MS Windows Zero Day Vulnerability Widely Exploited

Uploaded on 2025-03-25 in TECHNOLOGY--Hackers, INTELLIGENCE-Hot Spots-North Korea, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

A security flaw in Microsoft Windows has been used by at least many state-sponsored groups including China, Iran, North Korea, and Russia as part of data theft and espionage since 2017.

The zero-day vulnerability, tracked by Trend Micro's Zero Day Initiative (ZDI), and called ZDI-CAN-25373, allows hackers to execute hidden malicious commands on a victim's machine by leveraging crafted Windows Shortcut or Shell Link (.LNK) files. 

Specifically, this involves the padding of the arguments with Space (0x20), Horizontal Tab (0x09), Line Feed (0x0A), Vertical Tab (\x0B), Form Feed (\x0C), and Carriage Return (0x0D) whitespace characters to evade detection.

Nearly a 1,000 .LNK file artifacts exploiting ZDI-CAN-25373 have been unearthed to date, with a majority of the samples linked to Evil Corp (Water Asena), Kimsuky (Earth Kumiho), Konni (Earth Imp), Bitter (Earth Anansi), and ScarCruft (Earth Manticore).

Fifty percent of the hackers come from N. Korea and, besides exploiting the flaw at various times, the finding serves as an indication of collaboration across the various units operating in N. Korean's cyber apparatus.

The indications are that governments, private entities, financial organisations, think tanks, telecommunication service providers, and military agencies located in the United States, Canada, Russia, South Korea, Vietnam, and Brazil have become the primary targets of attacks exploiting the vulnerability.

Microsoft has classified the issue as low severity and has no plan to release a fix since .LNK is amongst the list that has been blocked across its products such as Outlook, Word, Excel, PowerPoint, and OneNote. As a result, attempting to open such files downloaded from the web automatically initiates a security warning, advising users not to open files from unknown sources. 

Microsoft has pointed out that the method outlined by ZDI is of limited practical use to an attacker, and that Microsoft Defender's content scanning code has the ability to scan these files and recognise the technique to identify malicious files.

Although the campaigns have targeted victims worldwide, they have focused on North America, South America, Europe, East Asia, and Australia. Out of all the attacks analysed, nearly 70% were linked to espionage and data theft, while financial gain accounted for  20%.

Trend Micro  |    Microsoft  |    NK News   |    Hacker News   |   Bleeping Computer  |   Yahoo  |   

Image: @thezdi

You Might Also Read: 

Hackers Use Windows Backdoor To Deliver BadSpace:

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible



 

« Taiwanese Hackers Accused Of Attacking China
23andMe Goes Bankrupt Following Disastrous Data Breach »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Global Knowledge Training

Global Knowledge Training

Global Knowledge is a worldwide leader in IT and business training, featuring Cisco, Microsoft, VMware, IBM, security, cloud computing, and project management.

Fredda Stanza

Fredda Stanza

Fredda Stanza specialize in Information Security and Forensics Consulting.

Cybersecurity Philippines CERT (CSP-CERT)

Cybersecurity Philippines CERT (CSP-CERT)

Cybersecurity Philippines CERT is the national Computer Emergency Response Team for the Philippines.

CyberArts

CyberArts

CyberArts is founded on the belief that every single organization deserves and requires the creme de la creme when there is a need for Cyber services.

Cynterra

Cynterra

Cynterra is a next generation cloud cyber security and data analytical service provider offering cloud security compliance, data protection, visibility and threat protection services.

Aptiv

Aptiv

Aptiv is a global technology company that develops safer, greener and more connected solutions enabling the future of mobility.

SOSA

SOSA

SOSA facilitates new growth opportunities by connecting the dots between industry verticals and innovation ecosystems around the world.

CyVolve

CyVolve

Cyvolve is the next great leap forward in data security, ensuring constant encryption and pervasive control over all your data.

DatChat

DatChat

DatChat Inc. is a blockchain, cybersecurity, and social media company that focuses on protecting privacy on our devices and also protecting our information after we have shared it with others.

KT Secure

KT Secure

KTSecure’s mission is to provide proven and productive cyber security solutions and managed services, backed by our highly qualified and passionate team of experts.

TotalAV

TotalAV

TotalAV Antivirus is a free-to-use app packed with all the essential features to find and remove malware, keeping you safe.

Paubox

Paubox

Paubox offers secure, HIPAA compliant email and marketing solutions to fit the needs of modern healthcare organizations of every size.

FutureRange

FutureRange

Specialising in IT Managed Services, Cybersecurity and Digital Transformation, FutureRange experts provide professional IT services for clients throughout Ireland and beyond.

Two99

Two99

Two99 provide tailored excellence in the areas of E-Commerce, Marketing, Consulting, and Cyber Security.

Token

Token

Token is changing the way our customers secure their organizations by providing passwordless, biometric, multifactor authentication.

Defence Logic

Defence Logic

Defence Logic is a cyber security company serving clients in many business sectors. Our consultancy services include Penetration Testing, Security Reviews and Monitoring.