
Two Windows vulnerabilities — one a zero-day that has been known to attackers since 2017 and the other a critical flaw that Microsoft initially tried and recently failed to patch — are being actively exploited in widespread attacks that target a portion of the Internet, researchers say.
The zero-day remained undiscovered until March, when security firm Trend Micro said it had been actively exploited by as many as eleven separate advanced persistent threat (APT) groups since 2017. These groups, often with ties to nation states, ruthlessly attack specific individuals or interest groups. Trend Micro further said that the groups exploited the vulnerability, which was tracked at the time as ZDI-CAN-25373, to install several known post-exploitation payloads on infrastructure in nearly 60 countries, with the US, Canada, Russia and Korea being the most common.
A large-scale, coordinated operation
Seven months later, Microsoft has still not fixed the vulnerability, which stems from how Windows handles the Shortcut (.lnk) binary format. The Windows component makes opening apps or files easier and faster by allowing a single binary file to call them up without having to navigate to their locations. The flaw is one of UI misrepresentation rather than memory corruption: a shortcut's command-line arguments field can be padded with large runs of whitespace so that the Properties dialog shows nothing but the benign-looking target, while the real command hidden after the padding still runs when the file is opened. Microsoft initially declined to service the issue when Trend Micro reported it. In recent months, the tracking designation ZDI-CAN-25373 has been changed to CVE-2025-9491.
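To make the padding trick concrete, the following is an added example written for this page; it is not code from Trend Micro, Arctic Wolf or Microsoft, and it is not a sample from any campaign. It parses the ShellLink header and StringData section laid out in the MS-SHLLINK specification, pulls out COMMAND_LINE_ARGUMENTS, and flags argument strings whose command sits behind a long whitespace run. The `max_pad_run` threshold, the `build_lnk` helper and both sample shortcuts are assumptions constructed here so the parser can run offline; a real triage script would read `.lnk` files from disk or from mail attachments instead.

```python
"""Parse a Windows .LNK (MS-SHLLINK) file and flag whitespace-padded
COMMAND_LINE_ARGUMENTS of the kind abused in the ZDI-CAN-25373 /
CVE-2025-9491 campaigns. Example code for this page, not vendor code."""
import struct

# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from MS-SHLLINK 2.1.1 (low byte only, the rest is unused here)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# Whitespace the padding technique relies on; the Properties dialog renders none of it
PAD_CHARS = " \t\n\x0b\x0c\r"

# StringData entries appear in this fixed order when their flag is set
STRING_DATA = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
               ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
               ("icon_location", HAS_ICON))


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a ShellLink blob."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C                                   # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: u16 size + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: u32 size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    for name, bit in STRING_DATA:                # u16 CountCharacters + unterminated chars
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:                                    # ANSI strings use the system code page; cp1252 assumed
            fields[name] = data[off:off + count].decode("cp1252")
            off += count
    return fields


def assess_arguments(args: str, max_pad_run: int = 16) -> dict:
    """Flag argument strings whose real command hides behind a whitespace run.
    max_pad_run is an assumed threshold, not a figure from any vendor report."""
    longest = run = 0
    for ch in args:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    return {
        "longest_pad_run": longest,
        "hidden_command": args.strip(PAD_CHARS),   # what actually executes
        "suspicious": longest >= max_pad_run,
    }


def build_lnk(arguments: str,
              relative_path: str = r"..\..\Windows\System32\cmd.exe") -> bytes:
    """Construct a minimal shortcut so the parser can be exercised offline (assumed helper)."""
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDList holding only the TerminalID

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    terminal_block = b"\x00\x00\x00\x00"          # ExtraData TerminalBlock
    return header + id_list + string_data(relative_path) + string_data(arguments) + terminal_block


# Constructed samples for this example, not files recovered from any attack
BENIGN_LNK = build_lnk("/c echo hello")
PADDED_LNK = build_lnk(" " * 300 + "/c calc.exe")  # harmless placeholder command after the padding

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, assess_arguments(parse_lnk(blob)["arguments"]))
```

The check keys on the longest whitespace run rather than on the total count because ordinary command lines contain single spaces between tokens; a run of dozens of spaces, tabs or line feeds has no legitimate purpose in an argument string and is the signature the campaigns relied on. In practice the same logic belongs in mail-gateway or EDR file inspection, where the `hidden_command` value is what an analyst wants to see, since the shortcut's own Properties dialog will not show it.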
On Thursday, security firm Arctic Wolf reported that it had spotted a China-linked threat group, tracked as UNC6384, exploiting CVE-2025-9491 in attacks on diplomatic entities in several European countries. The final payload is a well-known remote access trojan, PlugX. To better conceal the malware, the attack chain keeps the PlugX binary RC4-encrypted until the final stage, when it is decrypted and loaded.
“The scope of targeting of multiple European countries within a reduced time frame suggests either a large-scale coordinated intelligence collection operation or the deployment of multiple parallel operational teams with shared tools but independent targeting,” Arctic Wolf said. “The consistency in tradecraft across disparate targets indicates centralized tool development and operational safety standards, even when execution is distributed across multiple teams.”