MS Windows Zero Day Vulnerability Widely Exploited

A security flaw in Microsoft Windows has been exploited by at least 11 state-sponsored groups from China, Iran, North Korea and Russia for data theft and espionage since 2017.

The zero-day vulnerability, tracked by Trend Micro's Zero Day Initiative (ZDI) as ZDI-CAN-25373, lets attackers run hidden malicious commands on a victim's machine through crafted Windows Shortcut, or Shell Link (.LNK), files. The flaw is one of user-interface misrepresentation: the command-line arguments stored inside the shortcut are not displayed faithfully by Windows, so a file that looks harmless in the Properties dialog can carry a complete command.

Specifically, the attacker pads the shortcut's command-line arguments with Space (0x20), Horizontal Tab (0x09), Line Feed (0x0A), Vertical Tab (0x0B), Form Feed (0x0C) and Carriage Return (0x0D) whitespace characters. The Properties dialog does not render the padding, so the real command, placed after it, never appears in the Target field, which defeats casual inspection of the file.
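To make the padding concrete, here is an added Python example, written for this page and not code from Trend Micro, ZDI or Microsoft, that parses the header and StringData of a .LNK file as laid out in MS-SHLLINK, extracts the COMMAND_LINE_ARGUMENTS string, and flags the whitespace-padding pattern while recovering the command the UI would hide. The two sample shortcuts are constructed inside the script; the RUN_THRESHOLD value, the cp1252 fallback for non-Unicode strings and all function names are assumptions made for the example.

```python
"""Inspect Windows Shell Link (.LNK) files for the whitespace-padding trick
behind ZDI-CAN-25373: a COMMAND_LINE_ARGUMENTS string stuffed with
Space/Tab/LF/VT/FF/CR so the Properties dialog shows an empty-looking
Target field while the real command sits after the padding.

Offsets follow MS-SHLLINK. The sample files built below are constructed for
this example; they are not samples from any vendor report.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each present only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "NAME_STRING"),
    (HAS_RELATIVE_PATH, "RELATIVE_PATH"),
    (HAS_WORKING_DIR, "WORKING_DIR"),
    (HAS_ARGUMENTS, "COMMAND_LINE_ARGUMENTS"),
    (HAS_ICON_LOCATION, "ICON_LOCATION"),
)

PADDING = " \t\n\x0b\x0c\r"     # the six whitespace characters named in the ZDI advisory
CONTROL_WS = "\t\n\x0b\x0c\r"   # any of these inside an argument string is a red flag by itself
RUN_THRESHOLD = 16              # longest whitespace run tolerated as benign (assumed, tune to taste)


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and StringData; IDList and LinkInfo are skipped, not decoded."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            strings[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            strings[name] = data[off:off + count].decode("cp1252")   # ANSI code page assumed
            off += count
    return {"flags": flags, "strings": strings, "extra_data_offset": off}


def analyse_arguments(args: str) -> dict:
    """Measure padding in COMMAND_LINE_ARGUMENTS and split off what the UI would hide."""
    longest = run = run_end = 0
    for i, ch in enumerate(args):
        run = run + 1 if ch in PADDING else 0
        if run > longest:
            longest, run_end = run, i + 1
    padded = longest >= RUN_THRESHOLD
    start = run_end - longest
    control = sorted({f"0x{ord(c):02X}" for c in args if c in CONTROL_WS})
    return {
        "length": len(args),
        "longest_padding_run": longest,
        "control_whitespace": control,
        "visible_prefix": args[:start] if padded else args,
        "hidden_suffix": args[run_end:] if padded else "",
        "suspicious": padded or bool(control),
    }


def scan_lnk(data: bytes) -> dict:
    info = parse_lnk(data)
    verdict = analyse_arguments(info["strings"].get("COMMAND_LINE_ARGUMENTS", ""))
    verdict["relative_path"] = info["strings"].get("RELATIVE_PATH", "")
    return verdict


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .LNK carrying RELATIVE_PATH and COMMAND_LINE_ARGUMENTS.
    Constructed for the example; real shortcuts usually also carry an IDList and LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x80,   # FILE_ATTRIBUTE_NORMAL
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)                         # ShowCommand = SW_SHOWNORMAL

    def sd(s: str) -> bytes:   # StringData: CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + sd(relative_path) + sd(arguments) + struct.pack("<I", 0)   # TerminalBlock


# Constructed samples: a normal shortcut and one using the padding trick
BENIGN_LNK = build_lnk("..\\..\\..\\Windows\\notepad.exe", "C:\\Users\\Public\\notes.txt")
PADDED_LNK = build_lnk(
    "..\\..\\..\\Windows\\System32\\cmd.exe",
    " " * 900 + "\x0b\x0c\r\n" + "/c echo padded-payload > %TEMP%\\p.txt",
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        v = scan_lnk(blob)
        print(f"{label}: suspicious={v['suspicious']} longest_run={v['longest_padding_run']} "
              f"control={v['control_whitespace']} hidden={v['hidden_suffix'][:40]!r}")
```

To scan a real file, pass `open(path, "rb").read()` to `scan_lnk`. Isolated spaces are normal in arguments (quoted paths, switches), so the verdict is driven by the length of the longest run and by the presence of LF, VT, FF or CR, which have no legitimate place in a command line. The parser deliberately skips the IDList and LinkInfo structures and does not walk the ExtraData blocks, so a sample that hides its target elsewhere in the file would need more parsing than this shows.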

Nearly 1,000 .LNK file artifacts exploiting ZDI-CAN-25373 have been unearthed to date, with a majority of the samples linked to Evil Corp (Water Asena), Kimsuky (Earth Kumiho), Konni (Earth Imp), Bitter (Earth Anansi) and ScarCruft (Earth Manticore), the names in parentheses being Trend Micro's designations for these groups.

Roughly half of the groups involved are from the Democratic People's Republic of Korea (DPRK). Besides showing that these units have exploited the flaw at different times, the finding points to collaboration across the various units that make up the cyber apparatus built up by the North Korean regime.

In expert comment, Craig Watt, Threat Intelligence Consultant at Quorum Cyber, said, "The fact that approximately half of the state actors involved in these campaigns have been attributed to the DPRK likely demonstrates cross-collaboration between threat clusters operating within Pyongyang's cyber apparatus."

"Although zero-day exploits have regularly been targeted by DPRK cyber actors for initial access, the deployment of LNK files reflects a tradecraft expansion within Pyongyang’s cyber programme, with previous attacks relying on document-based payloads... These operations are likely designed to enhance North Korea’s cyber espionage capabilities as the DPRK seeks to bridge gaps within its weapons programs, as well as to enhance its state survival in response to isolation from the international community due to sanctions."

"The indications are that governments, private entities, financial organisations, think tanks, telecommunication service providers, and military agencies located in the United States, Canada, Russia, South Korea, Vietnam, and Brazil have become the primary targets of attacks exploiting the vulnerability," Watt concludes.

Microsoft has classified the issue as low severity and does not plan to release a fix, pointing out that .LNK is among the file types blocked across its products such as Outlook, Word, Excel, PowerPoint and OneNote. Shortcut files downloaded from the web also carry the Mark of the Web, so attempting to open one triggers a security warning advising users not to open files from unknown sources.

Microsoft has also said that the method described by ZDI is of limited practical use to an attacker, and that Microsoft Defender's content scanning can parse these files, recognise the padding technique and flag malicious ones.

Although the campaigns have hit victims worldwide, they have concentrated on North America, South America, Europe, East Asia and Australia. Of the attacks analysed, nearly 70% were linked to espionage and data theft, while financial gain accounted for about 20%.

Sources: Trend Micro | Microsoft | NK News | Hacker News | Bleeping Computer | Yahoo

Image: @thezdi
