{
    "type": "bundle",
    "id": "bundle--838d3a2d-0eb1-4f73-8584-e24f7baea824",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--f124ebed-440c-493a-a454-005060f3b4d8",
            "created": "2023-03-08T12:51:57.814175Z",
            "modified": "2026-04-22T13:31:24.745811Z",
            "name": "TrendMicro",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ef8c8995-6817-4293-8a57-9eb855c608e8",
            "created": "2026-06-24T23:56:24.748429Z",
            "modified": "2026-06-24T23:56:24.748429Z",
            "name": "YARA Rule",
            "pattern": "rule ZTH_LNK_EXPLOIT_A\r\n{\r\nmeta:\r\nauthor = \"Peter Girnus\"\r\ndescription = \"This YARA file detects padded LNK files designed to exploit ZDI-CAN-25373.\"\r\nreference = \"<LINK_TO_BLOG>\"\r\ntarget_entity = \"file\"\r\nstrings:\r\n$magic = {4C 00 00 00 01 14 02 00}\r\n$spoof_a = {20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00}\r\n$spoof_b = {09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00 09 00}\r\n$spoof_c = {0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00 0A 00}\r\n$spoof_d = {0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00 0D 00}\r\n$spoof_e = {11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00 11 00}\r\n$spoof_f = {12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00 12 00}\r\n$spoof_g = {13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00 13 00}\r\n$spoof_h = {0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00 0D 00 0A 00}\r\ncondition:\r\n$magic at 0x00 and ($spoof_a or $spoof_b or $spoof_c or $spoof_d or $spoof_e or $spoof_f or $spoof_g or $spoof_h)\r\n}",
            "pattern_type": "yara",
            "valid_from": "2025-03-18T00:00:00Z"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--957f6387-2793-537f-bd20-14ccbe18841e",
            "created": "2026-06-24T23:56:24.752617Z",
            "modified": "2026-06-24T23:56:24.752617Z",
            "name": "EarthImp"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--b8dba51b-ecc8-571c-9f18-df6bed2eb3b6",
            "created": "2026-06-24T23:56:24.75486Z",
            "modified": "2026-06-24T23:56:24.75486Z",
            "name": "EarthKumiho"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--be765a68-f6aa-50d1-b4f8-d60e707774c2",
            "created": "2026-06-24T23:56:24.757054Z",
            "modified": "2026-06-24T23:56:24.757054Z",
            "name": "EarthManticore"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--d8928b3b-7751-5c41-876f-0ea50694afcb",
            "created": "2026-06-24T23:56:24.7592Z",
            "modified": "2026-06-24T23:56:24.7592Z",
            "name": "VoidImugi"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--0d9d49a5-7581-4670-9155-fe3517850cac",
            "created_by_ref": "identity--f124ebed-440c-493a-a454-005060f3b4d8",
            "created": "2026-06-24T23:56:24.760144Z",
            "modified": "2026-06-24T23:56:24.760144Z",
            "name": "ZDI-CAN-25373 Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns",
            "published": "2025-03-18T00:00:00Z",
            "object_refs": [
                "identity--f124ebed-440c-493a-a454-005060f3b4d8",
                "indicator--ef8c8995-6817-4293-8a57-9eb855c608e8",
                "threat-actor--957f6387-2793-537f-bd20-14ccbe18841e",
                "threat-actor--b8dba51b-ecc8-571c-9f18-df6bed2eb3b6",
                "threat-actor--be765a68-f6aa-50d1-b4f8-d60e707774c2",
                "threat-actor--d8928b3b-7751-5c41-876f-0ea50694afcb"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html"
                }
            ]
        }
    ]
}