MS Windows Zero Day Vulnerability Widely Exploited

A security flaw in Microsoft Windows has been exploited by numerous state-sponsored groups, including actors from China, Iran, North Korea, and Russia, for data theft and espionage since 2017.

The zero-day vulnerability, tracked by Trend Micro's Zero Day Initiative (ZDI) as ZDI-CAN-25373, allows attackers to execute hidden malicious commands on a victim's machine by means of crafted Windows Shortcut, or Shell Link (.LNK), files.

Specifically, the command-line arguments stored in the .LNK file are padded with Space (0x20), Horizontal Tab (0x09), Line Feed (0x0A), Vertical Tab (0x0B), Form Feed (0x0C), and Carriage Return (0x0D) whitespace characters so that the malicious arguments stay hidden and evade detection.
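The padding technique described above, as an added defender-side illustration that is not part of the article and not ZDI's or Trend Micro's code: a small Python parser that pulls the COMMAND_LINE_ARGUMENTS string out of a .LNK file following the MS-SHLLINK layout and flags arguments that open with a long run of the six whitespace characters. The `make_lnk` builder, the 32-character threshold and the sample argument strings are constructed assumptions for demonstration only.

```python
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader (flags field at offset 0x14)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# The six whitespace characters named in the advisory
PADDING = "\x20\x09\x0a\x0b\x0c\x0d"

def _read_string(data, off, unicode):
    """Read one StringData entry: a 2-byte character count, then the characters."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    width = 2 if unicode else 1
    raw = data[off:off + count * width]
    text = raw.decode("utf-16-le" if unicode else "latin-1")
    return text, off + count * width

def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a .LNK, or None if it has none."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:      # skip LinkTargetIDList (2-byte IDListSize + body)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:    # skip LinkInfo (LinkInfoSize covers the whole structure)
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    for bit in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR):  # strings stored before arguments
        if flags & bit:
            _, off = _read_string(data, off, unicode)
    if not flags & HAS_ARGS:
        return None
    return _read_string(data, off, unicode)[0]

def analyze(data, threshold=32):
    """Flag arguments whose leading whitespace run pushes the real command out of view."""
    args = lnk_arguments(data)
    if args is None:
        return {"suspicious": False, "leading_pad": 0, "command": None}
    stripped = args.lstrip(PADDING)
    pad = len(args) - len(stripped)
    return {"suspicious": pad >= threshold, "leading_pad": pad, "command": stripped}

def make_lnk(args, unicode=True):
    """Build a minimal constructed .LNK carrying only COMMAND_LINE_ARGUMENTS (test input)."""
    flags = HAS_ARGS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, flags).ljust(0x4C, b"\x00")
    enc = args.encode("utf-16-le" if unicode else "latin-1")
    return header + struct.pack("<H", len(args)) + enc
```

Running `analyze` over a directory of shortcuts and alerting on `suspicious` is the kind of check that surfaces these samples even when the Windows properties dialog shows an empty target field.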

Nearly 1,000 .LNK file artifacts exploiting ZDI-CAN-25373 have been unearthed to date, with a majority of the samples linked to Evil Corp (Water Asena), Kimsuky (Earth Kumiho), Konni (Earth Imp), Bitter (Earth Anansi), and ScarCruft (Earth Manticore).

Fifty percent of the groups identified are operated by the Democratic People’s Republic of Korea (DPRK) and, beyond their exploitation of the flaw at various times, the finding points to collaboration across the various units that make up the malign cyber apparatus built up by the North Korean regime.

In expert comment, Craig Watt, Threat Intelligence Consultant at Quorum Cyber, said, "The fact that approximately half of the state actors involved in these campaigns have been attributed to the DPRK likely demonstrates cross-collaboration between threat clusters operating within Pyongyang's cyber apparatus."

"Although zero-day exploits have regularly been targeted by DPRK cyber actors for initial access, the deployment of LNK files reflects a tradecraft expansion within Pyongyang’s cyber programme, with previous attacks relying on document-based payloads... These operations are likely designed to enhance North Korea’s cyber espionage capabilities as the DPRK seeks to bridge gaps within its weapons programs, as well as to enhance its state survival in response to isolation from the international community due to sanctions."

"The indications are that governments, private entities, financial organisations, think tanks, telecommunication service providers, and military agencies located in the United States, Canada, Russia, South Korea, Vietnam, and Brazil have become the primary targets of attacks exploiting the vulnerability," Watt concludes.

Microsoft has classified the issue as low severity and has no plan to release a fix, since .LNK is among the file types blocked across its products such as Outlook, Word, Excel, PowerPoint, and OneNote. As a result, attempting to open such a file downloaded from the web automatically triggers a security warning advising users not to open files from unknown sources.

Furthermore, Microsoft has pointed out that the method outlined by ZDI is of limited practical use to an attacker, and that Microsoft Defender's content scanning code has the ability to scan these files and recognise the technique to identify malicious files.

Although the campaigns have targeted victims worldwide, they have focused on North America, South America, Europe, East Asia, and Australia. Of all the attacks analysed, nearly 70% were linked to espionage and data theft, while financial gain accounted for 20%.

Sources: Trend Micro | Microsoft | NK News | Hacker News | Bleeping Computer | Yahoo

Image: @thezdi

