A critical vulnerability in Windows LNK files, designated ZDI-CAN-25373, has been exploited by cyberespionage groups globally for executing hidden commands. This vulnerability allows attackers to use whitespace padding to obscure malicious PowerShell scripts in shortcut files, posing a significant threat to data security.
Technical Exploit Details
Attackers utilize LNK files with diplomatic-themed names to remotely execute concealed PowerShell commands. These commands decode embedded TAR archives within the shortcut files, which contain three key components loaded via DLL sideloading. The components include a signed Canon utility (cnmpaui.exe), a malicious loader DLL (cnmpaui.dll), and an RC4-encrypted payload (cnmplog.dat), which constitutes a remote access trojan.
The DLL search order in Windows allows the signed executable to load the malicious DLL. The payload is decrypted using a hardcoded 16-byte RC4 key, enabling it to execute within a trusted process, even with an expired certificate timestamped as valid. The command-and-control infrastructure uses domains such as racineupci[.]org and dorareco[.]net.
Recommendations and Mitigations
Mitigation strategies include disabling automatic LNK file resolution, blocking known command-and-control domains at network edges, and monitoring execution of Canon utilities from unexpected directories. Enhanced surveillance is necessary for potential targets, including government and diplomatic entities, as this vulnerability remains unpatched by Microsoft as of 2025-10-31.
Security experts recommend proactive threat hunting and vigilant monitoring of LNK file activities to prevent exploitation and data leaks.
