Windows Zero-Day Vulnerability Exploited by 11 State-Sponsored Threat Groups Since 2017
An unpatched security vulnerability impacting Microsoft Windows has been exploited by 11 state-sponsored threat groups since 2017. The zero-day vulnerability, which is tracked as ZDI-CAN-25373 by Trend Micro’s Zero Day Initiative (ZDI), refers to a flaw within Windows which allows malicious actors to execute hidden malicious commands on a target machine by utilising crafted Windows Shortcut or Shell Link (.LNK) files.
The attacks use hidden command-line arguments within the LNK files to execute malicious payloads on the target system. Detection is complicated because the arguments are padded with Line Feed (\x0A) and Carriage Return (\x0D) characters, which conceals the real command from inspection.
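As an added example (not code from the bulletin or from ZDI), the following Python script reads the COMMAND_LINE_ARGUMENTS string out of a Shell Link file by walking the MS-SHLLINK layout (header, optional ID list, optional LinkInfo, then the StringData fields) and flags arguments that contain a long run of CR/LF/whitespace padding. The sample .LNK files are constructed inline; the `hidden_command.exe` name and the 16-character threshold are assumptions chosen for the demo.

```python
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1), lowest bit first.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, \
    HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
PAD_CHARS = {"\x0a", "\x0d", "\x20", "\x09"}  # LF, CR, space, tab

def lnk_arguments(data: bytes):
    """Return the COMMAND_LINE_ARGUMENTS string of a .LNK, or None if absent."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                   # end of the fixed-size header
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) + the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    args = None
    # StringData fields appear in this fixed order, each as CountCharacters + chars.
    for flag in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        raw = data[pos:pos + count * (2 if unicode else 1)]
        pos += len(raw)
        if flag == HAS_ARGS:
            args = raw.decode("utf-16-le" if unicode else "cp1252")
    return args

def padded_args_indicator(data: bytes, threshold: int = 16) -> dict:
    """Flag an arguments string whose longest padding run reaches the threshold."""
    args = lnk_arguments(data)
    if args is None:
        return {"suspicious": False, "pad_run": 0, "hidden": ""}
    run = best = end = 0
    for i, ch in enumerate(args):
        run = run + 1 if ch in PAD_CHARS else 0
        if run > best:
            best, end = run, i + 1               # end = index just past the run
    hidden = args[end:].strip() if best >= threshold else ""
    return {"suspicious": best >= threshold, "pad_run": best, "hidden": hidden}

def build_lnk(args: str) -> bytes:
    """Constructed minimal Unicode .LNK carrying only an arguments string (demo input)."""
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)      # HeaderSize
    header[4:20] = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    struct.pack_into("<I", header, 0x14, HAS_ARGS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(args)) + args.encode("utf-16-le")

BENIGN = build_lnk("/c echo hello")                                   # constructed
PADDED = build_lnk("/c echo hello" + "\x0a\x0d" * 200 + "& hidden_command.exe")
```

Run `padded_args_indicator` over a folder of .LNK attachments to triage them; the `hidden` field shows the command that follows the padding.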
Since 2017, nearly 1000 LNK file artifacts exploiting the zero-day have been discovered, with the majority of the samples linked to Evil Corp (Water Asena), Kimsuky (Earth Kumiho), Konni (Earth Imp), Bitter (Earth Anansi), and ScarCruft (Earth Manticore).
Telemetry data from each known instance of exploitation suggests that the primary targets are governments, think tanks, telecommunication service providers, private entities, financial organisations, and military/defence agencies located in the United States, Canada, Russia, South Korea, Vietnam, and Brazil.
In the data investigated by ZDI, it was seen that the LNK files act as a delivery vehicle for different malware variants including Lumma, Remcos RAT and GuLoader.
Microsoft has classified the issue as Low Severity and does not plan to release a fix for this issue.
Microsoft has recently called attention to a remote access trojan (RAT) dubbed StilachiRAT, which employs advanced techniques to fly under the radar of detection and persist within a target environment with the ultimate goal of stealing sensitive data from the target.
The malware is built to steal information from the system it has targeted, including credentials from browser data, digital wallet information, system information and data stored within the system clipboard, just to name a few.
Microsoft has stated that it first discovered the RAT in November 2024, with the RAT present within a DLL module named “WWStartupCtrl64.dll”. At this moment in time, the RAT has not been attributed to any specific threat actors or nation-states.
As it stands, it is not clear how the malware is delivered to its targets. However, Microsoft has noted that trojans can be installed via a multitude of methods, including common initial access routes, making it imperative that organisations implement suitable and reliable security measures.
StilachiRAT has been designed to steal a wide range of data from the target system, including operating system details, hardware identifiers, active Remote Desktop Protocol sessions, running graphical user interface applications and the presence of any cameras (e.g. webcams). The malware is also designed to target a list of specific cryptocurrency wallet extensions found within Google Chrome. The list includes Bitget Wallet, Trust Wallet, TronLink, MetaMask, TokenPocket, BNB Chain Wallet, OKX Wallet, Sui Wallet, Braavos – Starknet Wallet, Coinbase Wallet, Leap Cosmos Wallet, Manta Wallet, Keplr, Phantom, Compass Wallet for Sei, Math Wallet, Fractal Wallet, Station Wallet, ConfluxPortal, and Plug.
It’s also worth noting that this malware periodically exfiltrates any credentials found on the target system over connections to a remote command-and-control server. The channel is bidirectional: the malicious actor can use it to extract data from the target system while also sending instructions to the malware.
SystemBC and AndroxGh0st: The Evolution of Exploitation
Cyber threats don’t simply disappear – they evolve, resurface, and exploit the gaps left behind. SystemBC and AndroxGh0st serve as the latest reminders that old vulnerabilities remain a prime target for attackers. Like EternalBlue, which we covered in our 11th December bulletin, these botnets demonstrate that threat actors don’t always need zero-days when unpatched systems and misconfigurations provide easy access.
The key takeaway? A patch alone doesn’t close the door on risk. Without continuous monitoring and a proactive security strategy, yesterday’s vulnerabilities can quickly become today’s attack vector. SystemBC and AndroxGh0st reinforce a familiar lesson – if a weakness was once exploitable, it will be again unless defences evolve faster than the threat.
SystemBC: A persistent tool for stealth and control
What started as just another malware in 2019 has now evolved into a Swiss army knife for cyber criminals. SystemBC, a Tor-enabled proxy botnet, allows attackers to cloak their operations in encryption, evade detection, and execute malicious payloads with unmatched stealth. Originally associated with ransomware affiliates, it has since become a favoured tool in APT campaigns targeting critical infrastructure.
Recent attacks against power generation companies reveal how SystemBC is deployed to facilitate Cobalt Strike beaconing, conduct deep reconnaissance, and siphon sensitive data. This aligns with a larger strategy observed in espionage and ransomware operations, where SystemBC serves as a silent enabler for QakBot, LockBit ransomware, and other payloads that cripple organisations.
SystemBC flourishes in environments where patching and segmentation take a backseat, allowing attackers to recycle the same exploit chains with devastating consequences. In short, if it finds an open door, it won’t hesitate to let even more threats in.
Key MITRE Attack Techniques:
Exploiting unpatched vulnerabilities (T1190)
PowerShell-based payload execution (T1059.001)
C2 communications over Tor (T1090.003)
AndroxGh0st: The rise of API and cloud exploitation
AndroxGh0st has evolved rapidly since its emergence in January 2024, resurfacing with advanced capabilities and a broader attack surface. Initially targeting Laravel-based applications and cloud environments like AWS, Twilio, Office 365, and SendGrid, it has expanded its focus to over 20 vulnerabilities across Cisco ASA, Atlassian JIRA, PHP frameworks, and IoT devices. By exploiting weak authentication and misconfigurations, AndroxGh0st enables unauthorised access and remote code execution, putting both web servers and IoT networks at risk.
Recent research highlights operational overlap between AndroxGh0st and the Mozi botnet, a well-known IoT-focused malware. This collaboration expands AndroxGh0st’s reach, enabling persistence and shared infrastructure to facilitate widespread exploitation. With its growing sophistication and integration of malware persistence tactics, attackers can maintain long-term footholds in compromised environments, further increasing the difficulty of detection and mitigation.
Like an opportunistic burglar testing every door in the neighbourhood, AndroxGh0st thrives on overlooked weaknesses, proving that even old vulnerabilities can be given a new lease on life in the wrong hands.
Key MITRE Attack Techniques:
Credential theft from exposed cloud services (T1552)
Abuse of API keys and authentication tokens (T1528)
Lateral movement within cloud environments (T1570)
Closing the loop on cyber threats
SystemBC and AndroxGh0st aren’t just lurking in the background, they’re actively hunting for gaps in security, exploiting weaknesses across industries, with critical infrastructure and tech-heavy sectors firmly in their crosshairs. As these attacks grow more sophisticated and relentless, one thing is clear: staying ahead isn’t just about patching the latest CVE, it’s about outpacing the attackers with a proactive, full-circle approach to vulnerability management.