An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers

(Image credit: Avast)

Trend Micro warns of an old Windows zero-day still in use today
Many nation-states are abusing the bug to run espionage campaigns
Microsoft doesn't deem it critical

A Windows zero-day vulnerability which has remained unpatched for eight years has been exploited by 11 nation-state attackers, and countless financially motivated groups, experts have warned.

Trend Micro’s Zero Day Initiative (ZDI) criticized Microsoft for downplaying the importance of the findings into the vulnerability, tracked as ZDI-CAN-25373, which is a flaw in Windows that allows attackers to craft malicious shortcut (.lnk) files, enabling the execution of hidden commands when a user interacts with these files.

This exploit can be abused by embedding harmful code within the .lnk file, which the victim then unknowingly runs when opening the shortcut. The vulnerability was used in data theft attacks, espionage, and malware distribution.

"Very detailed information"

The researchers said the bug has been in use since 2017, and that they found some 1,000 weaponized .LNK files recently. The total number, obviously, is much bigger.

After sifting through the files, ZDI said the majority came from nation-state actors (70%), and were used in espionage or data theft. Of that number, almost half (46%) were built by North Korean actors, followed by Russia, Iran, and China, with roughly 18% each. The rest fell to financially motivated groups.

That being said, most victims are government agencies, followed by firms in the private sector, financial organizations, think tanks, and telecommunications firms.

The researchers also slammed Microsoft for allegedly downplaying the issue: "We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines,” Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register.

"We consider that a security thing. Again, not a critical security thing, but certainly worth addressing through a security update," Childs opined.

Microsoft seems to agree, at least about the “not critical” part. A spokesperson told The Register: "While the UI experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release."

Windows PCs targeted by dangerous new threat that even gets around Defender - and even though there's a fix, you could still be at risk
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.