{"id":20898,"date":"2025-05-08T17:16:35","date_gmt":"2025-05-08T10:16:35","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&#038;p=20898"},"modified":"2025-06-02T11:54:22","modified_gmt":"2025-06-02T04:54:22","slug":"zdi-can-25373-serious-zero-day-hole-in-windows-shortcut-is-widely-exploited","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/zdi-can-25373-serious-zero-day-hole-in-windows-shortcut-is-widely-exploited\/","title":{"rendered":"ZDI-CAN-25373: Serious zero-day hole in Windows shortcut is widely exploited"},"content":{"rendered":"<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-1-1743415193.webp\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20899\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-1-1743415193.webp\" alt=\"Lo Hong Zero Day Fpt Is 1 1743415193\" width=\"976\" height=\"533\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-1-1743415193.webp 976w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-1-1743415193-700x382.webp 700w\" sizes=\"(max-width: 976px) 100vw, 976px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">In March 2025, the Trend Zero Day Initiative\u2122 (ZDI) announced an extremely critical zero-day vulnerability in Windows Shortcut files (.lnk) that allows attackers to execute hidden malicious commands on a victim&#8217;s machine. The vulnerability, tracked as ZDI-CAN-25373, has been actively exploited recently. 
This vulnerability has been used by 11 state-sponsored hacking groups from China, Iran, North Korea, and Russia in cyber espionage and data theft campaigns since 2017.<\/span><\/p>\n<h2 id=\"heading-details\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 18pt\"><strong>Details<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">These attack groups have used specially crafted .lnk files to execute malicious payloads, making detection difficult. The affected sectors include government, finance, telecommunications, military, and energy in North America, Europe, Asia, South America, and Australia. Although this vulnerability was reported to Microsoft in September 2024, the company decided not to release a security patch for this issue.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong><em>Vulnerability ID:<\/em>\u00a0ZDI-CAN-25373<\/strong><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong><em>Severity Level:<\/em>\u00a0High<\/strong><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong><em>CVSS Score:<\/em>\u00a07.0<\/strong><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong><em>Description:<\/em><\/strong>\u00a0The vulnerability involves how Windows handles Shortcut (.lnk) files, allowing attackers to execute remote code without user interaction.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">During the exploitation of this vulnerability, experts discovered its widespread abuse by various hacker groups. These threats include a mix of state-sponsored APT groups as well as non-state actors. 
Many of these groups have shown a high level of sophistication in their attack chains and have a history of exploiting zero-day vulnerabilities.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-2-1743415196.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20900\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-2-1743415196.png\" alt=\"Lo Hong Zero Day Fpt Is 2 1743415196\" width=\"1042\" height=\"625\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-2-1743415196.png 1042w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-2-1743415196-700x420.png 700w\" sizes=\"(max-width: 1042px) 100vw, 1042px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>ZDI-CAN-25373<\/strong>\u00a0is currently being actively exploited by various countries around the world. Nearly half of these originate from North Korea, notably with most attacks based on ZDI-CAN-25373 occurring at different times.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-3-1743415199.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20901\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-3-1743415199.png\" alt=\"Lo Hong Zero Day Fpt Is 3 1743415199\" width=\"1042\" height=\"730\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-3-1743415199.png 1042w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-3-1743415199-700x490.png 700w\" sizes=\"(max-width: 1042px) 100vw, 1042px\" \/><\/a><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-4-1743415202.png\"><img decoding=\"async\" class=\"aligncenter size-full 
wp-image-20902\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-4-1743415202.png\" alt=\"Lo Hong Zero Day Fpt Is 4 1743415202\" width=\"1042\" height=\"585\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-4-1743415202.png 1042w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-4-1743415202-700x393.png 700w\" sizes=\"(max-width: 1042px) 100vw, 1042px\" \/><\/a><\/span><\/p>\n<h2 id=\"heading-main-target-of-zdi-can-25373\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 18pt\"><strong>Main Targets of ZDI-CAN-25373<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">In recent campaigns, the main sectors attackers have targeted through this vulnerability include:<\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Government<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Private sector<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Finance, including cryptocurrency-related areas<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Non-governmental organizations (NGOs)<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Telecommunications<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Military and defense<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Energy<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">Organizations in these sectors are at higher risk of exploitation and should scan their environments and apply mitigations for the\u00a0<strong>ZDI-CAN-25373<\/strong>\u00a0vulnerability immediately, as well as remain cautious of\u00a0<code>.lnk<\/code>\u00a0files in general.<\/span><\/p>\n<h2 id=\"heading-exploitation-method\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, 
sans-serif;font-size: 18pt\"><strong>Exploitation Method<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>ZDI-CAN-25373<\/strong>\u00a0is related to how Windows displays the contents of (.lnk) files through the Windows UI. By exploiting this vulnerability, an attacker can prepare a malicious .lnk file to send to a victim. When the victim examines the file using the Windows-provided user interface, it is difficult for them to recognize that the file contains any malicious content.<\/span><\/p>\n<ol>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 14pt\"><strong>Create a Malicious Shortcut (.lnk) File<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">A malicious shortcut file is created for exploitation, requiring\u00a0<strong>COMMAND_LINE_ARGUMENTS<\/strong>\u00a0&#8211; command-line arguments passed to a program when it is executed.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">An attacker can\u00a0<strong>exploit COMMAND_LINE_ARGUMENTS<\/strong>\u00a0to:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Run malicious PowerShell scripts<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Download and execute remote code<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Combine with LOLBins to evade detection<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Besides\u00a0<strong>COMMAND_LINE_ARGUMENTS, whitespace characters are also used for exploitation purposes<\/strong>.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p><span style=\"font-family: arial, helvetica, sans-serif\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-5-1743415205.webp\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20903\" 
src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-5-1743415205.webp\" alt=\"Lo Hong Zero Day Fpt Is 5 1743415205\" width=\"899\" height=\"334\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-5-1743415205.webp 899w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-5-1743415205-700x260.webp 700w\" sizes=\"(max-width: 899px) 100vw, 899px\" \/><\/a><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Attackers typically use two main methods to create a malicious Shortcut file:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Method 1: Create a Shortcut with PowerShell<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-6-1743415208.webp\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20904\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-6-1743415208.webp\" alt=\"Lo Hong Zero Day Fpt Is 6 1743415208\" width=\"736\" height=\"238\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-6-1743415208.webp 736w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-6-1743415208-700x226.webp 700w\" sizes=\"(max-width: 736px) 100vw, 736px\" \/><\/a><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Method 2: Create a Malicious Shortcut with Metasploit. 
Then, set up a listener to receive connections.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-family: arial, helvetica, sans-serif\" data-rmiz=\"\"><a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-7-1743415211.webp\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20905\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-7-1743415211.webp\" alt=\"Lo Hong Zero Day Fpt Is 7 1743415211\" width=\"741\" height=\"114\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-7-1743415211.webp 741w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-7-1743415211-700x108.webp 700w\" sizes=\"(max-width: 741px) 100vw, 741px\" \/><\/a><\/span><\/p>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">If a user checks the .lnk file containing this malware, Windows will not be able to display the malicious command-line arguments in the user interface because these arguments are completely hidden from the user&#8217;s view.<a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-8-1743415215.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20906\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-8-1743415215.png\" alt=\"Lo Hong Zero Day Fpt Is 8 1743415215\" width=\"407\" height=\"509\" \/><\/a><\/span><\/li>\n<\/ul>\n<ol start=\"2\">\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 14pt\"><strong>Distribute Malicious Files<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Once a malicious\u00a0<code>.lnk<\/code>\u00a0shortcut is created, attackers use various methods to distribute the\u00a0<code>.lnk<\/code>\u00a0file, including:<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Phishing Emails<\/strong>: Attach the shortcut in an email with enticing content to trick the victim into opening the 
file.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>USB Drives &amp; External Storage Devices<\/strong>: When plugged into a computer, the shortcut automatically executes the malware.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Downloads from Malicious Websites<\/strong>: Lure victims into downloading the shortcut file from fraudulent websites.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Internal Network Attacks<\/strong>: Spread the shortcut through shared folders on the corporate network.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 14pt\"><strong>Execute Malicious Shortcut File<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The malicious\u00a0<code>.lnk<\/code>\u00a0file, once distributed on the victim&#8217;s machine, uses\u00a0<strong>malicious arguments<\/strong>\u00a0to execute malware on the Windows system.<a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-9-1743415218.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20907\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-9-1743415218.png\" alt=\"Lo Hong Zero Day Fpt Is 9 1743415218\" width=\"1144\" height=\"269\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-9-1743415218.png 1144w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-Zero-day-FPT-IS-9-1743415218-700x165.png 700w\" sizes=\"(max-width: 1144px) 100vw, 1144px\" \/><\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">This Shortcut file has been disguised by attackers as a PDF file to trick users into opening it. 
In reality, it is not a\u00a0<code>.pdf<\/code>\u00a0file but a\u00a0<strong>shortcut<\/strong>\u00a0<code>.lnk<\/code>\u00a0pointing to a Windows system file.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The attacker will use:\u00a0<code>\"..\\..\\..\\WINDOWS\\system32\\conhost.exe\"<\/code>\u00a0exploiting:\u00a0<code>conhost.exe<\/code>\u00a0as a legitimate Windows process, commonly used to run\u00a0<strong>cmd.exe<\/strong>\u00a0in a command-line environment. This allows\u00a0<strong>silent execution of malicious code<\/strong>.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Notably, the .lnk file contains a command line parameter:\u00a0<strong>Command Line Arguments<\/strong>\u00a0that is extremely dangerous.<\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><code>headless ssh<\/code>: This could be a\u00a0<strong>hidden SSH session<\/strong>, which might involve opening a\u00a0<strong>remote connection<\/strong>\u00a0or exploiting the system.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><code>\u2014o ProxyCommand=\"cmd \/c msg * Error Oxde23a: Incomplete File.\u201d<\/code><\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><code>cmd \/c<\/code>\u00a0\u2192 Executes the\u00a0<strong>msg<\/strong>\u00a0command (displays a fake error message).<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><code>Error Oxde23a: Incomplete File.<\/code>\u00a0\u2192\u00a0<strong>The attacker tricks the victim into thinking there is a file error.<\/strong><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Purpose:<\/strong>\u00a0To possibly lure the victim into clicking OK, then continue executing the malware.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">\u00a0<code>C:\\Program Files 
(x86)\\Microsoft\\Edge\\Application\\msedge.exe<\/code><\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Points to the Microsoft Edge browser, which can be used to open malicious websites or run remote scripts.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">In the .lnk file, a\u00a0<code>'*'<\/code>\u00a0is noted; when it is set from a system file, it makes the shortcut look like a valid PDF file.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">Finally, a part of the malicious file is identified as\u00a0<strong>payload, macro, or shellcode<\/strong>.<a href=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-zero-day-FPT-IS-10-1743415221.webp\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-20908\" src=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-zero-day-FPT-IS-10-1743415221.webp\" alt=\"Lo Hong Zero Day Fpt Is 10 1743415221\" width=\"767\" height=\"64\" srcset=\"https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-zero-day-FPT-IS-10-1743415221.webp 767w, https:\/\/cdn.fpt-is.com\/en\/sites\/3\/Lo-hong-zero-day-FPT-IS-10-1743415221-700x58.webp 700w\" sizes=\"(max-width: 767px) 100vw, 767px\" \/><\/a><\/span>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">This is the\u00a0<strong>SHA-256 hash<\/strong>\u00a0of the data inserted into the shortcut.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\">The attacker can\u00a0<strong>embed malware directly into the<\/strong>\u00a0<code>.lnk<\/code>\u00a0shortcut or use it to load a remote payload.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h2 id=\"heading-recommendation\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 18pt\"><strong>Recommendation<\/strong><\/span><\/h2>\n<ol>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 14pt\"><strong>Enhance user awareness 
and training<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Alert users<\/strong>\u00a0about the risks of unknown or suspicious shortcut (.lnk) files.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Train<\/strong>\u00a0employees to recognize and avoid opening unidentified files or links in emails or on the internet.<\/span><\/li>\n<\/ul>\n<\/li>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 14pt\"><strong>Configure systems to minimize risk:<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Show file extensions<\/strong>: Ensure the system does not hide familiar file extensions, making it easier for users to identify suspicious files.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Block .lnk file execution<\/strong>\u00a0from untrusted sources or in temporary directories.<\/span><\/li>\n<\/ul>\n<\/li>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 14pt\"><strong>Use and update security software:<\/strong><\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Install and update<\/strong>\u00a0security solutions like antivirus software, firewalls, and intrusion detection systems (IDS) to detect and block malicious .lnk files.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Use security solutions capable of detecting<\/strong>\u00a0unusual behaviors related to .lnk files.<\/span><\/li>\n<\/ul>\n<\/li>\n<li>\n<h3><span style=\"font-family: arial, helvetica, sans-serif;font-size: 14pt\">Apply additional security measures:<\/span><\/h3>\n<ul>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Implement the principle of least privilege<\/strong>: Ensure users have only the necessary access to minimize the impact of exploiting 
vulnerabilities.<\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Update systems and software<\/strong>: Although Microsoft has not yet released a patch for this vulnerability, keeping systems and software updated can reduce the risk from other vulnerabilities.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h2 id=\"heading-conclusion\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 18pt\"><strong>Conclusion<\/strong><\/span><\/h2>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">The threat posed by APTs originating from nation-states, as well as from sophisticated cybercriminal groups, presents significant risks to the security, integrity, and availability of data maintained by governments, critical infrastructure, and private organizations worldwide. Among the 11 state-sponsored APT groups exploiting ZDI-CAN-25373, most have a documented history of exploiting zero-day vulnerabilities in attacks. These vulnerabilities are particularly risky because they target flaws that are still unknown to software vendors and lack corresponding security patches, thus leaving governments and organizations vulnerable to exploitation. This increasing rate of exploitation demands the implementation of comprehensive security solutions to effectively protect critical assets and industries.<\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\">This vulnerability was reported to Microsoft through Trend ZDI&#8217;s &#8220;bug bounty&#8221; program. 
Microsoft has classified this as low severity, and it will not be patched in the near future.<\/span><\/p>\n<h1 id=\"heading-ioc\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 18pt\"><strong>IOC<\/strong><\/span><\/h1>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"http:\/\/trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/c\/zdi-can-25373-windows-shortcut-exploit-abused-as-zero-day-in-widespread-apt-campaigns\/IOCs_ZDI-CAN-25373.txt\" target=\"_blank\" rel=\"noopener nofollow\">trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/c\/zdi-can-25373-windows-shortcut-exploit-abused-as-zero-day-in-widespread-apt-campaigns\/IOCs_ZDI-CAN-25373.txt<\/a><\/span><\/li>\n<\/ol>\n<h1 id=\"heading-reference\" class=\"permalink-heading\"><span style=\"font-family: arial, helvetica, sans-serif;font-size: 18pt\"><strong>Reference<\/strong><\/span><\/h1>\n<ol>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/c\/windows-shortcut-zero-day-exploit.html\" target=\"_blank\" rel=\"noopener nofollow\">ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns | Trend Micro (US)<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/www.linkedin.com\/posts\/jpcastro_zeroday-apt-cybersecurity-activity-7307810637789675521-WMbC\/?utm_source=share&amp;utm_medium=member_desktop&amp;rcm=ACoAAEvRpcYBhO2hZKABtwoNnMAc1xZ3wyW4364\" target=\"_blank\" rel=\"noopener nofollow\">Post | LinkedIn<\/a><\/span><\/li>\n<li><span style=\"font-family: arial, helvetica, sans-serif\"><a href=\"https:\/\/thehackernews.com\/2025\/03\/unpatched-windows-zero-day-flaw.html\" target=\"_blank\" rel=\"noopener nofollow\">Unpatched Windows Zero-Day Flaw Exploited by 11 State-Sponsored Threat Groups Since 2017<\/a><\/span><\/li>\n<\/ol>\n<table style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\"><p><span style=\"font-family: arial, helvetica, sans-serif\"><strong>Exclusive article by FPT IS Technology Experts<\/strong><\/span><\/p>\n<p><span style=\"font-family: arial, helvetica, sans-serif\"><em>Luu Tuan Anh \u2013 FPT IS Cyber Security Center<\/em><\/span><\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"author":21,"featured_media":21396,"parent":0,"template":"","nang_luc":[790,821],"danh_muc_goc_nhin_so":[789],"dich_vu":[712],"linh_vuc":[],"platform":[],"san_pham":[],"the_goc_nhin_so":[],"class_list":["post-20898","goc_nhin_so","type-goc_nhin_so","status-publish","has-post-thumbnail","hentry","nang_luc-experts-sharing","nang_luc-security","danh_muc_goc_nhin_so-expert-sharing","dich_vu-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so\/20898","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/goc_nhin_so"}],"about":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/types\/goc_nhin_so"}],"author":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/users\/21"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media\/21396"}],"wp:attachment":[{"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/media?parent=20898"}],"wp:term":[{"taxonomy":"nang_luc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/nang_luc?post=20898"},{"taxonomy":"danh_muc_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/danh_muc_goc_nhin_so?post=20898"},{"taxonomy":"dich_vu","embeddable":true,"href":"https:\/\/fpt-i
s.com\/en\/wp-json\/wp\/v2\/dich_vu?post=20898"},{"taxonomy":"linh_vuc","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/linh_vuc?post=20898"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/platform?post=20898"},{"taxonomy":"san_pham","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/san_pham?post=20898"},{"taxonomy":"the_goc_nhin_so","embeddable":true,"href":"https:\/\/fpt-is.com\/en\/wp-json\/wp\/v2\/the_goc_nhin_so?post=20898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}