Two Windows vulnerabilities, one a 0-day, are under active exploitation
"Two Windows vulnerabilities, one a zero-day that has been known to attackers since 2017 and the other a critical flaw that Microsoft initially tried and failed to patch recently, are under active exploitation in widespread attacks targeting a swath of the Internet, researchers say. The zero-day went undiscovered until March, when security firm Trend Micro said it had been under active exploitation since 2017, by as many as 11 separate advanced persistent threats (APTs)."
"On Thursday, security firm Arctic Wolf reported that it observed a China-aligned threat group, tracked as UNC-6384, exploiting CVE-2025-9491 in attacks against various European nations. The final payload is a widely used remote access trojan known as PlugX. To better conceal the malware, the exploit keeps the binary file encrypted in the RC4 format until the final step in the attack."
"Seven months later, Microsoft still hasn't patched the vulnerability, which stems from a bug in the Windows Shortcut binary format. The Windows component makes opening apps or accessing files easier and faster by allowing a single binary file to invoke them without having to navigate to their locations. In recent months, the ZDI-CAN-25373 tracking designation has been changed to CVE-2025-9491."
Two distinct Windows flaws are being actively exploited across the Internet: a zero-day in use since 2017 and a critical vulnerability that Microsoft recently tried and failed to patch. The zero-day, originally tracked as ZDI-CAN-25373 and now assigned CVE-2025-9491, has been exploited by as many as 11 separate APT groups to install post-exploitation payloads on infrastructure in nearly 60 countries, with notable activity in the US, Canada, Russia, and Korea. The vulnerability stems from a bug in the Windows Shortcut binary format and remains unpatched seven months after disclosure. Arctic Wolf observed a China-aligned group, UNC-6384, using the flaw against European targets to deliver the PlugX remote access trojan, keeping the binary RC4-encrypted until the final step of the attack. The breadth of targeting suggests either coordinated intelligence collection or multiple parallel teams sharing tooling.
Read at Ars Technica