A stealthy threat hiding in plain sight has become a weapon of choice for some of the most dangerous nation-state hackers on the planet — and Microsoft’s response is raising eyebrows.
According to researchers at Trend Micro's Zero Day Initiative (ZDI), a long-standing and widely abused vulnerability in Microsoft Windows is being actively exploited by hacking groups tied to North Korea, China, Russia, and Iran. The bug, which affects Windows shortcut (.lnk) files, has been exploited in the wild since at least 2017, yet Microsoft has not patched it.
ZDI tracks the flaw as ZDI-CAN-25373. It has not been assigned a CVE identifier, but its implications are serious. This is not a memory-corruption bug but a user-interface misrepresentation: a shortcut (shell link) file stores the command-line arguments that Windows passes to the target program, and the Target field in the file's Properties dialog shows only a limited number of characters. An attacker who pads those arguments with whitespace (spaces, tabs, line feeds, carriage returns) pushes the real command out of view, so a user who inspects the shortcut sees only an innocuous program path, while the hidden arguments still run when the shortcut is opened.
A Perfect Disguise for Cyber Espionage
Malicious .lnk files have become a favored initial-access method for state-sponsored actors. The danger lies in their invisibility: Windows Explorer never displays the .lnk extension of a shortcut, even when the option to hide extensions for known file types is turned off, so victims see only a familiar icon, often styled to look like a PDF or other harmless document, and a filename that appears to end in a trusted extension.
“Hackers often modify the shortcut’s icon to resemble safe files and append misleading extensions like .pdf.lnk,” ZDI researchers explained. “The typical shortcut arrow is retained, but the file appears authentic enough to fool even experienced users.”
Behind that click? Surveillance, data theft, or malware deployment — and once it starts, most victims never know what hit them.
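To make the display trick concrete, here is an added Python example (not code from the article, from ZDI, or from Microsoft) that parses the MS-SHLLINK structure directly, pulls out the shortcut's command-line arguments, and flags the whitespace padding that keeps the real command out of the Properties dialog. The two sample shortcuts are constructed inside the script, the padding threshold and the list of document extensions are an assumed detection policy rather than ZDI's, and the paths in the samples are placeholders.

```python
"""Parse a Windows shortcut (MS-SHLLINK) and flag whitespace-padded command-line arguments,
the display trick behind ZDI-CAN-25373. Added example, not code from the article or from ZDI."""
import struct
from typing import Optional

# LinkFlags bits and header constants are taken from the MS-SHLLINK specification.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))  # StringData order is fixed by the spec

# Assumed detection policy (ours, not ZDI's): characters that can serve as padding, the leading
# run length we treat as padding, and document extensions that should not precede a hidden .lnk.
PADDING_CHARS = " \t\r\n\x0b\x0c"
PADDING_THRESHOLD = 16
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png")


def parse_lnk(data: bytes) -> dict:
    """Walk ShellLinkHeader -> LinkTargetIDList -> LinkInfo -> StringData and return the strings."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a shell link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize excludes its own two bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes its own four bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    link = {"flags": flags, **{attr: None for _, attr in STRING_FIELDS}}
    for bit, attr in STRING_FIELDS:
        if not flags & bit:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated StringData")
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters; no terminator follows
        raw = data[pos + 2:pos + 2 + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        link[attr] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
        pos += 2 + len(raw)
    return link


def analyze_arguments(args: Optional[str]) -> dict:
    """Measure the leading whitespace run and any embedded control whitespace in the arguments."""
    args = args or ""
    hidden = args.lstrip(PADDING_CHARS)
    padding = len(args) - len(hidden)
    control = sum(args.count(c) for c in "\t\r\n\x0b\x0c")
    return {"padding": padding, "control_chars": control, "hidden_command": hidden,
            "padded": padding >= PADDING_THRESHOLD or control > 0}


def disguised_name(filename: str) -> bool:
    """True for names like report.pdf.lnk: a document extension in front of the hidden .lnk."""
    lower = filename.lower()
    return lower.endswith(".lnk") and lower[:-4].endswith(DOC_EXTENSIONS)


def scan(filename: str, data: bytes) -> dict:
    """One verdict per shortcut: padded arguments or a disguised name marks it suspicious."""
    link = parse_lnk(data)
    verdict = analyze_arguments(link["arguments"])
    verdict["disguised_name"] = disguised_name(filename)
    verdict["target"] = link["relative_path"]
    verdict["suspicious"] = verdict["padded"] or verdict["disguised_name"]
    return verdict


def build_lnk(relative_path: str, working_dir: str, arguments: str, icon_location: str) -> bytes:
    """Assemble a minimal, well-formed Unicode .lnk so the parser can be exercised offline."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR
             | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, SHELL_LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0)  # ShowCommand 7 = SW_SHOWMINNOACTIVE
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDList holding only the TerminalID
    link_info = struct.pack("<7I", 28, 28, 0, 0, 0, 0, 0)  # LinkInfo header with no path data

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return (header + id_list + link_info + string_data(relative_path) + string_data(working_dir)
            + string_data(arguments) + string_data(icon_location))


# Constructed samples, not real captures. Eight tabs, 300 spaces and a CRLF push the real
# command so far to the right that the Properties dialog's Target field shows only cmd.exe.
SAMPLE_ARGUMENTS = "\t" * 8 + " " * 300 + "\r\n" + "/c calc.exe"
SAMPLE_LNK = build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32",
                       SAMPLE_ARGUMENTS, "%SystemRoot%\\System32\\shell32.dll")
BENIGN_LNK = build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32",
                       "/c echo hello", "%SystemRoot%\\System32\\cmd.exe")

if __name__ == "__main__":
    for name, blob in (("Q1_report.pdf.lnk", SAMPLE_LNK), ("Command Prompt.lnk", BENIGN_LNK)):
        print(name, scan(name, blob))
```

Running the script scans the two constructed shortcuts: the padded one reports 310 characters of leading whitespace, ten control characters, and a hidden command of `/c calc.exe`, while the benign one reports none. The parser works on any host and needs no Windows COM access; the same `arguments` string is what a Windows administrator would see by reading the `Arguments` property of a `WScript.Shell` shortcut object, with the padding intact. `PADDING_THRESHOLD` is a tunable guess, but a tab, carriage return or line feed inside a command line has no legitimate purpose, which is why the check fires on any control whitespace regardless of run length.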
Almost 1,000 Known Samples — And Rising
ZDI's hunt uncovered nearly 1,000 distinct malicious .lnk samples exploiting this bug, and the researchers estimate the true number of deployments to be far higher, given that the technique is in use by 11 state-sponsored groups.
These include some of the most notorious cyber units in operation today: North Korea’s Kimsuky and APT37, Russian espionage crews, Chinese cyber forces, and groups linked to the Iranian state. Even the Russian-linked cybercriminal gang Evil Corp has leveraged the vulnerability to spread the Raspberry Robin malware.
More than 70% of observed attacks were aimed at espionage, information gathering, or surveillance. Financially motivated campaigns accounted for just 20% — underscoring the geopolitical nature of this threat.
U.S. in the Crosshairs
ZDI’s data shows the majority of victims — over 300 — are based in the United States, with other targets located in Canada, Brazil, South Korea, Vietnam, and even Russia. These campaigns focus on sensitive verticals like government agencies, defense contractors, telecommunications, cryptocurrency platforms, and think tanks — precisely the sectors where a quiet breach could yield long-term strategic advantage.
Even more chilling is ZDI’s warning of cross-collaboration among North Korean cyber units. Tool sharing, tactic exchange, and operational alignment across groups like APT37 suggest an increasingly professionalized and unified digital offensive strategy.
Microsoft Shrugs It Off
Despite being handed a working proof-of-concept exploit, Microsoft declined to issue a fix. The company classified the vulnerability as low severity, saying it did not meet the bar for immediate servicing under its severity guidelines, though it might be addressed in a future feature release.
In statements to Recorded Future News, a Microsoft spokesperson said that Microsoft Defender already has detections in place for this activity and that Smart App Control blocks malicious files downloaded from the internet. Researchers counter that detecting known samples is not the same as fixing the display behavior that lets a padded shortcut pass a user's inspection, and that targeted campaigns using fresh samples can slip past such protections before they react.
Even more frustrating: Microsoft's own guidance acknowledges that shortcut files from the internet are risky and advises users to exercise caution with files from unknown sources. That advice is a far cry from patching the root problem.
Zero-Days and the Rise of Silent Warfare
ZDI sees this as part of a troubling trend: state-backed hackers exploiting zero-day vulnerabilities, flaws for which the vendor has shipped no patch and which are often unknown to it, to infiltrate critical systems.
“These vulnerabilities present substantial risks,” the researchers warned, “as they target flaws that remain unknown to software vendors and lack corresponding security patches, thereby leaving governments and organizations vulnerable to exploitation.”
As global tensions escalate and digital espionage becomes a battlefield, groups with deep resources and state backing are investing more in these attacks. And when companies like Microsoft don’t respond with urgency, the risk compounds.
The writing is on the wall — or in this case, hidden behind a poisoned shortcut. And while Microsoft debates what qualifies as “severe,” the rest of the world remains exposed.

This is wild, John. I would think that Microsoft would want any and all bugs fixed. I don’t understand why they would allow this to continue.
Thanks for keeping us in the loop. It’s another sign that caution is thrown to the wind in many instances in our world today.
Exactly, Chris — you’d think a company like Microsoft would treat any vulnerability seriously, especially one being exploited by multiple state-backed groups. But when convenience, cost, or PR is prioritized over real security, this is what we get. You’re right — caution is too often replaced with silence. Appreciate you staying alert and tuned in. 😎