Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
Essential information
- Published
- 18/03/2025 20:59
- Modified
- 19/03/2025 09:51
- Tags
- 2025-03-18 apt command execution data theft espionage lnk raspberry robin shortcut vulnerability windows zero-day
- Related entities
- 200 observables, 6 techniques (mitre), 1 malware, 38 others
Description
A Windows .lnk file vulnerability, ZDI-CAN-25373, has been extensively exploited by state-sponsored and cybercriminal groups. The vulnerability allows hidden command execution through crafted shortcut files, exposing organizations to data theft and cyber espionage risks. Nearly 1,000 malicious .lnk files abusing this vulnerability have been identified, with APT groups from North Korea, Iran, Russia, and China involved in the attacks. Targeted sectors include government, finance, telecommunications, military, and energy across North America, Europe, Asia, South America, and Australia. The exploitation leverages hidden command line arguments within .lnk files, complicating detection. Organizations are urged to implement security measures and maintain vigilance against suspicious .lnk files.