8-Year Old Windows Shortcut Zero-Day Exploited by 11 State-Sponsored Hacker Groups

A critical Windows vulnerability that has been exploited since 2017 by state-sponsored threat actors has been uncovered recently by researchers.
The vulnerability, tracked as ZDI-CAN-25373, allows attackers to execute hidden malicious commands on victims’ machines by leveraging specially crafted Windows shortcut (.lnk) files.
This security flaw impacts how Windows displays the contents of shortcut files through its user interface.
When users inspect a compromised .lnk file, Windows fails to display the malicious commands hidden within, effectively hiding the true danger of the file.
This exploitation technique has been adopted widely by sophisticated threat actors for cyber espionage operations.
Trend Micro researchers identified nearly 1,000 malicious .lnk files exploiting this vulnerability across various campaigns.
Their analysis revealed that 11 state-sponsored groups from North Korea, Iran, Russia, and China have been actively using this technique primarily for espionage and data theft operations.
North Korea is the most active exploiter of this vulnerability, accounting for nearly half of the state-sponsored actors leveraging the technique.
This trend underscores the cross-collaboration and tool-sharing patterns within North Korea’s cyber program.
Organizations across government, financial, telecommunications, and private sectors have been primary targets of these attacks.
The widespread abuse spans multiple continents, with significant activity detected in North America, Europe, and East Asia.
Exploitation Details
The exploit works by padding the COMMAND_LINE_ARGUMENTS field (part of the shortcut's StringData) inside .lnk files with specific whitespace characters.
Attackers use Space (0x20), Horizontal Tab (0x09), Line Feed (0x0A), and Carriage Return (0x0D) characters to hide malicious commands from users viewing the file properties.
Large amounts of these characters can be observed within the compromised files.
Some North Korean threat actors, such as Earth Manticore (APT37) and Earth Imp (Konni), have been using extremely large .lnk files – with sizes up to 70.1 MB – containing excessive whitespace and junk content to further evade detection.
Security teams can identify suspicious shortcuts using hunting queries such as:
eventSubId:2 AND (processFilePath:"*\cmd.exe" OR
processFilePath:"*\powershell.exe") AND
parentFilePath:"*.lnk"
Microsoft has classified this vulnerability as low severity and does not plan to issue a security patch. Organizations are advised to implement proper security controls and remain vigilant against suspicious shortcut files to protect against this persistent threat.
The post 8-Year Old Windows Shortcut Zero-Day Exploited by 11 State-Sponsored Hacker Groups appeared first on Cyber Security News.