ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns

2025-03-18 Trend Micro

https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html


Trend Micro's Zero Day Initiative (ZDI) found extensive exploitation of ZDI-CAN-25373, a vulnerability in how Windows displays shortcut (.lnk) files. A crafted shortcut pads its COMMAND_LINE_ARGUMENTS field with whitespace characters (spaces, tabs, line feeds, vertical tabs, form feeds, carriage returns) so that the file's Properties dialog shows an apparently harmless Target while the shortcut still passes the hidden arguments to the target program when the user opens it. The flaw is a user-interface misrepresentation issue (CWE-451) rather than memory corruption, and no patch was available at the time of publication, so defenders have to inspect the shortcut structure itself instead of trusting what Windows displays. The research attributes exploitation to 11 state-sponsored groups from North Korea, Iran, Russia, and China, with nearly half of the state-sponsored exploiters reportedly originating from North Korea. ZDI observed that a significant majority of North Korean intrusion sets had used the technique at different times, suggesting cross-collaboration or sharing of techniques and tooling within North Korea's cyber program. The campaigns were mainly associated with espionage and information theft, with financially motivated activity also present; higher-risk sectors included financial and cryptocurrency organizations, think tanks and NGOs, telecommunications, military, and defense.
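As an added example, not code from Trend Micro or from the original page, the following Python script parses the StringData section of a Shell Link file as laid out in the MS-SHLLINK specification, extracts COMMAND_LINE_ARGUMENTS directly from the bytes, and flags the whitespace-padding pattern described above. The two sample shortcuts are constructed inline (not real-world samples), the padding threshold of 32 characters is an analyst-chosen assumption, and the `/c calc.exe` argument is a harmless placeholder rather than any observed payload.

```python
import struct

# Constants from the MS-SHLLINK specification (ShellLinkHeader and LinkFlags).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_DATA_ORDER = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
# Whitespace used to push the real arguments out of view in the Properties dialog.
PAD_CHARS = " \t\n\x0b\x0c\r"
CONTROL_PAD = "\t\n\x0b\x0c\r"


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file, walking past the optional
    LinkTargetIDList and LinkInfo structures that precede them."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        link_info_size, = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    fields = {}
    for flag, name in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)  # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            # Non-Unicode strings use the system code page; cp1252 is an assumption.
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def assess_lnk(data: bytes, pad_threshold: int = 32) -> dict:
    """Flag COMMAND_LINE_ARGUMENTS that start with control whitespace or with at
    least pad_threshold padding characters (the threshold is an assumption)."""
    args = parse_lnk_strings(data).get("arguments", "")
    stripped = args.lstrip(PAD_CHARS)
    leading = len(args) - len(stripped)
    control = any(c in CONTROL_PAD for c in args[:leading])
    return {
        "leading_pad": leading,
        "control_whitespace": control,
        "hidden_command": stripped.rstrip(PAD_CHARS),
        "suspicious": control or leading >= pad_threshold,
    }


def build_lnk(arguments: str, name: str = "") -> bytes:
    """Construct a minimal Unicode .lnk carrying only NAME_STRING and
    COMMAND_LINE_ARGUMENTS (a test fixture, not a real-world sample)."""
    flags = HAS_ARGUMENTS | IS_UNICODE | (HAS_NAME if name else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3.
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for flag, text in ((HAS_NAME, name), (HAS_ARGUMENTS, arguments)):
        if flags & flag:
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


# Constructed samples: an ordinary shortcut and one using the padding trick.
BENIGN_LNK = build_lnk("/k echo hello")
PADDED_LNK = build_lnk(" " * 40 + "\t" * 10 + "/c calc.exe", name="Quarterly report")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, assess_lnk(blob))
```

To triage a real file, pass `open(path, "rb").read()` to `assess_lnk`. Legitimate shortcuts occasionally carry a few leading spaces in their arguments, so tune `pad_threshold` to your environment; any tab, line feed, vertical tab, form feed or carriage return at the start of the field is a much stronger signal, since the Windows shell never writes those itself.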

Indicators of Compromise

Type   Value               First Seen   Last Seen
YARA   ZTH_LNK_EXPLOIT_A   2025-03-18   2025-03-18
