Critical Windows Vulnerabilities Exploited in Widespread Cyber Attacks

This article was generated by AI and cites original sources.

Recent reports from security researchers have revealed that two critical Windows vulnerabilities are currently being exploited in widespread cyber attacks across the globe. One of these vulnerabilities, known as a zero-day, has been targeted by attackers since 2017. Security firm Trend Micro discovered this zero-day in March, noting that it has been exploited by multiple advanced persistent threats (APTs) linked to nation-states. The attacks have targeted infrastructure in nearly 60 countries, with a focus on regions like the US, Canada, Russia, and Korea.

Despite the zero-day having been known for several years, Microsoft has yet to release a patch for it. The vulnerability stems from a bug in the Windows Shortcut (.lnk) binary format, which speeds up access to apps and files by letting a single binary file invoke them directly. The zero-day, tracked as CVE-2025-9491, remains unpatched, leaving systems exposed to exploitation.

More recently, security firm Arctic Wolf reported that a China-aligned threat group, tracked as UNC-6384, has been leveraging CVE-2025-9491 to deploy the PlugX remote access trojan in attacks against European nations. In the reported attack chain, the malware is kept RC4-encrypted until the final stages of the intrusion, which helps it evade detection.

The coordinated nature of these attacks, targeting multiple European countries within a short timeframe, indicates a sophisticated and potentially large-scale intelligence collection operation or the deployment of several independent operational teams sharing similar tools and tactics.

Source: Ars Technica