8-Year Old Windows Shortcut Zero-Day Exploited by 11 State-Sponsored Hacker Groups

ID: 0b08991c-a798-550f-8086-23ee6093b0d2

STIX ID: report--0b08991c-a798-550f-8086-23ee6093b0d2

Feed Name: cybersecurityNews.com

Threat Score
80/100

Date Published: 2025-03-18

Date Updated: 2026-04-21

Author: Guru Baran

Researchers (Trend Micro) report that a long-exploited Windows shortcut vulnerability (ZDI-CAN-25373) lets attackers hide and execute malicious commands by padding the COMMAND_LINE_ARGUMENTS in .lnk files with whitespace. The technique has been used since 2017 by at least 11 state-sponsored groups — notably North Korean actors — in espionage and data-theft campaigns, with nearly 1,000 malicious .lnk files observed across government, finance, telecommunications and other sectors; Microsoft classifies the issue as low severity and will not patch, so defenders are advised to hunt for suspicious .lnk files and apply mitigations.
