Windows .lnk Zero-Day (ZDI-CAN-25373): 11 State-Sponsored Groups, 8 Years Unpatched — How SMBs Can Defend Now
TL;DR
- A Windows shortcut (.lnk) vulnerability tracked as ZDI-CAN-25373 has been actively exploited by 11 state-sponsored hacking groups from North Korea, Russia, Iran, and China since at least 2017 — and Microsoft has declined to patch it [1][3].
- The exploit uses whitespace padding characters to hide malicious commands in .lnk file arguments, making them invisible in the Windows UI [2].
- Trend Micro's Zero Day Initiative found nearly 1,000 malicious .lnk samples in the wild, with 70% used for espionage and 20% for financial theft [1][8].
- Practical mitigations exist today: block .lnk files at email gateways, deploy EDR with behavioral detection, enforce Group Policy restrictions, and train staff to recognize suspicious shortcuts [4][10].
What Is the Windows .lnk Zero-Day Vulnerability (ZDI-CAN-25373)?
ZDI-CAN-25373 is a user interface misrepresentation vulnerability (classified as CWE-451) in how Windows displays shortcut (.lnk) files. Discovered by Trend Micro Zero Day Initiative researchers Peter Girnus and Aliakbar Zahravi, the flaw allows attackers to craft .lnk files that contain hidden malicious command-line arguments [1][2].
The technique is deceptively simple. Attackers pad the command-line arguments within a .lnk file with whitespace characters — specifically Space (0x20), Horizontal Tab (0x09), Line Feed (0x0A), and Non-Breaking Space (0xA0). These characters push the actual malicious payload far beyond what Windows displays in the shortcut's properties dialog. When a user right-clicks a .lnk file and inspects its target field, they see what appears to be a harmless path. The real commands — downloading malware, establishing backdoors, exfiltrating data — sit invisibly beyond the visible area [2][4].
According to Trend Micro, the vulnerability was submitted to Microsoft in September 2024 and publicly disclosed on March 18, 2025 [1]. Despite evidence of active exploitation spanning eight years, Microsoft responded that the issue "does not meet the bar for immediate servicing" [3][7]. As of March 2026, no CVE has been assigned, and no official patch exists.
Which State-Sponsored Groups Are Exploiting This Flaw?
The scope of exploitation is extraordinary. According to Trend Micro's research, 11 state-sponsored threat groups from four countries have independently weaponized this vulnerability [1][5]:
North Korea: Kimsuky (APT-43), ScarCruft (APT-37), Lazarus Group, and InkySquid have all leveraged malicious .lnk files. These groups are responsible for both espionage campaigns and financially motivated attacks, including cryptocurrency theft operations [1][6].
Russia: Evil Corp and APT-29 (Cozy Bear) — the latter famously linked to the SolarWinds compromise — have used the technique in targeted operations against government and defense entities [3][9].
Iran: APT-34 (OilRig) has deployed .lnk-based attacks targeting energy and telecommunications sectors, consistent with Iran's broader cyber-espionage objectives [5][12].
China: Mustang Panda, Bitter (APT-T-17), and ConeyBug have exploited the flaw in campaigns against government institutions and think tanks across Southeast Asia and beyond [1][8].
Additional groups including BrazenBamboo and Water Gamayun (also known as EncryptHub) round out the list of known exploiters [1][6].
According to SC World, researchers identified nearly 1,000 malicious .lnk samples leveraging this technique [8]. According to Trend Micro, approximately 70% of attacks using this vulnerability were aimed at espionage and intelligence gathering, while roughly 20% targeted financial gain [1].
Why Did Microsoft Refuse to Patch ZDI-CAN-25373?
Microsoft's decision not to issue an immediate security update has drawn sharp criticism from the security community. According to BleepingComputer, Microsoft classified the vulnerability as not meeting the severity threshold for urgent servicing, characterizing it as a UI issue rather than a security boundary violation [3].
According to Ars Technica, this classification is controversial because the exploit effectively bypasses user inspection — one of the fundamental trust mechanisms Windows users rely on to evaluate shortcuts before executing them [7]. Security researchers argue that when a UI element is specifically designed to let users verify what a file does, hiding malicious content from that UI constitutes a meaningful security failure [4][9].
For SMB owners, the practical takeaway is clear: you cannot rely on Microsoft to close this gap in the near term. Protecting your business means implementing layered defenses independently, which is achievable with the right approach.
Who Is Being Targeted — and Are Small Businesses at Risk?
Primary targets identified in Trend Micro's research include government agencies, defense contractors, financial institutions, telecommunications providers, energy companies, and think tanks [1][5]. These are the direct targets of state-sponsored espionage.
Small and mid-size businesses should not dismiss this threat. Supply chain attacks routinely use smaller vendors as entry points into larger targets. According to CyberScoop, state-backed groups frequently compromise third-party suppliers and service providers as stepping stones [9]. If your business provides services to any organization in the targeted sectors — IT support, consulting, logistics, staffing — you represent a viable attack path.
The financial theft component is also significant. According to Trend Micro, 20% of observed attacks were financially motivated [1]. Lazarus Group alone has stolen billions in cryptocurrency and conducted destructive attacks against financial institutions of all sizes [6][12].
How Does the .lnk Whitespace Exploit Actually Work?
Understanding the mechanics helps inform defense. A standard Windows .lnk shortcut file contains a target path and optional command-line arguments. When a user inspects a shortcut's properties, Windows displays the target field in a fixed-width text box [2].
Attackers construct .lnk files whose target is a legitimate-looking path — for example, C:\Windows\System32\cmd.exe — and whose command-line arguments begin innocuously. They then insert hundreds or thousands of whitespace characters (spaces, tabs, line feeds, non-breaking spaces) into the arguments before appending the actual malicious commands. The properties dialog only displays the first portion of the target field, so the padding pushes the real commands out of the visible area. The malicious payload is fully present in the arguments but remains completely invisible to manual inspection [2][4].
When the user double-clicks the shortcut, Windows executes the entire command line — including the hidden malicious portion. This can trigger PowerShell scripts, download remote payloads, establish persistence mechanisms, or execute arbitrary code [1][10].
The elegance of this technique explains its longevity. It requires no memory corruption, no privilege escalation exploit, and no sophisticated toolchain. It exploits a fundamental gap between what Windows shows users and what Windows actually executes [7].
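To make the mechanics above concrete from the defender's side, here is an added example (not code from Trend Micro, ZDI, or any of the cited outlets) that parses the MS-SHLLINK binary layout far enough to pull out the COMMAND_LINE_ARGUMENTS string and flags the whitespace-padding pattern described above and in mitigation 5 below. The 64-character run threshold, the field names, and the in-memory test shortcuts are all constructed for this example.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader.LinkFlags).
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
WHITESPACE = " \t\n\xa0\r\x0b\x0c"  # the article's 0x20/0x09/0x0A/0xA0 plus CR, VT, FF
PAD_THRESHOLD = 64  # assumed cut-off: a longer unbroken run is flagged as padding

def _read_string(buf, pos, unicode):
    """Read one StringData entry: a 2-byte character count, then the characters."""
    count = struct.unpack_from("<H", buf, pos)[0]
    pos += 2
    if unicode:
        return buf[pos:pos + count * 2].decode("utf-16-le"), pos + count * 2
    return buf[pos:pos + count].decode("latin-1"), pos + count

def parse_lnk(buf):
    """Return the StringData fields (name, relative_path, working_dir, arguments, ...)."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    pos = 0x4C
    if flags & HAS_ID_LIST:       # LinkTargetIDList: 2-byte IDListSize, then the list
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:     # LinkInfo: 4-byte LinkInfoSize that counts itself
        pos += struct.unpack_from("<I", buf, pos)[0]
    fields = {}
    for name, flag in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                       ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                       ("icon_location", HAS_ICON_LOCATION)):
        if flags & flag:          # StringData entries appear in exactly this order
            fields[name], pos = _read_string(buf, pos, flags & IS_UNICODE)
    return fields

def analyze_padding(arguments):
    """Find the longest whitespace run and expose whatever follows it."""
    longest = run = 0
    tail_start = len(arguments)
    for i, ch in enumerate(arguments):
        run = run + 1 if ch in WHITESPACE else 0
        if run > longest:
            longest, tail_start = run, i + 1
    suspicious = longest > PAD_THRESHOLD
    return {"longest_run": longest, "suspicious": suspicious,
            "hidden_tail": arguments[tail_start:].strip() if suspicious else ""}

def scan(buf):
    """Parse a .lnk blob and return the padding verdict for its arguments."""
    return analyze_padding(parse_lnk(buf).get("arguments", ""))

def build_test_lnk(arguments, relative_path=r"..\..\Windows\System32\cmd.exe"):
    """Constructed minimal shortcut (no IDList/LinkInfo) for exercising the parser."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\0" * (0x4C - 24)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body

if __name__ == "__main__":
    print(scan(build_test_lnk("/k echo hello")))          # benign: short runs only
    padded = "/c echo visible" + " " * 400 + "& echo HIDDEN_PLACEHOLDER"
    print(scan(build_test_lnk(padded)))                    # flagged, tail revealed
```

Run `scan()` over shortcuts quarantined at the mail gateway or collected from user-writable folders; the `hidden_tail` field shows the analyst exactly what the properties dialog would not.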
What Concrete Steps Can SMBs Take to Defend Against .lnk Attacks?
Defending against this vulnerability does not require enterprise-scale budgets. These mitigations are practical and effective for small and mid-size businesses [4][10]:
1. Block .lnk files at email gateways. Configure your email security solution (Microsoft Defender for Office 365, Proofpoint, Mimecast, or equivalent) to strip or quarantine .lnk file attachments. There is almost never a legitimate reason to email a Windows shortcut file [4].
2. Deploy endpoint detection and response (EDR). Modern EDR solutions detect suspicious process chains — such as a .lnk file spawning PowerShell or cmd.exe with obfuscated arguments — regardless of how the .lnk file is constructed. Solutions like Microsoft Defender for Endpoint, SentinelOne, and CrowdStrike all provide behavioral detection capabilities [10].
3. Enable Smart App Control and Windows Defender Application Control (WDAC). Smart App Control (available in Windows 11) blocks untrusted applications and scripts. WDAC policies can prevent execution of unsigned or untrusted code launched from shortcuts [4].
4. Restrict .lnk execution via Group Policy. Use Software Restriction Policies or AppLocker rules to limit which applications can be launched via shortcut files, particularly from user-writable directories like Downloads and Temp folders [10].
5. Implement YARA rules for .lnk analysis. Security teams can deploy YARA rules that detect .lnk files containing excessive whitespace padding in their command-line arguments. Trend Micro has published indicators of compromise and detection signatures [1][2].
6. Train staff on shortcut file risks. Users should understand that .lnk files received via email, USB drives, or cloud sharing links can be weaponized. Encourage a policy of verifying unexpected shortcuts with the sender through a separate communication channel [3].
7. Monitor for anomalous process execution. Alert on scenarios where explorer.exe or shortcut-handler processes spawn command interpreters (cmd.exe, powershell.exe, wscript.exe) with unusually long or padded command-line arguments [2].
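As an added example of the process-level monitoring in step 7 (not code from any of the cited sources or vendors), the following rule evaluates Sysmon-style process-creation events for a shortcut host (explorer.exe) spawning one of the interpreters named above with a padded or unusually long command line. The event records, the 1024-character length threshold and the 64-character padding threshold are constructed assumptions; tune them to your own telemetry.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 field names);
# not real telemetry. PAD stands in for the padding a malicious .lnk carries.
PAD = " " * 300
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c echo report.pdf' + PAD
                    + "& echo HIDDEN_PLACEHOLDER"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "CommandLine": "cmd.exe /c build.bat" + PAD},
]

INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe"}  # those the article names
SHORTCUT_HOSTS = {"explorer.exe"}   # parent that launches double-clicked .lnk files
MAX_LEN = 1024                      # assumed threshold for a "very long" command line
PADDING_RE = re.compile(r"[ \t\n\r\x0b\x0c\xa0]{64,}")  # assumed padding threshold

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the reasons this event matches the padded-shortcut pattern, or []."""
    if basename(event["ParentImage"]) not in SHORTCUT_HOSTS:
        return []
    if basename(event["Image"]) not in INTERPRETERS:
        return []
    cmd = event["CommandLine"]
    reasons = []
    if len(cmd) > MAX_LEN:
        reasons.append(f"command line is {len(cmd)} chars")
    m = PADDING_RE.search(cmd)
    if m:
        reasons.append(f"{len(m.group())}-char whitespace run hides: {cmd[m.end():][:80]!r}")
    return reasons

def detect(events):
    """Return (index, reasons) for every event that should raise an alert."""
    return [(i, r) for i, e in enumerate(events) if (r := evaluate(e))]

if __name__ == "__main__":
    for i, reasons in detect(EVENTS):
        print(f"ALERT event {i}: {'; '.join(reasons)}")
```

The third event carries padding but is launched by a different parent, so this rule deliberately stays silent on it; a broader rule that ignores the parent will catch more but will need tuning against build tools that pass long command lines.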
These layered defenses transform security from a cost center into a competitive advantage. Businesses that demonstrate strong security posture win contracts, retain customer trust, and avoid the operational disruption that follows a breach.
Frequently Asked Questions
No. As of March 2026, Microsoft has not released a patch for ZDI-CAN-25373. According to BleepingComputer, Microsoft stated the issue "does not meet the bar for immediate servicing" when the vulnerability was reported in September 2024 [3]. No CVE has been assigned. Businesses must rely on the mitigation strategies outlined in this article to protect their environments.
According to Trend Micro's research, the earliest observed exploitation dates back to 2017, meaning the vulnerability has been actively exploited for approximately eight years [1]. Nearly 1,000 malicious .lnk samples leveraging this technique have been identified across campaigns by 11 state-sponsored groups [8].
Traditional signature-based antivirus may miss these files because the .lnk structure itself is technically valid — the malicious content is simply hidden through padding. However, modern EDR and behavioral detection platforms can identify suspicious execution chains triggered by .lnk files, such as shortcuts spawning PowerShell with encoded commands [4][10]. Deploying YARA rules specifically designed to detect excessive whitespace in .lnk command-line arguments provides an additional detection layer [1][2].
According to Trend Micro and SecurityWeek, the primary targets include government agencies, financial institutions, defense contractors, telecommunications providers, energy companies, and policy think tanks [1][6]. However, SMBs in the supply chains of these industries face elevated risk as potential stepping stones for attackers seeking access to larger organizations [9].
Blocking .lnk files at email gateways is strongly recommended — there is rarely a legitimate need to transmit shortcuts via email [4]. Internally, .lnk files serve a functional role on Windows desktops, so a complete ban is impractical. Instead, focus on restricting .lnk execution from high-risk locations (Downloads, Temp, USB drives) through Group Policy and monitoring for anomalous process execution triggered by shortcuts [10].
References
[1] P. Girnus and A. Zahravi, "Trend Analysis: Windows Shortcut Zero-Day Exploit," Trend Micro Research, Mar. 18, 2025. [Online]. Available: https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
[2] Zero Day Initiative, "Abusing Windows .LNK Files," ZDI Blog, Mar. 18, 2025. [Online]. Available: https://www.zerodayinitiative.com/blog/2025/3/18/abusing-windows-lnk-files
[3] B. Toulas, "New Windows zero-day exploited by 11 state hacking groups since 2017," BleepingComputer, Mar. 18, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exploited-by-11-state-hacking-groups-since-2017/
[4] R. Lakshmanan, "Unpatched Windows Zero-Day Flaw Exploited by 11 State-Sponsored Threat Groups Since 2017," The Hacker News, Mar. 18, 2025. [Online]. Available: https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html
[5] N. Nelson, "11 State-Sponsored Groups Exploiting Windows Shortcut Flaw," Dark Reading, Mar. 18, 2025. [Online]. Available: https://www.darkreading.com/vulnerabilities-threats/11-state-sponsored-groups-exploiting-windows-shortcut-flaw
[6] E. Kovacs, "11 State-Sponsored Threat Groups Exploit Unpatched Windows Flaw," SecurityWeek, Mar. 18, 2025. [Online]. Available: https://www.securityweek.com/11-state-sponsored-threat-groups-exploit-unpatched-windows-flaw/
[7] D. Goodin, "Windows shortcut flaw exploited by state hackers from China, Iran, North Korea, Russia," Ars Technica, Mar. 18, 2025. [Online]. Available: https://arstechnica.com/security/2025/03/windows-shortcut-flaw-exploited-by-state-hackers-from-china-iran-north-korea-russia/
[8] SC World, "Nearly 1,000 malicious .lnk files leveraged by state-backed hackers to exploit Windows zero-day," SC World, Mar. 18, 2025. [Online]. Available: https://www.scworld.com/news/nearly-1000-malicious-lnk-files-leveraged-by-state-backed-hackers-to-exploit-windows-zero-day
[9] CyberScoop, "11 nation-state groups exploit unpatched Microsoft zero-day," CyberScoop, Mar. 18, 2025. [Online]. Available: https://cyberscoop.com/11-nation-state-groups-exploit-unpatched-microsoft-zero-day/
[10] Help Net Security, "Windows shortcut exploit ZDI-CAN-25373," Help Net Security, Mar. 18, 2025. [Online]. Available: https://www.helpnetsecurity.com/2025/03/18/windows-shortcut-exploit-zdi-can-25373/
[11] A. Sherr, "This Windows shortcut flaw has been exploited by state-backed hackers for 8 years — and Microsoft still hasn't fixed it," Tom's Guide, Mar. 18, 2025. [Online]. Available: https://www.tomsguide.com/computing/online-security/this-windows-shortcut-flaw-has-been-exploited-by-state-backed-hackers-for-8-years-and-microsoft-still-hasnt-fixed-it
[12] CSO Online, "11 nation-state backed groups have been exploiting a Windows shortcut flaw since 2017," CSO Online, Mar. 18, 2025. [Online]. Available: https://www.csoonline.com/article/3849539/11-nation-state-backed-groups-have-been-exploiting-a-windows-shortcut-flaw-since-2017.html
Building resilient security doesn't have to be overwhelming. Whether you need help auditing your endpoint defenses, configuring email gateway policies, or developing a practical security roadmap for your business, schedule a consultation with our team. We help small and mid-size businesses protect what they've built — with clear, actionable strategies that match your budget and risk profile.
ELI10: The Windows Shortcut Trick Hackers Have Used for 8 Years
TL;DR
- Hackers found a way to hide dangerous commands inside normal-looking Windows shortcuts (.lnk files) using invisible spacing characters.
- 11 government-backed hacking groups from four different countries have used this trick since 2017.
- Microsoft decided not to fix it, so you need to protect yourself with a few smart steps.
What Happened?
You know those shortcut icons on your Windows desktop — the ones with the little arrow in the corner? They're called .lnk files, and they're supposed to just open a program or folder when you click them.
Security researchers Peter Girnus and Aliakbar Zahravi at Trend Micro discovered that hackers figured out a sneaky trick with these shortcuts [1]. They stuff hundreds of invisible blank spaces into the shortcut's instructions. After all those spaces, they hide commands that do bad things — like downloading spyware or stealing your files.
When you right-click the shortcut and check where it points, you only see the normal-looking part. The dangerous commands are pushed so far to the right by all those invisible spaces that you'd never see them, no matter how carefully you look [2].
According to Trend Micro, researchers found almost 1,000 of these booby-trapped shortcut files in the wild [1]. According to BleepingComputer, 11 different government-backed hacking groups from North Korea, Russia, Iran, and China have been using this exact trick since at least 2017 — that's eight years [3].
Why Hasn't It Been Fixed?
Here's the frustrating part. Trend Micro reported this problem to Microsoft in September 2024. According to BleepingComputer, Microsoft said the issue "does not meet the bar for immediate servicing" [3]. In plain language: Microsoft decided it wasn't serious enough to fix right away.
Many security experts disagree with that decision. According to Ars Technica, when the whole point of a feature is to let you check what a shortcut does before you run it, hiding the real commands from that check is a real security problem [7].
What Were the Hackers After?
According to Trend Micro, about 70% of these attacks were about spying — stealing government secrets, military plans, and business information [1]. Another 20% were about stealing money, especially cryptocurrency [1].
The main targets were government agencies, banks, defense companies, energy companies, and phone companies [5]. But smaller businesses that work with these industries can also be at risk, since hackers sometimes break into a small company first to reach a bigger one [9].
How Can You Stay Safe?
The good news: you can protect your business with a few practical steps.
Block .lnk files in email. Set up your email system to catch and quarantine any shortcut files. There's almost never a good reason to email someone a shortcut [4].
Use modern security software. Endpoint detection tools (like Microsoft Defender for Endpoint, CrowdStrike, or SentinelOne) can spot when a shortcut tries to do something suspicious, even if the shortcut itself looks normal [10].
Be cautious with shortcuts from outside sources. If someone sends you a shortcut file or you find one on a USB drive, don't double-click it. Verify with the sender first using a different communication method [3].
Keep your systems updated. Even though this specific flaw isn't patched, staying current with all other Windows updates strengthens your overall defenses [4].
These steps turn your security awareness into a real advantage — protecting what you've built and keeping your business running smoothly.
References
[1] P. Girnus and A. Zahravi, "Windows Shortcut Zero-Day Exploit," Trend Micro Research, Mar. 18, 2025. [Online]. Available: https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
[2] Zero Day Initiative, "Abusing Windows .LNK Files," ZDI Blog, Mar. 18, 2025. [Online]. Available: https://www.zerodayinitiative.com/blog/2025/3/18/abusing-windows-lnk-files
[3] B. Toulas, "New Windows zero-day exploited by 11 state hacking groups since 2017," BleepingComputer, Mar. 18, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exploited-by-11-state-hacking-groups-since-2017/
[4] R. Lakshmanan, "Unpatched Windows Zero-Day Flaw," The Hacker News, Mar. 18, 2025. [Online]. Available: https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html
[5] N. Nelson, "11 State-Sponsored Groups Exploiting Windows Shortcut Flaw," Dark Reading, Mar. 18, 2025. [Online]. Available: https://www.darkreading.com/vulnerabilities-threats/11-state-sponsored-groups-exploiting-windows-shortcut-flaw
[7] D. Goodin, "Windows shortcut flaw exploited by state hackers," Ars Technica, Mar. 18, 2025. [Online]. Available: https://arstechnica.com/security/2025/03/windows-shortcut-flaw-exploited-by-state-hackers-from-china-iran-north-korea-russia/
[9] CyberScoop, "11 nation-state groups exploit unpatched Microsoft zero-day," CyberScoop, Mar. 18, 2025. [Online]. Available: https://cyberscoop.com/11-nation-state-groups-exploit-unpatched-microsoft-zero-day/
[10] Help Net Security, "Windows shortcut exploit ZDI-CAN-25373," Help Net Security, Mar. 18, 2025. [Online]. Available: https://www.helpnetsecurity.com/2025/03/18/windows-shortcut-exploit-zdi-can-25373/
Want help making sure your business is protected? Talk to our team — we help small businesses build practical, affordable security that protects what you've built.