Thursday, February 13, 2025

New Microsoft Windows GUI 0-Day Vulnerability Actively Exploited in the Wild


A newly discovered vulnerability in Microsoft Windows, identified by ClearSky Cyber Security, is reportedly being actively exploited by the Chinese state-sponsored Advanced Persistent Threat (APT) group Mustang Panda.

The vulnerability, which affects the Windows Explorer graphical user interface (GUI), has been classified as low-severity by Microsoft but poses significant risks due to its exploitation in targeted attacks.

Details of the Vulnerability

The flaw involves how Windows handles files extracted from compressed RAR archives. When extracted into a folder, these files do not appear in the Windows Explorer GUI, misleading users into believing the folder is empty.

However, the files can still be accessed and executed via command-line tools if their exact path is known.

For instance, the dir command reveals these hidden files, and running attrib -s -h on the system-protected files results in the creation of an unknown file type associated with an “Unknown” ActiveX component.

This exploitation method allows threat actors to conceal malicious files within seemingly benign archives, bypassing detection and enabling stealthy execution of harmful payloads.
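As an added defensive example (not from the article or from ClearSky's research): a PowerShell check that lists every file in an extracted folder that Explorer's default view would omit, so a responder can triage the contents without altering their attributes. It assumes PowerShell 5.1 or later on Windows; the folder path in the usage line is a placeholder.

```powershell
# Added example, not part of the original article: compare the default directory listing
# (roughly what a user sees in Explorer) with a listing that includes hidden and system entries.
function Find-ExplorerHiddenFiles {
    param(
        [Parameter(Mandatory)][string]$Path
    )

    # Default listing omits entries carrying the Hidden and/or System attributes.
    $visible = @(Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.FullName })

    # -Force also returns hidden/system entries and descends into hidden directories.
    $all = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue

    foreach ($item in $all) {
        if ($visible -contains $item.FullName) { continue }

        # Hash the file for triage but leave it as found: do not run "attrib -s -h" on it,
        # so the evidence (attributes, timestamps) stays intact for later analysis.
        $hash = 'n/a'
        $hashObj = Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($hashObj) { $hash = $hashObj.Hash }

        [pscustomobject]@{
            FullName      = $item.FullName
            Attributes    = $item.Attributes.ToString()
            Length        = $item.Length
            Extension     = $item.Extension          # empty extension is worth a second look
            LastWriteTime = $item.LastWriteTime
            SHA256        = $hash
        }
    }
}

# Usage (placeholder path): run against the folder an archive was just extracted into.
# Find-ExplorerHiddenFiles -Path 'C:\Users\<user>\Downloads\extracted' | Format-Table -AutoSize
```

Any file reported here exists on disk but is invisible in the GUI; the hash and attributes give a defender something to search for across other hosts without executing the file.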

Mustang Panda’s Role

Mustang Panda, also known as Bronze President or RedDelta, is a well-documented Chinese APT group known for cyber espionage campaigns targeting governments, NGOs, and private organizations worldwide.

The group frequently employs spear-phishing emails and custom malware like PlugX to infiltrate systems and exfiltrate sensitive data.

Their operations often align with China’s geopolitical objectives, including intelligence gathering and strategic dominance. In this case, Mustang Panda is leveraging the Windows vulnerability to deliver malicious payloads.

Their tactics include embedding harmful files in compressed archives distributed through phishing campaigns or other deceptive methods. Once extracted, these files remain hidden from users but can be executed to compromise systems.

Despite its active exploitation by a sophisticated threat actor, Microsoft has categorized this vulnerability as low-severity.

This classification may reflect the specific conditions required for exploitation or the limited scope of potential damage compared to other critical vulnerabilities.

However, cybersecurity experts warn that such vulnerabilities can have significant implications when used as part of a broader attack chain.

This is an actively developing story. ClearSky Cyber Security has indicated that more technical details about the vulnerability and its exploitation will be published soon on their blog.

Organizations are advised to stay alert for updates and take proactive measures to protect their systems against potential threats.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
