Zero-Day Vulnerability in Windows Shortcuts

10 July 2025

In March 2025, a critical vulnerability in Microsoft Windows became publicly known: ZDI-CAN-25373 affects .lnk files – also known as Windows shortcuts. The identifier was assigned by the Zero Day Initiative (ZDI), a program dedicated to reporting and coordinating security vulnerabilities.

Due to a discrepancy between the official Microsoft specification (MS-SHLLINK v8.0) and its actual implementation in Windows Explorer, .lnk files can be manipulated in such a way that invisible shell commands are executed when opened – without any user interaction.

Technical Details on the .lnk Vulnerability

The flawed parsing behavior allows attackers to conceal shell commands by inserting numerous spaces into the argument field. These commands remain invisible in Windows Explorer but are silently executed when the shortcut is opened – making them ideal for espionage, data theft, or persistent malware installation.

Particularly critical: Exploiting the vulnerability does not require admin privileges or advanced exploits. It works by simply placing manipulated .lnk files on the system – for example, in ZIP archives, on network drives, or USB sticks – which makes it especially dangerous. Detection is also difficult with traditional antivirus solutions, as .lnk files are not inherently considered malicious.

In the Wild: XDigo Campaign by APT Group XDSpy

The first publicly documented exploitation of this vulnerability was observed by IKARUS partner HarfangLab. The group XDSpy, active for over a decade, is using a new implant called XDigo in a recent espionage campaign.

The infection chain includes:

  1. An initial ZIP archive containing a second, embedded ZIP file
  2. A decoy PDF, a legitimate but renamed executable (EXE), and a malicious DLL
  3. DLL sideloading via the EXE → launching ETDownloader
  4. XDigo, a Go-based implant, is downloaded and installed for data collection and persistence

The campaign primarily targets government agencies in Eastern Europe, with a particular focus on Moldova and Russia.

Detecting and Preventing Attacks via .lnk Files

Since Microsoft has not released a patch, proactive mitigation measures on the organizational side are essential:

  • Block .lnk files from untrusted sources at email gateways (e.g., using the attachment filter in IKARUS mail.security)
  • Prevent execution of .lnk files from external media (USB drives, network shares) via Group Policies or Software Restriction Policies (SRP)
  • Educate users about the risks of Windows shortcuts embedded in ZIP archives
  • Configure your EDR/EPP systems (e.g., HarfangLab Guard feat.IKARUS) with behavioral rules (e.g., alerting on cmd.exe or powershell.exe launched via .lnk)
  • Perform threat hunting focused on .lnk files with suspicious or irregular argument structures
  • Use YARA rules and IOCs to identify artifacts related to the XDigo malware
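
As an added example for the threat-hunting item above (not code from IKARUS, HarfangLab or Microsoft), the following Python walks the MS-SHLLINK layout far enough to pull out COMMAND_LINE_ARGUMENTS and flags argument fields padded with long whitespace runs. The 32-character threshold is an assumed heuristic, and the shortcut bytes are constructed in memory rather than taken from a real sample.

```python
import re
import struct

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)


def parse_lnk_arguments(data: bytes):
    """Walk a .lnk to its StringData and return COMMAND_LINE_ARGUMENTS (None if absent)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLinkHeader")
    flags = struct.unpack_from("<I", data, 20)[0]  # LinkFlags follows HeaderSize + LinkCLSID
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16) does not count itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) covers the whole LinkInfo structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    args = None
    for flag in STRING_DATA_ORDER:  # each present string: CountCharacters (u16) + characters
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        text = data[pos + 2 : pos + 2 + count * width].decode(enc)
        pos += 2 + count * width
        if flag == HAS_ARGUMENTS:
            args = text
    return args


def has_padded_arguments(args, threshold: int = 32) -> bool:
    """Assumed heuristic: a long whitespace run pushes the real arguments out of the visible field."""
    if not args:
        return False
    return re.search(r"\s{%d,}" % threshold, args) is not None and args.strip() != ""


def build_sample_lnk(args: str) -> bytes:
    """Constructed fixture: a minimal Unicode shortcut with an empty IDList and the given arguments."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # TerminalID only
    return header + id_list + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Real shortcuts usually also carry LinkInfo and ExtraData blocks; the walker skips LinkInfo by its declared size and stops after StringData, which is all this check needs.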

A detailed technical analysis along with matching Indicators of Compromise (IOCs) and YARA rules is available here: https://harfanglab.io/insidethelab/sadfuture-xdspy-latest-evolution.


Sources:
https://thehackernews.com/2025/06/xdigo-malware-exploits-windows-lnk-flaw.html
https://harfanglab.io/insidethelab/sadfuture-xdspy-latest-evolution
