Two Windows vulnerabilities—one a zero-day known to attackers since 2017, and the other a critical bug that Microsoft recently tried but failed to fix—are being actively exploited in widespread attacks spanning the entire Internet, researchers say.
The zero-day remained undetected until March, when security company Trend Micro said it had been actively exploited by as many as 11 separate advanced persistent threat (APT) groups since 2017. These APT groups, often with ties to nation states, relentlessly target specific individuals or interest groups. Trend Micro further reported that the groups exploited the vulnerability, then tracked as ZDI-CAN-25373, to install various known post-exploitation payloads on infrastructure located in nearly 60 countries, the most common being the United States, Canada, Russia and Korea.
Large-scale and coordinated operation
Seven months later, Microsoft still has not fixed the vulnerability, which is caused by a bug in the Windows shortcut binary format. The Windows shortcut feature makes it easier and faster to open applications or access files: a single binary file points to the target, so the user does not have to navigate to its location. In recent months, the tracking designation ZDI-CAN-25373 has been changed to CVE-2025-9491.
On Thursday, security firm Arctic Wolf said it had spotted a China-linked threat group, tracked as UNC-6384, using CVE-2025-9491 in attacks on various European countries. The latest payload is a widely used remote access Trojan known as PlugX. To better hide the malware, the exploit keeps the binary encrypted with RC4 until the final stage of the attack.
“The breadth of attacks on multiple European countries in a compressed time frame suggests either a large-scale coordinated intelligence-gathering operation or the deployment of multiple parallel task forces with common tools but independent objectives,” Arctic Wolf said. “Consistency across disparate goals points to centralized tool development and operational security standards, even when execution is distributed across multiple teams.”