Windows LNK Flaw Finally Fixed After Years of Abuse

Microsoft has silently patched a long-standing Windows security flaw that allowed malicious shortcut files to execute hidden commands, a technique exploited by state-sponsored and cybercriminal groups for nearly a decade. Tracked as CVE-2025-9491, the vulnerability enabled attackers to craft .lnk shortcut files that concealed harmful command-line arguments using whitespace padding, making the "Target" field appear blank or harmless when viewed in Windows Properties. This deception tricked users into opening shortcuts that secretly ran malicious code, a method leveraged by at least 11 advanced persistent threat (APT) groups from North Korea, Iran, Russia, and China, as well as numerous cybercrime operations, according to Trend Micro research.
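As an added defender-side illustration (not code from the article, Trend Micro or Microsoft), the following Python parser walks the public MS-SHLLINK layout of a .lnk file, extracts its COMMAND_LINE_ARGUMENTS string and flags shortcuts whose arguments contain a long run of whitespace, the padding trick described above. The 64-character threshold, the Latin-1 fallback for non-Unicode strings and the sample shortcut built in `build_sample_lnk` are constructed assumptions for offline testing.

```python
import re
import struct

HEADER_SIZE = 0x4C                                   # ShellLinkHeader is always 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x04, 0x08, 0x10, 0x20
IS_UNICODE = 0x80
PADDING_THRESHOLD = 64  # assumed cut-off: legitimate arguments rarely carry this much whitespace

def _read_string(data, pos, unicode):
    """StringData item: 2-byte character count followed by the (unterminated) string."""
    count, = struct.unpack_from("<H", data, pos)
    width = 2 if unicode else 1
    raw = data[pos + 2:pos + 2 + count * width]
    # Non-Unicode strings use the system ANSI code page; Latin-1 is an assumed stand-in here.
    return raw.decode("utf-16-le" if unicode else "latin-1"), pos + 2 + count * width

def lnk_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk, or None if it has none."""
    if len(data) < HEADER_SIZE or data[:20] != struct.pack("<I", HEADER_SIZE) + LINK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)      # LinkFlags sits at offset 20
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:              # skip IDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                        # skip LinkInfo: first DWORD is its total size
        pos += struct.unpack_from("<I", data, pos)[0]
    args = None
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS):
        if flags & flag:                             # StringData items appear in this fixed order
            text, pos = _read_string(data, pos, bool(flags & IS_UNICODE))
            if flag == HAS_ARGUMENTS:
                args = text
    return args

def max_whitespace_run(text):
    """Longest run of whitespace (space, tab, CR, LF, VT, FF) anywhere in the arguments."""
    return max((len(m) for m in re.findall(r"[ \t\r\n\x0b\x0c]+", text)), default=0)

def is_suspicious(data, threshold=PADDING_THRESHOLD):
    """True when the shortcut's arguments hide text behind a long whitespace run."""
    args = lnk_arguments(data)
    return args is not None and max_whitespace_run(args) >= threshold

def build_sample_lnk(args):
    """Constructed minimal .lnk: header + Unicode COMMAND_LINE_ARGUMENTS only (no IDList/LinkInfo)."""
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))  # remaining header fields zeroed
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Running `is_suspicious(build_sample_lnk(" " * 300 + "/c echo hidden"))` returns True, while the same call on `"/c echo hello"` returns False.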

Despite initial dismissal by Microsoft as a "low severity" issue not warranting an urgent fix, the company reversed course and implemented a silent mitigation in its November 2025 Patch Tuesday updates. The fix modifies the Windows Properties dialog to display the full command line, eliminating the obfuscation technique. This change followed heightened awareness after Arctic Wolf Labs exposed an active espionage campaign in October 2025 by China-linked group UNC6384 (Mustang Panda), which used the flaw to target European diplomatic entities with spear-phishing emails disguised as NATO or European Commission workshop invitations, ultimately deploying the PlugX remote access trojan.

The vulnerability highlights the enduring appeal of LNK files as an attack vector: their small size often bypasses email filters, while their familiarity to users facilitates social engineering. Microsoft’s patch, though a critical step, does not eliminate the threat entirely, as unpatched systems remain vulnerable and previously compromised machines may still harbor undetected malware. The company maintains that its Defender antivirus and Smart App Control provide adequate protection, emphasizing user caution with unknown file sources. However, the widespread historical exploitation underscores the need for comprehensive updates and vigilant monitoring to defend against this stealthy attack method.

This article was produced with the Neural News AI (V1) version.

Source: https://www.theregister.com/2025/12/04/microsoft_lnk_bug_fix/.