Multi-year exploitation of Windows zero-day conducted by state-backed hackers

Vulnerability Management, Threat Intelligence

Attacks leveraging a newly discovered Windows shortcut zero-day vulnerability have been conducted by almost a dozen state-sponsored threat operations, including Mustang Panda, Kimsuky, Evil Corp, and SideWinder, as part of their cyberespionage and financially motivated campaigns worldwide since 2017, reports BleepingComputer.

Organizations in the Americas, Europe, East Asia, and Australia have been the main targets of intrusions involving the flaw, tracked as ZDI-CAN-25373, which could be exploited to enable arbitrary code execution on vulnerable Windows systems, according to an analysis from Trend Micro Zero Day Initiative researchers.

Malicious command-line arguments are being concealed in .LNK shortcut files to abuse the security bug, which stems from a User Interface Misrepresentation of Critical Information issue, researchers said.

"Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user," noted Trend Micro. Microsoft has already acknowledged the vulnerability, with a fix already under consideration.
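As an added illustration of the class of issue described above (not code from the article, Trend Micro or Microsoft), here is a small defender-side parser that reads the StringData fields of a Shell Link (.LNK) file per the public MS-SHLLINK layout and flags COMMAND_LINE_ARGUMENTS padded with long whitespace runs, one concealment pattern that fits the UI-misrepresentation description. The 32-character run threshold and the two in-memory sample files are constructed assumptions, not artifacts from the reported campaigns.

```python
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))  # LinkFlags bit -> StringData field


def parse_lnk(data: bytes) -> dict:
    """Read the ShellLinkHeader and the StringData section of a Shell Link (.LNK) file."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    if flags & HAS_ID_LIST:          # LinkTargetIDList: 2-byte size followed by the ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:        # LinkInfo: 4-byte size that counts the size field itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_FIELDS:  # each StringData item: 2-byte char count, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            fields[name] = data[off:off + count * width].decode("utf-16-le" if width == 2 else "latin-1")
            off += count * width
    return fields


def hidden_argument_report(fields: dict, run_threshold: int = 32) -> dict:
    """Flag arguments whose whitespace runs are long enough to push the real command
    past what a properties dialog shows (threshold is an assumed heuristic value)."""
    args = fields.get("arguments", "")
    longest = max((len(r) for r in re.findall(r"\s+", args)), default=0)
    return {"total_chars": len(args), "longest_whitespace_run": longest,
            "visible_command": " ".join(args.split()), "suspicious": longest >= run_threshold}


# Constructed in-memory samples (not real malware): a 76-byte header plus RelativePath and Arguments
def _lnk(flags: int, *strings: str) -> bytes:
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags | IS_UNICODE).ljust(0x4C, b"\0")
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)


BENIGN_LNK = _lnk(0x08 | 0x20, ".\\notepad.exe", "readme.txt")
PADDED_LNK = _lnk(0x08 | 0x20, ".\\cmd.exe", " " * 300 + "/c echo constructed-sample")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, hidden_argument_report(parse_lnk(blob)))
```

Running the module prints one report per sample; the padded one reports a 300-character whitespace run and the command that the padding would otherwise keep out of view.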

(Photo by Drew Angerer/Getty Images)