Two Windows Vulnerabilities, Including a Zero-Day, Actively Exploited

Researchers have identified that two critical vulnerabilities in Windows operating systems are currently being exploited in widespread cyberattacks. One of these vulnerabilities is a zero-day flaw that has remained active since 2017, while the second is a significant bug that Microsoft has struggled to patch effectively.

The zero-day vulnerability was discovered in March 2023, when security firm Trend Micro revealed that it had been under exploitation by approximately 11 advanced persistent threat (APT) groups since its identification. These APTs, often linked to nation-states, typically target specific individuals or organizations they deem valuable. Trend Micro reported that these groups were utilizing the vulnerability, referred to as ZDI-CAN-25373, to deploy various known post-exploitation payloads across almost 60 countries, primarily in the United States, Canada, Russia, and South Korea.

Despite the identification of this serious flaw, Microsoft has not yet issued a patch, even after several months. This particular vulnerability is related to a bug in the Windows Shortcut binary format, which simplifies the process of launching applications and accessing files. Recently, the tracking designation for this vulnerability has been updated to CVE-2025-9491.
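The shortcut format the article refers to is documented publicly as MS-SHLLINK, and a defender triaging suspicious .lnk attachments wants to see the fields the Explorer Properties dialog normally summarises. The following Python is an added example written for this page (not code from the article, Trend Micro or Arctic Wolf): it parses the ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo blocks by their declared sizes, decodes the StringData fields, and applies one triage heuristic. That heuristic is an assumption of the example and is not something the article spells out: a long run of whitespace inside the argument field is anomalous, because the Properties dialog shows only a limited window of that field. The two shortcuts it inspects are constructed inline; `build_lnk`, `assess` and the 64-character threshold are the example's own choices.

```python
"""Triage Windows Shortcut (.lnk) files: parse the MS-SHLLINK layout and
flag anomalies in the COMMAND_LINE_ARGUMENTS field (example code)."""
import struct
from typing import Optional

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each only if its flag is set
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]

PADDING_CHARS = " \t\r\n\x0b\x0c"


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link, skipping the optional
    LinkTargetIDList and LinkInfo blocks by their declared sizes."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {"flags": flags}
    width = 2 if flags & IS_UNICODE else 1   # UTF-16LE or ANSI code units
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            fields[name] = None
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated before {name}")
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated inside {name}")
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252",
                                  errors="replace")
    return fields


def longest_padding_run(args: Optional[str]) -> int:
    """Length of the longest run of whitespace characters in the arguments."""
    best = run = 0
    for ch in args or "":
        run = run + 1 if ch in PADDING_CHARS else 0
        best = max(best, run)
    return best


def assess(data: bytes, threshold: int = 64) -> dict:
    """Parse and attach triage findings (heuristic assumed by this example)."""
    fields = parse_lnk(data)
    findings = []
    if longest_padding_run(fields["arguments"]) >= threshold:
        findings.append("long whitespace run in arguments")
    fields["findings"] = findings
    return fields


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Construct a minimal Unicode Shell Link for testing (sample data, not a
    real shortcut from any campaign)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path)
    if arguments:
        body += string_data(arguments)
    return header + body


# Constructed samples: a plain document shortcut and one whose argument field
# hides a harmless echo behind 300 spaces.
BENIGN_LNK = build_lnk("..\\Documents\\report.docx")
PADDED_LNK = build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                       " " * 300 + "/c echo constructed-sample")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        result = assess(blob)
        print(label, result["relative_path"], result["findings"])
```

Run it against a directory of quarantined shortcuts by reading each file's bytes into `assess`; a parse error is itself worth noting, since a shortcut that Explorer renders but this parser rejects has a header or size field outside the documented layout.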

On Thursday, Arctic Wolf, a security firm, disclosed that it had detected a China-aligned threat group—designated as UNC-6384—exploiting CVE-2025-9491 in campaigns targeting multiple European nations. The final payload of these attacks involves a common remote access trojan known as PlugX. To enhance malware concealment, the exploit keeps the malicious binary file encrypted using RC4 until the final stage of the attack.
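Keeping the final binary RC4-encrypted until the last stage defeats static matching on the dropped file, which is why responders lean on entropy and on decrypting with a key recovered from the loader. The Python below is an added example for this page, not code from Arctic Wolf or from the campaign: it implements plain RC4, a Shannon-entropy measure and a minimal PE signature check, then runs all three over a constructed stand-in payload. `FAKE_PE`, `SAMPLE_KEY` and the 7.0 bits-per-byte threshold are placeholders chosen for the example; nothing here is a real PlugX artifact or key.

```python
"""Why an RC4-wrapped payload evades static matching, and how an analyst
checks it (example code; key and payload are constructed here)."""
import math
import struct
from collections import Counter


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted blobs approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_pe(data: bytes) -> bool:
    """Cheap signature check: DOS magic plus the PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed stand-in for a dropped executable: DOS header, PE signature at
# offset 0x80, some text and zero padding. Not a real binary.
FAKE_PE = (b"MZ" + bytes(58) + struct.pack("<I", 0x80) + bytes(0x80 - 0x40)
           + b"PE\x00\x00"
           + b"This program cannot be run in DOS mode.\r\n" * 8
           + bytes(512))
SAMPLE_KEY = b"constructed-example-key"     # placeholder, not a campaign key
ENCRYPTED = rc4(SAMPLE_KEY, FAKE_PE)


def triage(blob: bytes, candidate_key: bytes, threshold: float = 7.0) -> dict:
    """What a responder does with a suspicious on-disk file: note the entropy,
    try the signature check as-is, then again after decrypting with a key
    recovered from the loader."""
    decrypted = rc4(candidate_key, blob)
    entropy = shannon_entropy(blob)
    return {
        "entropy": entropy,
        "high_entropy": entropy >= threshold,
        "pe_before": looks_like_pe(blob),
        "pe_after": looks_like_pe(decrypted),
    }


if __name__ == "__main__":
    print(triage(ENCRYPTED, SAMPLE_KEY))
```

The design point is the asymmetry: entropy alone flags the file as worth a look but cannot say what it is, while the signature check only works once the loader's key has been pulled from memory or from the decrypting stage, so both belong in the triage path.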

The extensive targeting across a range of European countries within a short timeframe indicates either a large-scale coordinated intelligence-gathering operation or the deployment of multiple operational teams working independently but utilizing shared tools. Arctic Wolf emphasized that the consistent techniques observed across disparate targets point to centralized development of tools and adherence to operational security standards, even if execution varies among different teams.

Given the nature of these attacks, several MITRE ATT&CK tactics could have been involved, including initial access through phishing or exploiting system vulnerabilities. Persistence mechanisms might have been leveraged to maintain a foothold within the targeted networks, and privilege escalation techniques could have been employed to gain higher-level access within those environments.

The situation underscores the persistent risk posed by sophisticated threat actors, particularly as they exploit known weaknesses in widely used software systems. Business owners need to be vigilant and proactive in their cybersecurity strategies, focusing on regular updates and employee training to mitigate risks associated with such vulnerabilities.

As developments unfold, it is crucial for organizations to remain informed and to implement protective measures that can fortify their defenses against emerging cyber threats.
