A newly discovered vulnerability in Microsoft Windows, identified by ClearSky Cyber Security, is reportedly being actively exploited by the Chinese state-sponsored Advanced Persistent Threat (APT) group Mustang Panda.
The vulnerability, which affects the Windows Explorer graphical user interface (GUI), has been classified as low-severity by Microsoft but poses significant risks due to its exploitation in targeted attacks.
The flaw involves how Windows handles files extracted from compressed “RAR” archives. When extracted into a folder, these files appear invisible in the Windows Explorer GUI, misleading users into believing the folder is empty.
However, the files can still be accessed and executed via command-line tools if their exact path is known.
For instance, using the dir command reveals these hidden files, and executing attrib -s -h on system-protected files results in the creation of an unknown file type associated with an “Unknown” ActiveX component.
This exploitation method allows threat actors to conceal malicious files within seemingly benign archives, bypassing detection and enabling stealthy execution of harmful payloads.
Mustang Panda, also known as Bronze President or RedDelta, is a well-documented Chinese APT group known for cyber espionage campaigns targeting governments, NGOs, and private organizations worldwide.
The group frequently employs spear-phishing emails and custom malware like PlugX to infiltrate systems and exfiltrate sensitive data.
Their operations often align with China’s geopolitical objectives, including intelligence gathering and strategic dominance. In this case, Mustang Panda is leveraging the Windows vulnerability to deliver malicious payloads.
Their tactics include embedding harmful files in compressed archives distributed through phishing campaigns or other deceptive methods. Once extracted, these files remain hidden from users but can be executed to compromise systems.
Despite its active exploitation by a sophisticated threat actor, Microsoft has categorized this vulnerability as low-severity.
This classification may reflect the specific conditions required for exploitation or the limited scope of potential damage compared to other critical vulnerabilities.
However, cybersecurity experts warn that such vulnerabilities can have significant implications when used as part of a broader attack chain.
This is an actively developing story. ClearSky Cyber Security has indicated that more technical details about the vulnerability and its exploitation will be published soon on their blog.
Organizations are advised to stay alert for updates and take proactive measures to protect their systems against potential threats.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
PortSwigger has announced the release of Burp Suite Professional and Community Edition 2025.2, introducing significant…
A subgroup of the Russian state-sponsored hacking group Seashell Blizzard, also known as Sandworm, has…
A newly uncovered cyber campaign, dubbed "BadPilot," has been linked to a subgroup of the…
Cybersecurity analysts have identified that hackers are leveraging the open-source Pyramid pentesting tool to establish…
Foreign adversaries, including Russia, China, and Iran, are intensifying their efforts to manipulate public opinion…
Netskope Threat Labs has uncovered a sophisticated phishing campaign targeting users across various industries, including…