Microsoft quietly shuts down Windows shortcut flaw after years of espionage abuse

Summary

Microsoft has silently mitigated a long‑abused Windows shortcut (.lnk) vulnerability tracked as CVE-2025-9491. Attackers padded the shortcut's command‑line arguments with whitespace or non‑printing characters so that the Target box in the file's Properties dialog showed only the benign‑looking start of the command; the malicious arguments sat beyond what the dialog displayed and still ran when the user opened the shortcut. Trend Micro's research found nearly 1,000 malicious .lnk samples dating back to 2017, with multiple state‑sponsored groups among the users. After initially classing the issue as low severity and declining to service it, Microsoft shipped a mitigation in its November Patch Tuesday release that shows the full command in the Properties dialog, which defeats the concealment trick.

The flaw was used in targeted espionage campaigns, including activity by China‑linked UNC6384 (Mustang Panda), which delivered PlugX via spear‑phishing lures and DLL sideloading through legitimately signed binaries. The mitigation only closes the concealment in the Properties dialog: it does not remove shortcuts already planted or clean up hosts compromised through them, so systems remain at risk until updates are widely applied and past incidents are investigated.
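To make the concealment concrete, the following is an added example (not code from the article, Trend Micro, or Microsoft) that parses the StringData section of a .lnk file per the MS-SHLLINK layout, measures padding in the COMMAND_LINE_ARGUMENTS field, and contrasts what actually executes with what a 260‑character Target box would show. The MAX_PATH display limit, the padding threshold, the whitespace set, and both sample shortcuts are assumptions constructed for this example; the padded sample uses a placeholder, not a real payload.

```python
"""
Parse the StringData section of a Windows Shell Link (.lnk) file and flag the
whitespace / control-character padding trick behind CVE-2025-9491.
Layout follows MS-SHLLINK: fixed 76-byte header, optional LinkTargetIDList and
LinkInfo, then up to five length-prefixed strings (NAME, RELATIVE_PATH,
WORKING_DIR, COMMAND_LINE_ARGUMENTS, ICON_LOCATION).
"""
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk (Data1-3 little-endian)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Tuning assumptions for this example, not values taken from the article:
PADDING_CHARS = " \t\n\v\f\r"   # whitespace used as filler
MIN_PADDING_RUN = 8             # a leading filler run this long is not a normal argument string
DIALOG_LIMIT = 260              # characters the Target box is assumed to show (MAX_PATH)


def parse_string_data(data: bytes) -> dict:
    """Return the StringData fields of a .lnk as a dict keyed by field name."""
    if len(data) < HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    header_size, = struct.unpack_from("<I", data, 0)
    flags, = struct.unpack_from("<I", data, 20)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip IDListSize + IDList
        idlist_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                     # skip the LinkInfoSize-prefixed block
        linkinfo_size, = struct.unpack_from("<I", data, pos)
        pos += linkinfo_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def analyze(data: bytes) -> dict:
    """Parse a .lnk and report whether its arguments carry concealment padding."""
    fields = parse_string_data(data)
    args = fields.get("arguments", "")
    leading = len(args) - len(args.lstrip(PADDING_CHARS))
    controls = sum(1 for c in args
                   if (ord(c) < 0x20 or 0x7F <= ord(c) <= 0x9F) and c not in PADDING_CHARS)
    # What the Properties dialog would show: path, a space, the arguments, cut at DIALOG_LIMIT
    displayed = (fields.get("relative_path", "") + " " + args)[:DIALOG_LIMIT]
    return {
        "arguments": args,
        "leading_padding": leading,
        "control_chars": controls,
        "displayed_target": displayed.rstrip(),
        "suspicious": leading >= MIN_PADDING_RUN or controls > 0,
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal .lnk (header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS) for testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x80,        # FILE_ATTRIBUTE_NORMAL
                         0, 0, 0,     # creation / access / write FILETIMEs
                         0, 0,        # FileSize, IconIndex
                         1,           # ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)  # HotKey, Reserved1-3

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples (not real malware): a plain shortcut and one padded in the CVE-2025-9491 style.
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", "report.txt")
PADDED_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       " " * 300 + '-w hidden -c "<constructed stage-two placeholder>"')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        r = analyze(sample)
        print(f"{label}: suspicious={r['suspicious']} leading_padding={r['leading_padding']} "
              f"displayed={r['displayed_target']!r}")
```

Run over a directory of shortcuts pulled from mailboxes or user profiles, `analyze()` gives a cheap triage signal: a benign shortcut has a short, readable argument string, while the padded one shows 300 characters of filler ahead of the real command and a displayed target that ends at the executable name. The parser deliberately reads the length prefixes rather than searching for strings, so it is not fooled by filler inside the IDList or LinkInfo blocks.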

Key Points

  • CVE-2025-9491 let attackers hide malicious command‑line arguments in .lnk shortcuts behind whitespace or non‑printing padding that pushed them out of the Target field shown in the Properties dialog.
  • Trend Micro identified almost 1,000 malicious .lnk samples from 2017 onwards; multiple state‑sponsored groups exploited the flaw for espionage and data theft.
  • Microsoft initially declined to service the issue, then rolled out a silent mitigation in November 2025 that displays the full command in the Properties dialog.
  • Campaigns such as UNC6384's used spear‑phishing to deliver obfuscated PowerShell and ultimately the PlugX RAT via DLL sideloading through signed binaries.
  • The dialog fix stops the concealment going forward, but defenders must still apply the update, hunt for earlier compromises, and investigate suspicious shortcuts and email lures.

Why should I read this?

Short version: if you run Windows, this affected you and attackers have used it for years. Microsoft has now closed the sneaky trick that hid malicious commands in .lnk files, but that doesn’t mean you’re safe yet — patch, poke around for trouble, and tell your users not to trust odd shortcut files. We’ve saved you the digging.

Context and Relevance

This fix matters because .lnk files are small, trusted‑looking attachments that mail filters often let through and users rarely question. Their long history of abuse shows how a minor UI or parsing quirk becomes a powerful espionage tool once weaponised at scale. The mitigation is a useful defensive step, but organisations should treat this as an incident‑response and patch‑management priority: deploy the update, scan for indicators of compromise (spear‑phishing lures, shortcuts whose arguments begin with long runs of whitespace, signed binaries loading unexpected DLLs, PlugX artefacts) and educate staff about shortcut attachments.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/12/04/microsoft_lnk_bug_fix/