News: 1764860464


Microsoft quietly shuts down Windows shortcut flaw after years of espionage abuse

(2025/12/04)


Microsoft has quietly closed off a critical Windows shortcut file bug long abused by espionage and cybercrime networks.

The flaw, tracked as CVE-2025-9491 (ZDI-CAN-25373 in the Zero Day Initiative's numbering, the identifier used in the quote below), lets a malicious .lnk shortcut hide its real command-line arguments from the Windows Properties dialog: a user who inspects the file sees a harmless target, but opening it runs the hidden command with that user's privileges.

Researchers at [1]Trend Micro said in March that nearly a thousand malicious .lnk samples dating back to 2017 exploited this weakness across a mix of state-sponsored and cybercriminal campaigns worldwide. "Our analysis revealed that 11 state-sponsored groups from North Korea, Iran, Russia, and China have employed ZDI-CAN-25373 in operations primarily motivated by cyber espionage and data theft," it said at the time.


The trick is deceptively simple: the shortcut's command-line arguments are prefixed with a long run of whitespace (spaces, tabs, line feeds, vertical tabs, form feeds or carriage returns, often hundreds or thousands of characters) so that when the shortcut's properties are viewed in Windows, the "Target" field appears harmless, showing only a legitimate launcher such as cmd.exe or powershell.exe followed by blank space. The real command sits past the end of what the dialog displays, yet Windows still passes the whole string to the target when the shortcut is opened.
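As an added example (not code from The Register, Trend Micro, ZDI or Microsoft), here is a small Python parser for the MS-SHLLINK format that pulls the COMMAND_LINE_ARGUMENTS string out of a shortcut and flags the padding trick, which is also the check a defender would run over quarantined attachments. Both shortcut blobs are constructed in memory rather than taken from real samples, and the 64-character run threshold and the rule that any tab, line-feed, VT, FF or CR in a shortcut's arguments is suspicious are assumptions of this example, not anything the vendors published.

```python
"""Minimal MS-SHLLINK (.lnk) parser plus a whitespace-padding check.

Added example, not code from the original article, Trend Micro, ZDI or
Microsoft. The sample shortcuts are constructed in memory; the padding
threshold and character set are this example's own assumptions.
"""
import re
import struct

# Whitespace the Trend Micro write-up reported as padding: space, tab, LF, VT, FF, CR.
PAD_CHARS = " \t\n\x0b\x0c\r"
# Assumption: no legitimate shortcut needs this many consecutive whitespace characters.
PAD_RUN_THRESHOLD = 64
PAD_RUN_RE = re.compile(r"[ \t\n\x0b\x0c\r]{%d,}" % PAD_RUN_THRESHOLD)

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# StringData entries appear in exactly this order, each only if its flag is set.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def _string_data(text):
    """StringData entry: CountCharacters (uint16) + UTF-16LE text, no terminator."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")   # BMP text only


def build_lnk(relative_path, arguments, working_dir="C:\\Windows\\System32"):
    """Build a minimal Unicode shortcut: 76-byte header, a dummy IDList, StringData."""
    flags = HAS_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
              + struct.pack("<I", 0x80)            # FileAttributes: FILE_ATTRIBUTE_NORMAL
              + b"\x00" * 24                       # creation/access/write FILETIMEs
              + struct.pack("<IIIH", 0, 0, 7, 0)   # FileSize, IconIndex, ShowCommand=SW_SHOWMINNOACTIVE, HotKey
              + b"\x00" * 10)                      # Reserved1..3
    item = b"\x1f\x50"                                               # constructed ItemID payload
    id_list = struct.pack("<H", len(item) + 2) + item + b"\x00\x00"  # ItemID (size incl.) + TerminalID
    id_list = struct.pack("<H", len(id_list)) + id_list              # IDListSize prefix
    return (header + id_list + _string_data(relative_path)
            + _string_data(working_dir) + _string_data(arguments))


def parse_lnk(data):
    """Return LinkFlags and the StringData fields (None when a field is absent)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            fields[name] = None
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        size = count * 2 if unicode else count
        raw = data[pos:pos + size]
        if len(raw) != size:
            raise ValueError("truncated %s string" % name)
        pos += size
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def analyze_arguments(arguments):
    """Flag padding in COMMAND_LINE_ARGUMENTS and recover the command it hides."""
    if not arguments:
        return {"padded": False, "pad_run": 0, "control_ws": set(), "revealed": ""}
    longest = run = 0
    for ch in arguments:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    # Tabs, line feeds, VT, FF or CR have no business in a shortcut's arguments.
    control_ws = {ch for ch in arguments if ch in PAD_CHARS and ch != " "}
    # Collapse every padding run to one space so the hidden command reads normally.
    revealed = PAD_RUN_RE.sub(" ", arguments).strip()
    return {"padded": longest >= PAD_RUN_THRESHOLD or bool(control_ws),
            "pad_run": longest, "control_ws": control_ws, "revealed": revealed}


def scan_lnk(data):
    """Parse a shortcut and return the padding verdict plus its declared target."""
    fields = parse_lnk(data)
    verdict = analyze_arguments(fields["arguments"])
    verdict["target"] = fields["relative_path"]
    return verdict


# Constructed samples (not real malware): one ordinary shortcut, one using the
# ZDI-CAN-25373 trick with 900 whitespace characters in front of the real command.
LAUNCHER = "..\\..\\Windows\\System32\\cmd.exe"
BENIGN_LNK = build_lnk(LAUNCHER, "/c echo hello")
PADDING = " " * 820 + "\t\n\x0b\x0c\r" * 16          # 900 chars of mixed whitespace
PADDED_LNK = build_lnk(LAUNCHER, PADDING + "/c start /min powershell -NoP -W Hidden -File stage.ps1")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        v = scan_lnk(blob)
        print("%s: target=%s padded=%s longest_ws_run=%d control_ws=%s"
              % (label, v["target"], v["padded"], v["pad_run"], sorted(map(repr, v["control_ws"]))))
        print("  revealed arguments: %r" % v["revealed"])
```

Run against real files with `scan_lnk(open(path, "rb").read())`; the parser skips the LinkTargetIDList and LinkInfo blocks by their size prefixes, so shortcuts that carry them (most do) parse the same way as the constructed ones. The `revealed` string is the command that actually runs, since cmd.exe and PowerShell ignore the padding.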


Initial [5]attempts by Trend Micro's Zero Day Initiative (ZDI) to get the flaw patched were rebuffed by Microsoft, which argued that the flaw was "low severity" and did not meet the bar for servicing.

But the window of complacency has now closed. [6]According to patch-watcher 0patch, Microsoft rolled out a "silent mitigation" in its November 2025 Patch Tuesday fix bundle. Post-update, Windows' "Properties" dialog reveals the full command line, shutting down the obfuscation trick that attackers relied upon. Note what the change is: it alters what the dialog shows, not what a shortcut does when double-clicked, so it only helps a user who actually inspects the file before opening it.


The timing of the fix is hardly incidental. In October, researchers at Arctic Wolf Labs [11]disclosed that a China-linked espionage group, known as UNC6384 or "Mustang Panda," had leveraged CVE-2025-9491 in a targeted campaign against European diplomatic entities in Hungary, Belgium, Italy, Serbia, and the Netherlands.

The attack chain started with spear-phishing emails posing as invitations to NATO or European Commission workshops. When a recipient opened what appeared to be a harmless shortcut, the hidden command launched obfuscated PowerShell that dropped a multi-stage payload, culminating in the installation of the PlugX remote access trojan via DLL sideloading: a legitimate, signed executable is dropped alongside a malicious DLL bearing the name of a library it expects to load, so the trojan runs inside a process that looks trustworthy. This gave the attackers persistent, stealthy access to the compromised systems.


The campaign underscores just how valuable the LNK format has become for attackers: small, seemingly innocuous files that slip past many email attachment filters, yet, once a user double-clicks them, run whatever command line they carry with that user's privileges. No memory-corruption exploit is needed; the social engineering does the work.

For defenders, Microsoft's mitigation doesn't mean the risk has vanished. The update changes only what the Properties dialog displays; a padded shortcut still executes exactly as before, and the years-long history of exploitation suggests many systems may already be compromised. Until all affected Windows machines receive the update, the tactic remains dangerous in the wild, and blocking .lnk attachments at the mail gateway and hunting for shortcuts whose arguments contain long runs of whitespace remain worthwhile regardless. ®




[1] https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html


[5] https://www.zerodayinitiative.com/advisories/ZDI-25-148/

[6] https://blog.0patch.com/2025/12/microsoft-silently-patched-cve-2025.html


[11] https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/





I call bullshit

VoiceOfTruth

>> Our analysis revealed that 11 state-sponsored groups from North Korea, Iran, Russia, and China

Blah blah blah. And what about the USA doing the same? MS is spyware for the American regime. It even admits as much.

Re: I call bullshit

wolfetone

Yeah but the USA don't need to get the backdoors. Micro$oft just gives them the key and they let themselves in.

WT...

The Mole

Why would an email filter let a lnk file through at all? I can't see a legitimate use of sending one (either send a url, send the file to be opened or give instructions on how to open the file).

If someone is going to open a lnk file received in an email then I very much doubt that they would go to the effort to view its properties to see what it opens anyway.
