A critical Windows vulnerability that state-sponsored threat actors have been exploiting since 2017 has recently been uncovered by researchers. The vulnerability, tracked as ZDI-CAN-25373, allows attackers to execute hidden malicious commands on victims' machines by leveraging specially crafted Windows shortcut (.lnk) files.

The security flaw affects how Windows displays the contents of shortcut files through its user interface. Attackers use Space (0x20), Horizontal Tab (0x09), Line Feed (0x0A), and Carriage Return (0x0D) characters to hide malicious commands from users viewing the file properties. When users inspect a compromised .lnk file, Windows fails to display the malicious commands hidden within, effectively concealing the true danger of the file.

Trend Micro researchers noted that nearly 1,000 malicious .lnk files exploit this vulnerability across various campaigns. Their analysis revealed that 11 state-sponsored groups from North Korea, Iran, Russia, and China have been actively using this technique, primarily for espionage and data theft operations. The exploitation technique has been adopted widely by sophisticated threat actors for cyber espionage. North Korea is the most active exploiter of this vulnerability, accounting for nearly half of the state-sponsored actors leveraging the technique. Some North Korean threat actors, such as Earth Manticore (APT37) and Earth Imp (Konni), have been using extremely large .lnk files (with sizes up to 70.1 MB) containing excessive whitespace and junk content to further evade detection.

Organizations are advised to implement proper security controls and remain vigilant against suspicious shortcut files to protect against this persistent threat.
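The padding described above lives in the COMMAND_LINE_ARGUMENTS string of the shortcut, so a defender can check for it without relying on the Windows properties dialog. The following script is an added example, not code from the article or from Trend Micro: it parses the ShellLinkHeader and StringData section of a .lnk file per the public MS-SHLLINK layout, measures how much leading whitespace precedes the real arguments, and flags files whose padding or size is abnormal. The thresholds (`max_leading_pad`, `max_size`) and the minimal fixture builder used for offline testing are assumptions of this example; the fixture contains only a header and an argument string and is not a functional shortcut.

```python
import struct
import sys

HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# The four padding characters named in the article: space, tab, LF, CR
PAD_CHARS = " \t\n\r"


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]  # LinkFlags follows the 16-byte LinkCLSID
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize covers the whole structure
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + count * 2].decode("utf-16-le", errors="replace")
            pos += count * 2
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def assess_lnk(data: bytes, max_leading_pad: int = 16, max_size: int = 1_000_000) -> dict:
    """Flag shortcuts whose arguments are hidden behind whitespace or whose size is abnormal.

    Thresholds are assumptions for this example, not values from the article.
    """
    args = parse_lnk_strings(data).get("arguments", "")
    leading_pad = len(args) - len(args.lstrip(PAD_CHARS))
    total_pad = sum(1 for c in args if c in PAD_CHARS)
    reasons = []
    if leading_pad > max_leading_pad:
        reasons.append(f"{leading_pad} whitespace characters precede the arguments")
    if len(data) > max_size:
        reasons.append(f"file size {len(data)} bytes exceeds {max_size}")
    return {
        "leading_pad": leading_pad,
        "total_pad": total_pad,
        "hidden_command": args.strip(PAD_CHARS),  # what the properties dialog would not show
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def build_fixture(arguments: str) -> bytes:
    """Constructed test input: header plus COMMAND_LINE_ARGUMENTS only, not a working shortcut."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    # LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian GUID) order
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")
    struct.pack_into("<I", header, 0x14, HAS_ARGUMENTS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


if __name__ == "__main__":
    # Usage: python lnk_pad_check.py <file.lnk> ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = assess_lnk(fh.read())
        status = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{path}: {status} leading_pad={verdict['leading_pad']} "
              f"hidden={verdict['hidden_command']!r}")
```

Run it over a directory of shortcuts from mail attachments or downloads; a benign shortcut almost never carries more than a handful of whitespace characters before its arguments, so a large `leading_pad` together with the size check gives a cheap triage signal independent of whatever the Windows UI chooses to render.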
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 18 Mar 2025 17:35:23 +0000