devices while evading detection.
Attackers manipulate .lnk files by inserting hidden command-line arguments padded with whitespace characters, which appear in the file as the following hex-encoded values:
\x20 (Space)
\x09 (Horizontal Tab)
\x0A (Linefeed)
\x0B (Vertical Tab)
\x0C (Form Feed)
\x0D (Carriage Return)
These hidden spaces prevent users from seeing malicious arguments in the Windows UI, enabling attackers to execute commands stealthily.
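A defender can check for this padding directly in the file, because the arguments live in the COMMAND_LINE_ARGUMENTS entry of the Shell Link StringData. The following added example (written for this article, not code from Trend Micro, ZDI or Microsoft) parses that entry from a .lnk file and flags leading runs of the six whitespace characters listed above; the 16-character threshold and the minimal constructed .lnk used as input are assumptions.

```python
import struct

# MS-SHLLINK field values; PADDING_THRESHOLD is an assumed heuristic, not from the article.
PADDING_CHARS = "\x20\x09\x0a\x0b\x0c\x0d"   # the six whitespace characters named above
PADDING_THRESHOLD = 16                        # assumed cutoff: longer leading runs are flagged
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, IS_UNICODE = 0x08, 0x10, 0x20, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}


def extract_arguments(lnk: bytes) -> str:
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk file, or "" if it has none."""
    # 76-byte ShellLinkHeader: size, CLSID, LinkFlags, then fields we do not need.
    if len(lnk) < 76 or struct.unpack_from("<I", lnk)[0] != 0x4C or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", lnk, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) + ItemIDList
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", lnk, pos)[0]
    width, encoding = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    # StringData entries appear in this fixed order, each as CountCharacters + characters.
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", lnk, pos)[0]
        text = lnk[pos + 2 : pos + 2 + count * width].decode(encoding)
        pos += 2 + count * width
        if flag == HAS_ARGUMENTS:
            return text
    return ""


def padding_verdict(arguments: str) -> dict:
    """Measure leading whitespace padding; long runs push the real arguments out of the UI."""
    visible = arguments.lstrip(PADDING_CHARS)
    padding = len(arguments) - len(visible)
    return {"padding": padding, "hidden_args": visible, "suspicious": padding >= PADDING_THRESHOLD}


def build_lnk(arguments: str) -> bytes:
    """Constructed minimal Unicode .lnk carrying only a COMMAND_LINE_ARGUMENTS entry (test input)."""
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE, 0) + bytes(48)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Run `padding_verdict(extract_arguments(data))` over each shortcut collected from mail attachments or archives; a benign shortcut reports zero padding, while a padded one reports the run length and the arguments that the properties dialog would not show.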
Microsoft has yet to assign a CVE-ID to this vulnerability, while Trend Micro continues to track it as ZDI-CAN-25373. The issue is quite similar to another vulnerability, CVE-2024-43461, which was used by the Void Banshee APT group to launch attacks across North America, Europe, and Southeast Asia. Microsoft patched CVE-2024-43461 during the September 2024 Patch Tuesday.
Despite growing concerns from security researchers, Microsoft has not provided any indication that a patch for ZDI-CAN-25373 will be released, leaving Windows users exposed to ongoing cyber threats.