Windows Zero-Day Exploited by Chinese Hackers

A newly discovered Windows zero-day vulnerability is being actively exploited by the Chinese Advanced Persistent Threat (APT) group Mustang Panda, according to recent findings by cybersecurity researchers.
Discovery of the Vulnerability
On Thursday, Israeli threat intelligence researchers disclosed that they had observed an active Windows vulnerability being leveraged by Mustang Panda. The exploit appears to be an unpatched zero-day, as no Common Vulnerabilities and Exposures (CVE) identifier has been assigned yet.
According to security analysts, Microsoft is aware of the flaw but has categorized it as low severity. However, given the active exploitation by a state-sponsored APT, security professionals argue that the risk may be greater than initially assessed.
Technical Details of the Exploit
The vulnerability has been described as a user interface (UI) flaw that impacts Windows Explorer. Researchers have shared preliminary technical details, revealing how compressed files are handled when extracted, leading to unintended security risks.
How the Vulnerability Works
- When files are extracted from RAR archives, they remain hidden from the user interface.
- If extracted into a folder, Windows Explorer incorrectly displays the folder as empty.
- However, when using the dir command in Command Prompt, the files appear but remain hidden from GUI-based interactions.
- Threat actors can execute these files via command-line if they know the exact file paths.
- Running attrib -s -h on system-protected files creates an unknown file type linked to an ActiveX component.
- This behavior enables threat actors to stealthily execute malicious payloads on a compromised system without being easily detected.
Mustang Panda’s Involvement
Mustang Panda is a well-known Chinese APT group that has been active for years, primarily targeting governments, NGOs, and high-profile organizations. The group is recognized for:
- Cyber espionage campaigns targeting Southeast Asia, Europe, and the United States.
- Using custom backdoors such as PlugX, Toneshell, and Cobalt Strike.
- Exploiting zero-day vulnerabilities and supply chain attacks.
- Conducting social engineering and spear-phishing campaigns.
Security analysts believe the group’s exploitation of this Windows UI vulnerability aligns with its past tactics of using hidden payloads and obfuscated execution methods to gain persistent access to target systems.
Microsoft’s Response and Patch Status
Security researchers have reached out to Microsoft for comments, but an official response has yet to be issued. The company is reportedly investigating the issue, and a patch may be included in a future Patch Tuesday release.
As of now, Microsoft’s latest security update (February 2025 Patch Tuesday) has addressed over 50 vulnerabilities, including two other zero-days:
CVE-2025-21391 — A Windows Storage privilege escalation flaw that allows an attacker to delete files from a system.
CVE-2025-21418 — A Windows Ancillary Function driver vulnerability, which permits attackers to escalate privileges to System level.
The fact that Microsoft has not yet assigned a CVE to the Mustang Panda-exploited vulnerability raises concerns that it may still be under investigation or has not yet met their severity criteria for an emergency fix.
Potential Risks and Impact
While Microsoft has categorized the issue as low severity, researchers argue that it has significant implications, especially when used in targeted attacks.
Key Risks Associated with This Vulnerability
Stealthy Malware Execution — Attackers can deploy and execute files in hidden directories, avoiding detection by casual users and basic security tools.
Bypassing UI-Based Security Measures — Since the files are not visible in Windows Explorer, traditional security monitoring relying on GUI-based detection may not be effective.
Persistent Backdoor Deployment — The ActiveX-related exploit behavior may allow installation of persistent malware components, making it difficult to fully remove infections.
Advanced Targeted Attacks — Given Mustang Panda’s expertise in espionage operations, this vulnerability could be used to plant undetected surveillance tools.
Mitigation Strategies
Until Microsoft releases an official patch, organizations and users should implement best practices to mitigate potential attacks:
Disable ActiveX Controls — Since the exploit creates an unknown ActiveX component, disabling ActiveX in untrusted environments can limit execution risks.
Use Command-Line Tools for File Verification — Administrators should use PowerShell or Command Prompt (dir /a) to inspect extracted file locations.
Monitor Suspicious File Executions — Enable Windows Defender or third-party EDR tools to detect unauthorized command-line executions.
Block Potentially Malicious RAR File Sources — Since the exploit relies on RAR archives, organizations should restrict downloads from untrusted sources.
Regularly Update Security Software — Even without a Microsoft patch, endpoint protection solutions may release detection updates for this exploit.
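The two command-line mitigations above (inspecting extracted folders with something other than Explorer, and watching for suspicious command-line activity such as attribute changes) can be turned into a small audit script. The PowerShell below is an added example written for this article; it is not code from the researchers, from Mustang Panda's tooling, or from Microsoft. It assumes Windows PowerShell 5.1 or later, a placeholder folder path that you replace with the real extraction directory, and, for the event query, that the "Audit Process Creation" policy and "Include command line in process creation events" setting are enabled so that Security log event 4688 carries the command line. The function names are hypothetical.

```powershell
# Added example (not from the article): audit a folder an archive was extracted
# into, and list every file the default Explorer view would omit.
function Find-ConcealedFiles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path   # placeholder: folder the RAR archive was extracted into
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Folder not found: $Path"
    }

    # -Force includes Hidden and System entries that a plain Get-ChildItem
    # (and the default Explorer view) leave out; comparing the two listings
    # shows exactly what a user looking at the folder would not see.
    $all     = Get-ChildItem -LiteralPath $Path -Recurse -Force -File
    $visible = Get-ChildItem -LiteralPath $Path -Recurse -File

    $visibleSet = @{}
    foreach ($v in $visible) { $visibleSet[$v.FullName] = $true }

    foreach ($item in $all) {
        $attrs    = $item.Attributes
        $isHidden = $attrs.HasFlag([IO.FileAttributes]::Hidden)
        $isSystem = $attrs.HasFlag([IO.FileAttributes]::System)

        # Hidden+System together marks a "protected operating system file";
        # Explorer keeps those out of view even when "Show hidden files" is on,
        # so they deserve the closest look after an extraction.
        [PSCustomObject]@{
            FullName        = $item.FullName
            Attributes      = $attrs
            ShownByDefault  = $visibleSet.ContainsKey($item.FullName)
            HiddenAndSystem = ($isHidden -and $isSystem)
            SizeBytes       = $item.Length
            LastWriteUtc    = $item.LastWriteTimeUtc
        }
    }
}

# Added example: pull process-creation events whose command line touches file
# attributes or references a path inside the extraction folder. Requires
# process creation auditing with command-line logging enabled (see lead-in).
function Get-SuspiciousProcessEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ExtractionPath,          # same placeholder folder as above
        [int]$MaxEvents = 500
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $cmd = $data['CommandLine']
        if (-not $cmd) { continue }   # command-line logging not enabled for this event

        $touchesAttrib = $cmd -match '(?i)\battrib(\.exe)?\b.*-[sh]'
        $touchesFolder = $cmd.IndexOf($ExtractionPath, [StringComparison]::OrdinalIgnoreCase) -ge 0

        if ($touchesAttrib -or $touchesFolder) {
            [PSCustomObject]@{
                TimeCreated   = $e.TimeCreated
                User          = $data['SubjectUserName']
                NewProcess    = $data['NewProcessName']
                ParentProcess = $data['ParentProcessName']
                CommandLine   = $cmd
                Reason        = if ($touchesAttrib) { 'attrib -s/-h' } else { 'extraction path' }
            }
        }
    }
}

# Usage (replace the placeholder path with the real extraction folder):
# Find-ConcealedFiles -Path 'C:\Users\<user>\Downloads\extracted' |
#     Where-Object { -not $_.ShownByDefault } |
#     Format-Table FullName, Attributes, HiddenAndSystem, SizeBytes
# Get-SuspiciousProcessEvents -ExtractionPath 'C:\Users\<user>\Downloads\extracted' |
#     Format-Table TimeCreated, User, NewProcess, Reason, CommandLine -Wrap
```

Run both functions from an elevated prompt: reading the Security log needs administrator rights, and without the auditing policies named in the lead-in the 4688 events either do not exist or carry no CommandLine field, which the second function reports by simply returning nothing. The first function needs no special privileges and is the direct counterpart of the dir /a check the article recommends, with the added benefit of producing objects you can export or feed to an EDR case.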
Conclusion
The discovery of a new Windows zero-day being actively exploited by Mustang Panda highlights the growing risks of UI-based vulnerabilities in modern cyber threats. While Microsoft has not yet assigned a CVE, the fact that a sophisticated APT is using it suggests that it is more dangerous than its current low-severity classification implies.
Organizations should take proactive steps to harden their security postures, implement mitigations, and stay updated on Microsoft’s response. Given Mustang Panda’s track record of long-term cyber espionage, this vulnerability could be leveraged in high-profile, nation-state-backed campaigns, making it essential for cybersecurity teams to stay vigilant.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.