Back to Blog
CVE-2026-25373: Windows Shortcut — AI Malware Enables Stealth Espionage (June 2024)
vulnerabilities

CVE-2026-25373: Windows Shortcut — AI Malware Enables Stealth Espionage (June 2024)

breachwire TeamJul 8, 20262 min read

CVE-2026-25373 — Windows Shortcut Vulnerability

CVE-2026-25373 is a high-severity vulnerability in Windows shortcut handling, actively exploited by the Armored Likho (Eagle Werewolf) APT group. Attackers leverage this flaw to deliver AI-generated malware, including obfuscated remote access trojans (RATs) and the BusySnake Stealer, enabling full host compromise, credential exfiltration, and persistent espionage. No official CVSS score is published, but exploitation is confirmed in the wild.

Attack Vector

The campaign begins with spear-phishing emails containing malicious Windows shortcut files (.lnk) that exploit CVE-2026-25373. Upon execution, the shortcut triggers a multi-stage infection: a Python-based infostealer and keylogger are deployed, followed by RATs that establish stealthy C2 channels. The malware exfiltrates browser credentials, cookies, cryptocurrency keys, and sensitive documents, while persistent background tasks maintain access. Social engineering lures and novel obfuscation techniques hinder detection. Indicators of compromise include suspicious .lnk file activity, unexpected Python process launches, and outbound connections to attacker infrastructure.

Who Is at Risk

Government agencies and electric power organizations in Russia, Kazakhstan, and Brazil are confirmed targets. Any Windows environment exposed to email-based attacks is vulnerable, especially those lacking recent security updates or advanced endpoint monitoring. The campaign is global in scope, with critical infrastructure and government networks at highest risk.

Patch & Mitigate

  • Patch: Apply the latest Microsoft security updates addressing shortcut file handling as soon as released. No official patch is available as of June 2024; monitor vendor advisories.
  • Workaround: Block execution of .lnk files from untrusted sources and restrict Python interpreter access on endpoints where not required.
  • Detect: Monitor for anomalous .lnk file executions, creation of unauthorized Python processes, and outbound traffic to known Armored Likho C2 domains/IPs. Review logs for credential access and suspicious persistence mechanisms.

MITRE ATT&CK

  • TA0001 — Initial Access: Spear-phishing with malicious .lnk files enables initial compromise.
  • TA0006 — Credential Access: Infostealer modules extract browser credentials and sensitive data.
  • TA0009 — Collection: Keylogger and RAT components facilitate ongoing data theft and espionage.

Source: https://securityaffairs.com/194854/apt/ai-generated-malware-powers-new-armored-likho-apt-campaign.html

Start Your 14-Day Free Trial

Get curated cyber intelligence delivered to your inbox every morning at 6 AM. No credit card required.

Get Started Free
Share this article: