Full Report
The Zero Day Initiative measured the prevalence of manipulated Windows shortcut files in campaigns attributed to nation-state hacking groups — finding at least 11 exploited a bug that allows malicious use of the files.
Analysis Summary
# Threat Actor: Various Nation-State Groups exploiting ZDI-CAN-25373
## Attribution & Identity
This analysis aggregates information spanning multiple nation-state threat actors primarily from **North Korea, China, Russia, and Iran**. The identified actors utilize a shared vulnerability (ZDI-CAN-25373) and exhibit indicators of **"cross-collaboration, technique, and tool sharing"** among some North Korean operations.
**Associated Groups Mentioned:** Kimsuky (DPRK), APT37 (DPRK), Evil Corp (quasi-criminal, affiliated with Russian intelligence).
## Activity Summary
Researchers at ZDI identified multiple campaigns, dating back to 2017, that exploit a vulnerability in **Windows shortcut (.lnk) files (ZDI-CAN-25373)**; nearly a dozen state-sponsored groups have used it. The vulnerability allows malicious content to be executed without the victim realizing the file is dangerous. Approximately 70% of the analyzed campaigns were aimed at espionage and information theft, while 20% were for financial gain. The groups leverage this flaw to conduct data theft and cyber espionage operations. Evil Corp was observed using the exploit to deploy the Raspberry Robin malware.
## Tactics, Techniques & Procedures
- Exploitation of a vulnerability in **Windows shortcut (.lnk) files (ZDI-CAN-25373)** related to how Windows displays shortcut contents.
- **Social Engineering/Deception:** Threat actors change the icon of the .lnk file and often append a "spoof" extension (e.g., `.pdf.lnk`) to trick users into executing the file.
- **Evasion Techniques (APT37):** Use of large .lnk files containing excessive whitespace or junk content to evade detection.
- Exploitation is often used as a method for initial malware deployment (e.g., Raspberry Robin deployment by Evil Corp).
## Targeting
- **Sectors:** Government entities, cryptocurrency-related firms, think tanks, telecommunications companies, and military/defense organizations.
- **Geography:** The vast majority of identified victims (>300) are based in the **U.S.** Dozens of other victims are spread across **Canada, Russia, South Korea, Vietnam, and Brazil.**
- **Victims:** Unspecified government entities and private sector firms across targeted industries.
## Tools & Infrastructure
- **Malware families used:** Raspberry Robin malware (deployed by Evil Corp).
- **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the summary provided, beyond the utilization of the vulnerability itself.
## Implications
Widespread exploitation across multiple nation-states of a long-standing flaw that Microsoft has not immediately patched indicates that it is a high-value initial-access vector. The observed cross-collaboration, particularly within North Korea’s cyber program, suggests mature operational sharing. As geopolitical conflicts rise, the anticipated reliance on zero-day vulnerabilities that target fundamental OS features (such as shortcut rendering) poses a substantial, persistent risk to critical industries globally.
## Mitigations
- **Defender Monitoring:** Microsoft Defender has detections in place that identify and block this type of threat activity.
- **Smart App Control:** Smart App Control can block malicious files downloaded from the Internet.
- **User Awareness:** Users should be cautious when opening .lnk files downloaded from the internet, as Windows typically issues a security warning for these files from unknown sources.
- **Icon and Extension Verification:** Security teams and users should be trained to recognize deceptive tactics, such as file icons conflicting with the actual file extension (e.g., an icon suggesting a PDF but ending in .lnk).
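As an added triage example (not code from ZDI, Microsoft or the report), the script below parses the StringData block of a Windows Shell Link file and flags the two indicators described in the TTP and mitigation sections above: a spoofed double extension such as `.pdf.lnk`, and a shortcut whose argument field is dominated by whitespace padding. It assumes the MS-SHLLINK on-disk layout, places the padding in the COMMAND_LINE_ARGUMENTS field, and uses a threshold of 64 whitespace characters; the sample .lnk bytes are constructed in-line and carry no link target.

```python
import struct

# MS-SHLLINK layout constants (from the public file-format spec, not from the report).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in on-disk order, each with its LinkFlags bit
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
PADDING = " \t\r\n\x0b\x0c"

def parse_string_data(data: bytes) -> dict:
    """Walk a .lnk file up to its StringData block and return the five string fields."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                   # fixed-size ShellLinkHeader
    if flags & HAS_TARGET_IDLIST:                # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:              # CountCharacters (2 bytes) + chars, no NUL
        if not flags & bit:
            fields[name] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2: pos + 2 + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += 2 + count * width
    return fields

def triage_lnk(filename: str, data: bytes, pad_threshold: int = 64) -> list:
    """Return findings for the two indicators: spoofed extension and padded arguments."""
    findings = []
    parts = filename.replace("\\", "/").rsplit("/", 1)[-1].lower().split(".")
    if parts[-1] == "lnk" and len(parts) >= 3:   # e.g. invoice.pdf.lnk
        findings.append(f"spoofed extension: .{parts[-2]}.lnk")
    args = parse_string_data(data)["arguments"] or ""
    pad = sum(1 for c in args if c in PADDING)   # whitespace hides the real arguments
    if pad >= pad_threshold:
        findings.append(f"argument padding: {pad} whitespace chars in {len(args)}-char field")
    return findings

def constructed_lnk(arguments: str) -> bytes:   # constructed sample: header + arguments only
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x20 | IS_UNICODE) + bytes(0x4C - 24)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

if __name__ == "__main__":                       # constructed sample, benign argument
    print(triage_lnk("invoice.pdf.lnk", constructed_lnk(" " * 600 + "/c notepad.exe")))
```

On real files, feed `triage_lnk` the filename and the raw bytes read from disk; the parser stops before ExtraData, so oversized junk appended after the string block does not affect it.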