Hackers backed by North Korea, Iran, Russia, and China are exploiting a critical Windows vulnerability that Microsoft has left unpatched for over six months. The flaw, tracked as ZDI-CAN-25373, lets attackers hide malicious commands in seemingly innocent shortcut files. It’s been lurking in Windows for eight years. Eight. Years.
Microsoft knows about it. They just don’t seem to care much. The company’s response? This isn’t really a “vulnerability” – it’s a UI misrepresentation issue that doesn’t meet its bar for immediate servicing. Tell that to the 300-odd organizations now dealing with compromised systems.
North Korean groups are the worst offenders, responsible for nearly half the attacks. APT43 and APT37, Pyongyang’s digital attack dogs, have been particularly busy. Iran, Russia, and China aren’t far behind, collectively accounting for another 20% of observed incidents. Even India and Pakistan are getting in on the action, mainly by targeting each other. Neighborly.
The attack is clever in its simplicity. Bad actors craft .lnk shortcut files that look like normal documents. Explorer never shows the .lnk extension, even with “hide extensions for known file types” switched off, so a file named report.pdf.lnk simply displays as report.pdf. The real trick is inside the file: the shortcut’s command-line arguments are padded with whitespace (spaces, tabs, line feeds, vertical tabs, form feeds, carriage returns) so that the actual command sits beyond anything the Properties dialog will show. A user who right-clicks to inspect the shortcut sees a harmless-looking target; a user who double-clicks it runs the hidden command. Double-clicking is the only interaction needed. No prompt, no warning. Sneaky.
Government agencies are the primary targets, but financial institutions, telecom providers, military organizations, and energy companies are all on the menu. The vulnerability has been actively exploited since 2017 without interruption. The United States has been hardest hit with 343 confirmed attacks, followed by Canada, Russia, and South Korea. Nearly 1,000 malicious shortcut files have been identified so far; the actual number is almost certainly much higher.
Security experts are frustrated. The vulnerability was reported six months ago, yet Microsoft continues to drag its feet. Their advice to users in the meantime? Be careful what you download. Gee, thanks.
For now, organizations are left to implement their own protections: hunting for .lnk files whose command-line arguments are abnormally long or stuffed with whitespace, blocking shortcuts that arrive by e-mail or inside archives, restricting execution of unknown shortcuts, and educating employees about the threat. The shortcuts typically deliver loaders, infostealers, and remote-access trojans, and the credentials those tools harvest are what turn one clicked file into a network-wide compromise within minutes. But without a proper patch from Microsoft, it’s just a digital game of whack-a-mole. And the nation-state hackers keep swinging.
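To make both the trick and the hunt concrete, here is an added example (not code from the original article, ZDI, or Microsoft) that parses the Shell Link binary format far enough to read the COMMAND_LINE_ARGUMENTS string, flags the whitespace padding described above, and also flags the double-extension naming that exploits Explorer hiding .lnk. The two sample shortcuts are constructed in the script itself with a tiny builder; the “malicious” one only echoes a placeholder string and is not a real payload. The padding threshold of 16 characters and the list of decoy extensions are assumptions chosen for this example, not figures from the advisory.

```python
import struct

# Layout constants from the MS-SHLLINK specification (Shell Link Binary File Format).
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_ORDER = (  # StringData structures always appear in exactly this order
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Whitespace characters used as padding: space, tab, LF, VT, FF, CR.
PADDING_CHARS = " \t\n\x0b\x0c\r"
# Assumption for this example: inner extensions that make "invoice.pdf.lnk" display as "invoice.pdf".
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".txt", ".jpg", ".png")
# Assumption for this example: no legitimate shortcut needs a whitespace run this long in its arguments.
MIN_PADDING_RUN = 16


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData section of a .lnk file; raises ValueError on non-link input."""
    bad_header = (len(data) < HEADER_SIZE
                  or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
                  or data[4:20] != LINK_CLSID)
    if bad_header:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList, skipped here
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts the size field itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    for bit, name in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


def longest_padding_run(text: str) -> int:
    """Length of the longest consecutive run of padding whitespace in text."""
    best = cur = 0
    for ch in text:
        cur = cur + 1 if ch in PADDING_CHARS else 0
        best = max(best, cur)
    return best


def assess_lnk(filename: str, data: bytes) -> dict:
    """Parse a shortcut and return its target, de-padded arguments and a list of findings."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    findings = []
    run = longest_padding_run(args)
    if run >= MIN_PADDING_RUN:
        findings.append(f"arguments contain a run of {run} whitespace characters")
    odd = sorted({ch for ch in args if ch in PADDING_CHARS and ch != " "})
    if odd:
        findings.append("control whitespace in arguments: " + " ".join(f"0x{ord(c):02x}" for c in odd))
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(DECOY_EXTENSIONS):
        findings.append("double extension: Explorer hides .lnk, so this displays as a document")
    return {"filename": filename, "target": fields.get("relative_path", ""),
            "hidden_arguments": args.strip(PADDING_CHARS), "findings": findings}


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk with only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS (constructed input)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand=1 (SW_SHOWNORMAL)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: the padded one only echoes a placeholder and is not a real payload.
BENIGN_LNK = build_lnk(r"..\..\Program Files\Example\app.exe", "--profile default")
PADDED_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe",
                       " " * 240 + "\t\r\n" * 4 + "/c echo hidden-command-placeholder")

if __name__ == "__main__":
    for name, blob in (("notes.lnk", BENIGN_LNK), ("Q3_report.pdf.lnk", PADDED_LNK)):
        verdict = assess_lnk(name, blob)
        print(name, "->", verdict["findings"] or "clean", "| hidden:", repr(verdict["hidden_arguments"]))
```

In practice you would point `assess_lnk` at every .lnk pulled from mail attachments, download folders and file shares and alert on any non-empty findings list; the de-padded `hidden_arguments` value is what the user would have seen had the Properties dialog shown the whole string.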