A severe Windows zero-day vulnerability, exploited since at least 2017, is being used by state-backed hackers from North Korea, China, Iran, and Russia. Despite years of exploitation across many industries and countries, the flaw remains unpatched.
Tracked as ZDI-CAN-25373 by Trend Micro’s Zero Day Initiative (ZDI), the flaw allows attackers to use specially crafted .LNK files — commonly known as Windows shortcuts — to run harmful commands without alerting the user. What’s more troubling is that Microsoft has classified it as low priority and has no immediate plans to fix it.
A Silent Danger Hidden in Everyday Files
How a Simple Shortcut Becomes a Threat
The attack method is as clever as it is quiet. Hackers embed hidden commands inside .LNK files, using whitespace characters like tabs and spaces to mask malicious instructions from antivirus tools.
This allows them to run malware on a system without the user even realizing it. These disguised shortcuts look completely normal, yet they secretly trigger harmful programs when clicked.
A Flaw That Skips the User’s Warning System
What makes this issue more dangerous is that it bypasses visual warnings. According to security experts from ZDI, the Windows interface fails to alert users that a hidden command is being executed, which means users cannot judge whether the shortcut file is safe or suspicious.
This lack of visibility is why the flaw is classified as User Interface (UI) Misrepresentation of Critical Information, the weakness class tracked as CWE-451.
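As an added example for defenders (not code from the article or from ZDI), here is a small Python checker that parses the public Shell Link (MS-SHLLINK) layout, reads the COMMAND_LINE_ARGUMENTS field, and flags a long run of leading whitespace in front of the real arguments, which is the padding pattern the article describes. The 32-character threshold and the sample shortcut built by `build_test_lnk` are assumptions constructed for this example.

```python
import struct

# Shell Link header constants from the public MS-SHLLINK specification
LNK_MAGIC = b"\x4c\x00\x00\x00"  # HeaderSize = 0x4C
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
PAD_CHARS = " \t\r\n\x0b\x0c"  # whitespace used to push arguments out of view


def read_string(data, pos, unicode):
    """StringData field: 2-byte CountCharacters, then the characters (no terminator)."""
    n = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if unicode:
        return data[pos:pos + 2 * n].decode("utf-16-le", "replace"), pos + 2 * n
    return data[pos:pos + n].decode("latin-1"), pos + n


def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a .LNK, or None if absent."""
    if data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:  # IDListSize (2 bytes) + LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    uni = bool(flags & IS_UNICODE)
    for flag in (HAS_NAME, HAS_REL_PATH, HAS_WORKING_DIR):  # fields before arguments
        if flags & flag:
            _, pos = read_string(data, pos, uni)
    if not flags & HAS_ARGUMENTS:
        return None
    return read_string(data, pos, uni)[0]


def check_padding(args, threshold=32):
    """Return (padding_length, suspicious) for an arguments string; threshold is assumed."""
    if args is None:
        return 0, False
    pad = len(args) - len(args.lstrip(PAD_CHARS))
    return pad, pad >= threshold


def build_test_lnk(args):
    """Constructed minimal .LNK (header + one StringData field) for offline testing."""
    hdr = LNK_MAGIC + LNK_CLSID + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    return hdr.ljust(76, b"\x00") + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Run `check_padding(lnk_arguments(open(path, "rb").read()))` over shortcuts from mail attachments or shared drives to surface candidates for closer inspection.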
Eleven Advanced Threat Groups Exploit the Flaw
Attacks from Four Major Nations
Over the years, at least 11 state-sponsored threat actors have taken advantage of this vulnerability. Most notably, the groups originate from:
- North Korea
- China
- Iran
- Russia
Researchers found strong evidence that North Korean cyber groups are working together to share tools and strategies, with multiple attacks pointing to joint operations under different codenames like Kimsuky, Konni, and ScarCruft.
Not Just One Malware Family
Once the hidden shortcut is activated, it can deliver various kinds of malware, including:
- Lumma Stealer
- GuLoader
- Remcos RAT
- Raspberry Robin, used by Evil Corp
These malware programs are known for stealing information, spying on victims, or creating remote access paths for attackers to control infected machines.
Global Impact: From Governments to Private Sectors
Victims Across Six Nations
This vulnerability is not a small-scale threat. ZDI found that it has been used to target major industries and sectors in:
- The United States
- Canada
- Russia
- South Korea
- Vietnam
- Brazil
Affected organizations include government bodies, military departments, telecommunication companies, think tanks, and financial institutions.
Almost 1,000 Malicious Files Found
Since tracking began, researchers have uncovered nearly 1,000 different .LNK files exploiting this zero-day. Each differs slightly from the others, customized by different threat groups to avoid detection.
This points to an active, long-term strategy where attackers evolve their tools but keep using the same weak point — a shortcut file that nobody expects to be dangerous.
Microsoft’s Position and Security Measures
Why the Flaw Remains Unpatched
In response to the findings, Microsoft acknowledged the report and thanked ZDI for following a coordinated disclosure process. However, they stated that the flaw does not meet the severity level required for immediate patching.
Instead, Microsoft is relying on existing tools like:
- Microsoft Defender, which scans and blocks malicious content
- Smart App Control, which warns users when unknown files are opened
- File type restrictions in products like Outlook, Excel, and OneNote, which block .LNK files from opening directly
Limited Use According to Microsoft
Microsoft further emphasized that this technique has limited use in real-world attacks, and that Defender’s scanning capabilities are already equipped to detect it.
Even so, cybersecurity experts argue that the ongoing use of the flaw by sophisticated actors shows that it still presents a real and present risk to organizations, especially when layered into broader attack chains.
Why This Vulnerability Is Still Being Used
A Reliable Entry Point for Spies and Cybercriminals
From a hacker’s perspective, ZDI-CAN-25373 is a perfect tool:
- It’s easy to embed in common file types
- It doesn’t require advanced code to activate
- It hides in plain sight, with minimal user interaction
- It works on any version of Windows that handles .LNK files
And since it remains unpatched, there’s no technical reason for attackers to stop using it.
As long as Windows continues to process shortcut files the same way, and users continue to open them without suspicion, this vulnerability will remain a quiet threat lurking inside inboxes, folders, and download directories.
Best Practices for Protecting Against .LNK-Based Attacks
Simple Actions Can Block a Complex Threat
While waiting for a permanent fix, security teams and individuals can still take action. Here’s how:
- Do not open shortcut files from unknown sources
- Disable automatic file execution features where possible
- Train employees to recognize suspicious file types
- Use endpoint detection and response (EDR) tools to scan for hidden scripts
- Keep antivirus tools updated and active at all times
- Restrict .LNK execution in secure environments, especially in shared drives
For organizations in sensitive sectors like defense or telecom, these steps could block a major entry point that advanced threat actors have been using for years.
FAQs
What is ZDI-CAN-25373?
It is a Windows zero-day vulnerability involving .LNK files that can hide malicious commands, allowing attackers to run malware without user consent.
Who is using this flaw?
At least 11 state-sponsored hacker groups from countries like North Korea, China, Iran, and Russia have used it in real-world attacks since 2017.
What kind of malware can be delivered through this flaw?
Malware like Lumma Stealer, GuLoader, Remcos RAT, and Raspberry Robin can be delivered using this method.
Has Microsoft fixed the flaw?
No. Microsoft considers it low severity and has not released a patch. They recommend relying on built-in tools like Defender and Smart App Control.
What makes this flaw hard to detect?
The attack uses hidden characters in shortcut files and avoids showing warning messages to the user, making it difficult for both people and security tools to spot.
How can I stay protected?
Avoid unknown shortcut files, keep your antivirus updated, train users to identify suspicious files, and consider using EDR solutions for added protection.