New research has uncovered that advanced persistent threat (APT) groups from North Korea, Iran, Russia, and China are actively exploiting a Windows shortcut vulnerability to carry out stealthy cyberattacks. According to Trend Micro’s Zero Day Initiative (ZDI), this flaw allows attackers to execute malicious commands on victims’ devices using deceptive Windows shortcut files.
Security researchers Peter Girnus and Aliakbar Zahravi revealed in their March 18 blog post that at least 11 state-backed hacking groups have been abusing this vulnerability, tracked as ZDI-CAN-25373. By manipulating crafted .lnk shortcut files, these attackers gain remote code execution capabilities without raising suspicion.
Trend Micro noted that this zero-day flaw has primarily been used for cyber espionage and data theft. These operations stretch back as far as 2017, with targets spanning government agencies, financial institutions, telecom providers, military groups, and energy companies. Victims have been identified across North America, Europe, Asia, South America, and Australia.
How the Windows Shortcut Vulnerability Enables Stealth Attacks
The core issue lies in the way Windows processes .lnk files within its user interface. Known as Shell Link files, .lnk shortcuts typically help users quickly access apps, folders, or files. However, attackers exploit this system by embedding malicious code within the shortcut’s target field — all while ensuring it remains invisible to victims.
What makes this flaw particularly dangerous is its subtlety. Attackers use vast amounts of white space to hide the malicious payload deep within the file, making it impossible for standard Windows tools to display the embedded threat. To reveal this hidden code, victims would need specialized tools like a hex editor — something most users are unlikely to have or use.
Researchers discovered that while .lnk files are usually lightweight, APT groups manipulated this attack vector by creating shortcut files over 70MB in size. These oversized files help bury malicious commands even deeper, further evading detection.
For the exploit to work, attackers first need to deliver the booby-trapped .lnk file directly to the target’s desktop — often through phishing emails or file-sharing platforms. Once there, they rely on misleading icons and filenames to trick users into clicking. If opened, the file executes malicious code, giving attackers a foothold into the system. Researchers classify this issue as a case of UI misrepresentation (CWE-451), where Windows fails to display critical security information, leaving users blind to the danger.
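Because the Windows properties dialog is exactly the view that hides the padding, a defender's triage has to read the Shell Link structure directly rather than trust the UI. The script below is an added example, not code from Trend Micro, ZDI or Microsoft. It walks the public MS-SHLLINK layout (76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData fields) to pull out the COMMAND_LINE_ARGUMENTS string and flags shortcuts whose arguments contain long runs of whitespace, or whose file size is far beyond what a shortcut needs. The set of padding characters, the run and size thresholds, and the `build_lnk` test fixture (which writes a minimal shortcut with a benign argument string) are this example's own assumptions; the report field names are hypothetical.

```python
import struct

# MS-SHLLINK constants (public format): header size and the Shell Link CLSID
# {00021401-0000-0000-C000-000000000046} as it appears on disk (little-endian).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Assumed padding alphabet: characters the properties dialog renders as blank.
PADDING_CHARS = " \t\r\n\x0b\x0c"


def parse_string_data(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir,
    arguments, icon_location) of a Shell Link file as Python strings."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link file: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (uint16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (uint32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    # StringData entries appear in this fixed order, each as CountCharacters + chars.
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def longest_whitespace_run(text: str) -> int:
    """Length of the longest consecutive run of padding characters."""
    best = run = 0
    for ch in text:
        run = run + 1 if ch in PADDING_CHARS else 0
        best = max(best, run)
    return best


def triage_lnk(data: bytes, run_threshold: int = 16, size_threshold: int = 1_000_000) -> dict:
    """Flag a shortcut whose arguments hide a command behind whitespace padding
    or whose size is implausible for a shortcut (thresholds are assumptions)."""
    args = parse_string_data(data).get("arguments", "")
    run = longest_whitespace_run(args)
    report = {
        "size_bytes": len(data),
        "arguments_chars": len(args),
        "longest_whitespace_run": run,
        "command_after_padding": args.strip(PADDING_CHARS),
        "padded": run >= run_threshold,
        "oversized": len(data) > size_threshold,
    }
    report["suspicious"] = report["padded"] or report["oversized"]
    return report


def build_lnk(arguments: str, unicode: bool = True) -> bytes:
    """Constructed test fixture: a minimal Shell Link carrying only an
    arguments string (no IDList, no LinkInfo). Not a real-world sample."""
    flags = HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand=1 (SW_SHOWNORMAL)
    encoded = arguments.encode("utf-16-le") if unicode else arguments.encode("cp1252")
    return header + struct.pack("<H", len(arguments)) + encoded


if __name__ == "__main__":
    sample = build_lnk(" " * 4000 + "/c echo constructed-sample")
    print(triage_lnk(sample))
```

Run against a directory of quarantined shortcuts, the `command_after_padding` field shows what the properties dialog would have scrolled out of view, and `longest_whitespace_run` gives an objective number to alert on; a legitimate shortcut rarely has more than a single space between arguments.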
Despite the serious risks, Microsoft has chosen not to prioritize an immediate fix. The company categorized the flaw as “low severity,” stating it doesn’t meet the threshold for urgent patching.
In a statement to Dark Reading, a Microsoft spokesperson assured that Microsoft Defender can detect and block such threats. Additionally, Windows Smart App Control prevents malicious files from executing if they originate from the internet.
“We appreciate ZDI’s efforts in responsibly disclosing this issue. As always, we urge users to exercise caution when handling files from unfamiliar sources,” the spokesperson added. “Even though this issue does not qualify for immediate servicing, it will be considered for future updates.”
Microsoft also clarified that opening .lnk files downloaded online triggers a security warning, urging users to stop and reconsider. The company downplayed the practicality of this exploit, claiming most users don’t inspect file properties where the malicious code is hidden.
Still, some experts argue this approach is risky given the threat’s scale. ZDI’s Dustin Childs commented that while fixing the flaw poses challenges, Microsoft’s response doesn’t align with its ambitious Secure Future Initiative.
“It’s not ideal, especially since nation-state hackers have been exploiting this for years,” Childs said. “This should serve as enough motivation for Microsoft to rethink its stance.”
For now, the best defense remains caution. Organizations are urged to strengthen their security protocols and educate employees on the risks of interacting with unknown files — especially shortcut files that could be silently hiding malicious commands.