Nation-state actors and cybercrime gangs abuse malicious .lnk files for espionage and data theft

11 state-sponsored APTs exploit malicious .lnk files for espionage and data theft, with ZDI uncovering 1,000 such files used in attacks.

At least 11 state-sponsored threat groups have been abusing Windows shortcut files for espionage and data theft, according to an analysis by Trend Micro’s Zero Day Initiative (ZDI).

Trend ZDI researchers discovered 1,000 malicious .lnk files used by nation-state actors and cybercrime groups to execute hidden malicious commands on a victim’s machine by exploiting the vulnerability ZDI-CAN-25373.

Since 2017, the vulnerability has been exploited by APT groups from North Korea, Iran, Russia, and China. The attacks carried out by the threat actors aimed at organizations across the government, financial, telecommunications, military, and energy sectors in North America, Europe, Asia, South America, and Australia. Nearly half of the threat actors exploiting ZDI-CAN-25373 are from North Korea (45,5%), with 70% focused on espionage and 20% on financial gain, often interlinked.

malicious .lnk files

The researchers notified Microsoft that has yet to address the zero-day.

“We discovered nearly a thousand Shell Link (.lnk) samples that exploit ZDI-CAN-25373; however, it is probable that the total number of exploitation attempts are much higher. Subsequently, we submitted a proof-of-concept exploit through Trend ZDI’s bug bounty program to Microsoft, who declined to address this vulnerability with a security patch.” reads the report published by ZDI.

Analysis of ZDI-CAN-25373 exploits reveals they were used to deliver diverse malware payloads, including MaaS and commodity malware. Water Asena (Evil Corp) leveraged it in Raspberry Robin campaigns. Some proof-of-concept samples suggest use in attack chain development. Trend Micro telemetry helped correlate recovered payloads, highlighting widespread abuse across various threat campaigns.

ZDI-CAN-25373 exploits how Windows handles .lnk files, enabling attackers to embed malicious commands in shortcuts. Victims see no obvious threat in the UI. The .lnk file format allows embedding command-line arguments, which can execute malicious payloads. Threat actors also manipulate icons and filenames (e.g., “document.pdf.lnk”) to trick users into opening them.

Threat actors exploit ZDI-CAN-25373 by padding .lnk files with whitespace, hiding malicious commands in Windows UI. This prevents users from seeing executed arguments. The researchers noticed that some North Korean APTs, like Earth Manticore and Earth Imp, use oversized .lnk files (up to 70MB) to evade detection. This UI misrepresentation flaw (CWE-451) stops users from assessing file risks, aiding stealthy cyberattacks.

“Among the 11 state-sponsored APT groups leveraging ZDI-CAN-25373, a majority have a documented history of exploiting zero-day vulnerabilities in attacks in the wild. These vulnerabilities present substantial risks, as they target flaws that remain unknown to software vendors and lack corresponding security patches, thereby leaving governments and organizations vulnerable to exploitation.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malicious .lnk files)