According to MakeUseOf, Windows shortcut files (LNK files) are being actively exploited by state-sponsored hacking groups from Russia, China, Iran, and North Korea through CVE-2025-9491 (tracked earlier by Trend Micro's Zero Day Initiative as ZDI-CAN-25373). The flaw is a user-interface weakness rather than a memory bug: the shortcut Properties dialog shows only the beginning of a shortcut's command line, so an attacker can pad the command-line arguments with whitespace and place the real command beyond what the dialog displays. CIRT.GY reports about 1,000 malicious LNK files crafted to exploit it. The technique has been used since 2017 by multiple advanced persistent threat groups, targeting government entities and diplomats across Eastern Europe and beyond. Microsoft decided the issue “did not meet the bar for servicing” despite active exploitation, so there is no patch and defenders are left relying on detection. Attackers disguise the files with familiar icons and names like “Report.pdf.lnk” and hide the PowerShell command behind the padding so that it does not appear in the file properties.
The hidden power of innocent-looking shortcuts
Here’s the thing about Windows shortcuts: we see those little curved arrows everywhere and think nothing of them. But a shortcut is not the thing it points to. It is a small data file that tells Explorer which program to run, with which arguments, from which working directory, and with which icon. That means it can launch PowerShell, cmd.exe or mshta.exe with a full command line, and it can start a legitimate signed program from a location where that program will load a malicious DLL placed beside it. Explorer also never shows the .lnk extension, even when “hide extensions for known file types” is turned off, which is why a file called Report.pdf.lnk appears simply as Report.pdf. The file properties window only shows up to 255 characters of the target path, but LNK files can hold up to 4,096 characters. That’s a lot of room for hidden mischief.
Think about it: when was the last time you actually checked what a shortcut was really doing? Probably never. Attackers know this and use it to their advantage. They’ll make a shortcut look like a PDF document, but double-clicking it runs PowerShell with arguments that download and install malware, while the Properties dialog shows nothing but the path to powershell.exe followed by blank space. It’s social engineering at its most effective because it plays on our assumptions about what these familiar files should do.
From phishing emails to state-sponsored espionage
This isn’t some theoretical threat – it’s happening right now in sophisticated cyber espionage campaigns. The XDSpy group conducted large-scale phishing attacks against Eastern European governments using these LNK files. Their shortcuts would trigger legitimate Microsoft-signed executables that then sideloaded malicious DLLs, installing payloads that captured screenshots, logged keystrokes, and stole sensitive data.
Then there’s UNC6384 targeting European diplomats with the same technique, delivering the PlugX remote-access trojan. These aren’t amateur hackers – we’re talking about well-funded state actors who’ve been using this method since 2017. The fact that this vulnerability has persisted for years while being exploited by multiple nation-state groups tells you everything about how effective it is.
Why Microsoft won’t fix the problem
So why hasn’t Microsoft patched this? Basically, they’ve decided it’s not worth fixing. Their official stance is that the vulnerability “did not meet the bar for servicing.” That’s corporate speak for “we’re not going to bother.” Instead, they’re relying on Microsoft Defender to detect malicious shortcuts and Smart App Control to block them.
But here’s the problem: that puts all the responsibility on detection being perfect, and antivirus is never 100% effective. Defender and Smart App Control judge a shortcut by signatures, behavior and reputation, and a freshly built LNK that launches a signed, trusted program with padded arguments is exactly the kind of file designed to slip past both. The deeper issue is that shortcuts are part of how Windows works: the format has been able to carry an arbitrary command line for decades, and the dialog that displays it has never shown the whole thing. So far Microsoft has pointed to detection rather than to a change in how that command line is displayed, which amounts to saying “this is just how Windows works, deal with it.”
What you can actually do about it
Since Microsoft won’t save us, we have to save ourselves. First, be suspicious of any LNK files from untrusted sources, especially inside ZIP or other archive attachments or behind email links; there is almost never a legitimate reason for someone to send you a shortcut. Don’t open files you weren’t expecting; that’s Security 101. For organizations, block .lnk attachments (including those inside archives) at the mail gateway, and use AppLocker or Windows Defender Application Control to stop standard users from running powershell.exe, cmd.exe, mshta.exe and the other script hosts these shortcuts rely on, or at least to limit them to signed scripts in approved locations.
Individuals should take an extra step and actually check file properties. Right-click the shortcut, open Properties, and read the Target box: if it names powershell.exe, cmd.exe, mshta.exe or another program rather than the document you expected, or if the visible text ends in a long run of blank space, the real command is sitting past the end of what the box can show. Keep your antivirus updated, but don’t assume it’s foolproof. The reality is that this threat persists because most people don’t question these files. Just being aware of what shortcuts can actually do puts you a step ahead of the attackers.
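As an added example that is not part of the original article or any vendor's tooling, the Python below does the two things the sections above describe: it reads the parts of a shortcut that matter here (the LinkInfo local base path, the arguments and the icon location, following the public MS-SHLLINK layout), and it applies the checks a defender would want, namely whitespace padding in front of the arguments, command text that sits past the 255 characters the Properties dialog shows, and a script host wearing another program's icon. The two shortcuts it analyzes are constructed in memory by the helper build_lnk, not real samples from the campaigns; the viewer path used as the decoy icon and the placeholder PowerShell command are assumptions. To use it on a file, pass the bytes of a real .lnk to parse_lnk.

```python
"""Minimal MS-SHLLINK (.lnk) reader plus checks for the padded-arguments trick.
Added example: the helper names and both sample shortcuts are constructed here."""
import ntpath
import struct

# ShellLinkHeader starts with HeaderSize 0x4C and LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
VISIBLE_CHARS = 255        # what the Properties dialog's Target box shows, per the article
PAD = " \t\r\n\x0b\x0c"    # whitespace used as padding: space, tab, CR, LF, VT, FF
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}

def _string_data(buf, pos, unicode):
    """One StringData item: 2-byte character count, then the characters, no terminator."""
    (n,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if unicode:
        return buf[pos:pos + 2 * n].decode("utf-16-le"), pos + 2 * n
    return buf[pos:pos + n].decode("latin-1"), pos + n

def parse_lnk(buf):
    """Return the fields an analyst cares about: target path, arguments, icon, and so on."""
    if buf[:20] != LNK_MAGIC:
        raise ValueError("not a shell link file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    pos = 76                                   # the fixed header is 76 bytes
    info = {"flags": flags, "local_base_path": ""}
    if flags & HAS_ID_LIST:                    # LinkTargetIDList: 2-byte size, then item IDs
        (size,) = struct.unpack_from("<H", buf, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                  # LinkInfo carries its own total size
        size, _hdr_size, li_flags = struct.unpack_from("<III", buf, pos)
        if li_flags & 0x1:                     # VolumeIDAndLocalBasePath: path offset at +16
            (base_off,) = struct.unpack_from("<I", buf, pos + 16)
            start = pos + base_off
            info["local_base_path"] = buf[start:buf.index(b"\x00", start)].decode("latin-1")
        pos += size
    unicode = bool(flags & IS_UNICODE)
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                     ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                     ("icon_location", HAS_ICON)):
        info[key] = ""
        if flags & bit:                        # StringData items appear in this fixed order
            info[key], pos = _string_data(buf, pos, unicode)
    return info

def hidden_command(info):
    """Command-line text lying past the part of the Target box a user would see."""
    target = info["local_base_path"] or info["relative_path"]
    full = f"{target} {info['arguments']}" if info["arguments"] else target
    return full[VISIBLE_CHARS:].strip(PAD)

def suspicious_reasons(info):
    """Heuristics for the tradecraft described in the article; an empty list means nothing found."""
    reasons, args = [], info["arguments"]
    pad = len(args) - len(args.lstrip(PAD))
    if pad >= 16:
        reasons.append(f"arguments begin with {pad} whitespace characters")
    if any(c in args for c in "\r\n\x0b\x0c"):
        reasons.append("control characters inside the arguments")
    hidden = hidden_command(info)
    if hidden:
        reasons.append(f"command past the visible {VISIBLE_CHARS} chars: {hidden[:40]!r}")
    target = ntpath.basename((info["local_base_path"] or info["relative_path"]).lower())
    icon = ntpath.basename(info["icon_location"].lower())
    if target in SCRIPT_HOSTS and icon and icon != target:
        reasons.append(f"{target} launched under the icon of {icon}")
    return reasons

def build_lnk(target_path, arguments, icon_location):
    """Construct a small but well-formed .lnk for the demo (constructed test data)."""
    flags = HAS_LINK_INFO | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = LNK_MAGIC + struct.pack("<II", flags, 0x20) + bytes(24)       # attrs, 3 FILETIMEs
    header += struct.pack("<IIIH", 0, 0, 1, 0) + bytes(10)                 # size, icon idx, SW_SHOWNORMAL, hotkey, reserved
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    base = target_path.encode("latin-1") + b"\x00"
    li_size = 0x1C + len(volume_id) + len(base) + 1
    link_info = struct.pack("<IIIIIII", li_size, 0x1C, 0x1, 0x1C,
                            0x1C + len(volume_id), 0, li_size - 1)
    link_info += volume_id + base + b"\x00"                                # empty CommonPathSuffix

    def sd(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + link_info + sd(arguments) + sd(icon_location) + bytes(4)  # TerminalBlock

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed samples. The padded one puts the real arguments after 300 spaces, so the
# Target box shows the path to powershell.exe followed by nothing but blank space.
BENIGN_LNK = build_lnk(PS, r"-NoProfile -File C:\Scripts\nightly.ps1", PS)
PADDED_LNK = build_lnk(PS, " " * 300 + '-NoProfile -WindowStyle Hidden -Command "placeholder"',
                       r"%ProgramFiles%\SomePdfViewer\viewer.exe")        # hypothetical decoy icon

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, suspicious_reasons(parse_lnk(blob)))
```

The parser deliberately skips the LinkTargetIDList and reads only the local base path out of LinkInfo, which is enough to answer "what program does this actually run, and with what"; a full shell-item decoder is not needed for triage. The 255-character cut-off and the 16-character padding threshold are tuning knobs taken from the article's description, not values from the shell link specification.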
