Critical Windows Flaws Under Active Exploitation in Global Attacks
A pair of significant Windows vulnerabilities – including a zero-day exploited since 2017 – are being actively targeted in widespread attacks impacting systems across the globe, security researchers warn. The ongoing exploitation underscores the persistent threat posed by sophisticated attackers and the challenges of maintaining robust cybersecurity defenses.
A zero-day vulnerability, by definition, is a flaw unknown to the vendor, leaving systems exposed until a patch can be developed and deployed. This particular zero-day remained undetected until March, when Trend Micro reported it had been exploited for years by as many as 11 distinct advanced persistent threat (APT) groups. These groups, often linked to nation-states, focus on targeted attacks against specific individuals or organizations. According to Trend Micro, the vulnerability – initially tracked as ZDI-CAN-25373 – has been used to install malicious software on infrastructure in nearly 60 countries, with the United States, Canada, Russia, and Korea being the most frequently affected.
Unpatched Vulnerability Remains a Risk
Despite being alerted to the issue, Microsoft has yet to release a patch for the underlying vulnerability, which resides within the Windows Shortcut binary format. This component is designed to streamline application access by allowing a single file to launch programs without requiring users to navigate through complex directory structures. The tracking designation for this flaw has recently been updated to CVE-2025-9491.
The delay in patching has created a window of opportunity for attackers. On Thursday, July 18, 2024, the security firm Arctic Wolf reported observing a China-aligned threat group, identified as UNC-6384, actively exploiting CVE-2025-9491 in attacks targeting multiple European nations. The attackers are deploying PlugX, a widely used remote access trojan (RAT), as their final payload.
Sophisticated Tactics to Evade Detection
To further conceal the malicious activity, the exploit uses encryption, keeping the binary payload RC4-encrypted until the final stage of the attack. “The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting,” Arctic Wolf stated in its report. “The consistency in tradecraft across disparate targets indicates centralized tool development and operational security standards even if execution is distributed across multiple teams.”
This level of coordination and sophistication suggests a well-resourced and strategically focused operation. The continued exploitation of these Windows vulnerabilities highlights the critical need for proactive threat detection, robust security practices, and swift patch deployment by both vendors and end-users alike.
