state sponsored zero day exploitation

While many cyber threats come and go, a particularly persistent Windows vulnerability has been silently enabling state-backed hackers for years. Tracked as ZDI-CAN-25373 by Trend Micro’s Zero Day Initiative, this flaw has been exploited by eleven state-sponsored groups since March 2017. That’s right—eight years of active exploitation without a patch. Microsoft doesn’t seem too worried, though. They’ve classified it as “low severity” and declined to fix it.

The vulnerability is pretty clever. It lets attackers hide malicious commands in Windows shortcut (.LNK) files using whitespace padding. Nearly 1,000 malicious samples have been discovered, but experts believe that’s just the tip of the iceberg. The actual number is likely much higher.

The LNK vulnerability’s genius lies in its simplicity—hiding malicious code behind invisible spaces while flying under the radar for years.

And guess which countries are behind these attacks? North Korea leads the pack, responsible for 46% of the activity. China, Russia, and Iran follow closely behind, each keen to get their piece of the digital espionage pie.

These aren’t random attacks, either. The hackers have specific targets: government agencies, financial institutions, telecommunications companies, and critical infrastructure. The military and energy sectors were also identified as key targets. Most attacks (70%) focus on espionage and information theft. Only 20% are about making money. These state actors aren’t amateurs—they’re after valuable intelligence.

The technical aspect is fascinating. The vulnerability exploits how Windows displays command arguments in shortcut files. Users can’t see the malicious parts, so they click away, blissfully unaware they’re compromising their systems. Pretty sneaky.
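As an added illustration of the detection side (this is not code from the article or from Trend Micro), the following Python check takes the Arguments string already extracted from a .LNK file by a shortcut parser or endpoint agent and flags command tails that sit behind a long run of whitespace; the threshold, record format and sample shortcuts are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Whitespace characters that can serve as invisible padding inside a shortcut's
# Arguments field; Windows' properties dialog does not make these visible.
PADDING_CHARS = {" ": "space", "\t": "tab", "\n": "newline",
                 "\r": "carriage-return", "\x0b": "vertical-tab", "\x0c": "form-feed"}
PADDING_RE = re.compile(r"[ \t\r\n\x0b\x0c]+")

@dataclass
class PaddingFinding:
    longest_run: int      # longest run of whitespace found in the arguments
    pad_types: set        # which whitespace characters make up the flagged run
    visible_prefix: str   # what a user would see before the padding
    hidden_tail: str      # what follows the padding (the part a user never sees)
    suspicious: bool      # True only when real content sits behind the padding

def inspect_arguments(args: str, run_threshold: int = 32, preview: int = 40) -> PaddingFinding:
    """Flag an Arguments string whose command continues after a long whitespace run.
    run_threshold is an assumed tuning value: ordinary command lines separate tokens
    with one or two spaces, so a run of 32+ whitespace characters is anomalous."""
    longest, flagged = 0, None
    for match in PADDING_RE.finditer(args):
        run = match.end() - match.start()
        longest = max(longest, run)
        if run >= run_threshold and flagged is None:
            flagged = match   # first anomalous run decides where the hidden tail starts
    if flagged is None:
        return PaddingFinding(longest, set(), args[:preview], "", False)
    pad_types = {PADDING_CHARS[c] for c in set(flagged.group())}
    hidden = args[flagged.end():]
    # Trailing padding with nothing after it hides nothing, so it is not flagged.
    return PaddingFinding(longest, pad_types, args[:flagged.start()][:preview],
                          hidden[:preview], bool(hidden.strip()))

def scan_records(records):
    """Return (path, finding) for every (path, arguments) record judged suspicious."""
    results = [(path, inspect_arguments(args)) for path, args in records]
    return [(path, f) for path, f in results if f.suspicious]

# Constructed sample records (path, Arguments field) for this example only.
SAMPLE_RECORDS = [
    ("C:\\Users\\alice\\Desktop\\Report.lnk", "/c start report.pdf"),               # normal
    ("C:\\Users\\alice\\Downloads\\Invoice.lnk",
     "/c notepad.exe" + " " * 900 + "&& echo hidden"),                              # padded, tail hidden
    ("C:\\Users\\alice\\Desktop\\Build.lnk", "/k echo ok" + "\t\n" * 40),           # padded, nothing hidden
]

if __name__ == "__main__":
    for path, finding in scan_records(SAMPLE_RECORDS):
        print(path, finding)
```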

For organizations worried about this threat, there are ways to reduce the risk. Restricting .LNK file execution and using advanced endpoint detection tools can help. But without an official patch from Microsoft, it’s an uphill battle. The vulnerability continues to affect Windows versions prior to Windows 10 build 1809. Organizations can also use tactical threat intelligence to recognize the specific technical indicators of compromise associated with these attacks and better defend their systems.

Eight years of exploitation by nation-states, and still no fix in sight. Security analysts are not impressed.
