Two Windows security flaws, one being a 0-day, are currently being exploited.

by admin

Two vulnerabilities in Windows—one a zero-day that has been on attackers’ radar since 2017, and the other a serious flaw that Microsoft recently attempted but failed to fix—are currently being exploited in extensive attacks affecting a wide range of Internet-connected targets, according to researchers.

The zero-day remained undiscovered until March, when the security company Trend Micro reported that it had been actively exploited since 2017 by at least 11 distinct advanced persistent threat (APT) groups. These APT groups, often linked to nation-states, persistently attack particular individuals or organizations of significance. Trend Micro further indicated that the groups were leveraging the vulnerability, then tracked as ZDI-CAN-25373, to deploy various known post-exploitation payloads on systems located in almost 60 countries, with the US, Canada, Russia, and Korea being the most frequently targeted.

A large-scale, coordinated operation

Seven months later, Microsoft has yet to address the vulnerability, which originates from a flaw in the Windows Shortcut binary format. This Windows component simplifies opening applications or accessing files by allowing a single shortcut file to launch them without the user navigating to their actual locations. The designation ZDI-CAN-25373 has since been replaced by CVE-2025-9491.
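Because a shortcut file is a small binary that names a target and the arguments to pass it, a defender's first triage step is usually to read those fields out of the file rather than trust the icon and name Explorer shows. The following Python script is an added example, not code from the article or from any of the vendors it cites: it parses the fixed Shell Link header and the StringData section (layout per Microsoft's MS-SHLLINK specification), builds two constructed sample shortcuts in memory so it runs offline, and applies simple review heuristics. The thresholds, the interpreter list and the sample contents are assumptions chosen for illustration and say nothing about how CVE-2025-9491 itself is triggered.

```python
import struct

# Constants from the MS-SHLLINK layout of the ShellLinkHeader.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

FLAG_HAS_LINK_TARGET_ID_LIST = 1 << 0
FLAG_HAS_LINK_INFO = 1 << 1
FLAG_HAS_NAME = 1 << 2
FLAG_HAS_RELATIVE_PATH = 1 << 3
FLAG_HAS_WORKING_DIR = 1 << 4
FLAG_HAS_ARGUMENTS = 1 << 5
FLAG_HAS_ICON_LOCATION = 1 << 6
FLAG_IS_UNICODE = 1 << 7

# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    ("name", FLAG_HAS_NAME),
    ("relative_path", FLAG_HAS_RELATIVE_PATH),
    ("working_dir", FLAG_HAS_WORKING_DIR),
    ("arguments", FLAG_HAS_ARGUMENTS),
    ("icon_location", FLAG_HAS_ICON_LOCATION),
)

# Constructed triage assumptions (not from the article): what an analyst might flag on sight.
MAX_SANE_ARGUMENT_LENGTH = 260
INTERPRETERS = ("cmd.exe", "powershell.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe")


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip the optional IDList/LinkInfo blocks, decode StringData."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a Shell Link header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = LNK_HEADER_SIZE
    if flags & FLAG_HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)  # size excludes the 2-byte size field
        pos += 2 + id_list_size
    if flags & FLAG_HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)  # size includes the size field
        pos += link_info_size
    is_unicode = bool(flags & FLAG_IS_UNICODE)
    width = 2 if is_unicode else 1
    record = {"flags": flags}
    for field, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated StringData field: {field}")
        pos += count * width
        record[field] = raw.decode("utf-16-le") if is_unicode else raw.decode("cp1252", errors="replace")
    return record


def triage_lnk(record: dict) -> list:
    """Return human-readable findings for a parsed shortcut; empty list means nothing flagged."""
    findings = []
    target = record.get("relative_path", "").lower()
    args = record.get("arguments", "")
    if any(target.endswith(name) for name in INTERPRETERS):
        findings.append(f"target is a script/command interpreter: {target}")
    if len(args) > MAX_SANE_ARGUMENT_LENGTH:
        findings.append(f"arguments unusually long ({len(args)} chars)")
    if any(ord(c) < 0x20 for c in args):
        findings.append("arguments contain control characters")
    return findings


def build_lnk(name: str, relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode Shell Link carrying only StringData (sample input, not a real file)."""
    flags = FLAG_HAS_NAME | FLAG_HAS_RELATIVE_PATH | FLAG_HAS_ARGUMENTS | FLAG_IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3.
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (name, relative_path, arguments))
    return header + body


if __name__ == "__main__":
    samples = {
        "benign": build_lnk("Quarterly report", ".\\report.pdf", ""),
        "suspicious": build_lnk("Quarterly report.pdf",
                                "..\\..\\Windows\\System32\\cmd.exe", "/c " + "x" * 300),
    }
    for label, blob in samples.items():
        rec = parse_lnk(blob)
        print(label, "->", rec.get("relative_path"), triage_lnk(rec) or "no findings")
```

The parser deliberately reads only what it needs: real shortcuts also carry an IDList, LinkInfo and ExtraData blocks, and the script skips the first two by their declared sizes and ignores what follows the last string. On a real sample, feed the bytes of a `.lnk` file to `parse_lnk` and review the returned `relative_path` and `arguments` directly; the findings list is a starting point for an analyst, not a verdict.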

On Thursday, security company Arctic Wolf reported observing a China-aligned threat group, tracked as UNC-6384, exploiting CVE-2025-9491 in attacks aimed at various European nations. The final payload is a widely used remote access trojan known as PlugX. To better hide the malware, the exploit keeps the payload RC4-encrypted until the final phase of the attack.

“The wide-ranging targeting across numerous European nations within a short timeframe implies either a large-scale coordinated intelligence collection effort or the deployment of multiple parallel operational teams using shared tools but targeting independently,” Arctic Wolf stated. “The consistency in tradecraft across diverse targets suggests centralized tool development and operational security protocols even if execution is spread across multiple teams.”
