Since 2017, at least 11 state-sponsored groups have exploited a Microsoft zero-day vulnerability in Windows shortcut (.lnk) files to steal data and conduct cyber espionage. The flaw, tracked as ZDI-CAN-25373 by Trend Micro’s Zero Day Initiative (ZDI), lets attackers execute hidden commands through crafted .lnk files.
Nearly 1,000 malicious .lnk files have been identified, carrying payloads such as the Lumma infostealer and the Remcos RAT and threatening sectors such as government, finance, and energy across North America, Europe, Asia, and Australia. North Korea, Iran, Russia, and China are among the primary perpetrators, with North Korea responsible for over 45% of the attacks.
Despite the ongoing threat, Microsoft has not patched the flaw, stating that it does not meet its severity guidelines. Trend Micro submitted a proof-of-concept exploit but received no response on a patch timeline. In the meantime, Microsoft Defender can detect and block the threat, and Windows Smart App Control prevents harmful file downloads.
Experts find it unusual that an actively exploited flaw has gone unpatched for this long. Security professionals recommend that organizations scan for exploitation attempts, stay alert to suspicious .lnk files, and maintain strong endpoint and network security.
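The "hidden commands" in the first paragraph and the advice to watch for suspicious .lnk files translate directly into a triage check. The publicly documented layout of a shortcut file (Microsoft's MS-SHLLINK specification) puts the command-line arguments in a length-prefixed StringData field after the header, so a defender can pull that field out and inspect it regardless of what the Windows Properties dialog displays; Trend Micro's published analysis of ZDI-CAN-25373 describes the arguments being padded with whitespace so the dialog shows nothing. The script below is an added example written for this page, not Trend Micro's or Microsoft's code. It parses the header and StringData section, skips the optional LinkTargetIDList and LinkInfo blocks, and flags arguments with heavy whitespace padding, embedded line breaks, a script-host target, or a minimized start window. The padding threshold and the script-host list are assumptions to tune locally, and the sample shortcut it builds is a constructed fixture, not a captured file.

```python
"""Triage Windows shortcut (.lnk) files for hidden command-line arguments.

Added example: parses the Shell Link header and StringData section per the
public MS-SHLLINK format and flags arguments that would not be visible in
the file's Properties dialog. Thresholds and host list are assumptions.
"""
import struct
from dataclasses import dataclass

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SW_SHOWMINNOACTIVE = 7            # start minimized without focus
PADDING_CHARS = " \t\r\n\x0b\x0c"
PADDING_THRESHOLD = 16            # assumption: tune to your environment
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd", "mshta", "wscript", "cscript", "rundll32")

# StringData entries appear in this fixed order when their flag bit is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


@dataclass
class ShellLink:
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def _read_string(data: bytes, pos: int, unicode: bool) -> tuple[str, int]:
    """One StringData entry: a 2-byte character count, then the characters (no NUL)."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    width = 2 if unicode else 1
    raw = data[pos:pos + count * width]
    if len(raw) != count * width:
        raise ValueError("truncated StringData")
    text = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return text, pos + count * width


def parse_lnk(data: bytes) -> ShellLink:
    """Validate the header, skip LinkTargetIDList/LinkInfo, read StringData."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    (show_command,) = struct.unpack_from("<I", data, 60)  # ShowCommand field offset
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:                   # 2-byte size, then the ID list
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                             # 4-byte size that includes itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    link = ShellLink(show_command=show_command)
    for bit, field_name in STRING_FIELDS:
        if flags & bit:
            value, pos = _read_string(data, pos, bool(flags & IS_UNICODE))
            setattr(link, field_name, value)
    return link


def triage(link: ShellLink) -> list[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    args = link.arguments
    visible = args.strip(PADDING_CHARS)
    padding = len(args) - len(visible)
    if padding > PADDING_THRESHOLD:
        findings.append(f"arguments carry {padding} padding characters that hide the real command")
    if any(ch in args for ch in "\r\n\x0b\x0c"):
        findings.append("arguments contain line-break characters, which a shortcut never needs")
    lowered = (link.relative_path + " " + visible).lower()
    if any(host in lowered for host in SCRIPT_HOSTS):
        findings.append("target or arguments invoke a script host")
    if link.show_command == SW_SHOWMINNOACTIVE and visible:
        findings.append("window starts minimized, hiding console output from the user")
    return findings


def build_sample_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Constructed test fixture (not a real capture): a minimal Unicode shortcut
    carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS StringData."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += bytes(36)                                   # attributes, 3 timestamps, size, icon index
    header += struct.pack("<IHH", show_command, 0, 0) + bytes(8)  # ShowCommand, HotKey, Reserved
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            link = parse_lnk(fh.read())
        for finding in triage(link) or ["no findings"]:
            print(f"{path}: {finding}")
```

Run it over a directory of quarantined shortcuts and review anything with a padding finding first; a legitimate shortcut has no reason to carry hundreds of leading spaces or a line feed in its arguments, so that signal has a very low false-positive rate compared with the script-host check, which fires on many administrative shortcuts.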