By Carly Page
Publication Date: 2025-12-04 15:01:00
Microsoft has quietly closed off a critical Windows shortcut file bug long abused by espionage and cybercrime networks.
The flaw, tracked as CVE-2025-9491, allows malicious .lnk shortcut files to hide harmful command-line arguments from users, enabling hidden code execution when a victim opens the shortcut.
Researchers at Trend Micro said in March that nearly a thousand malicious .lnk samples dating back to 2017 exploited this weakness across a mix of state-sponsored and cybercriminal campaigns worldwide. “Our analysis revealed that 11 state-sponsored groups from North Korea, Iran, Russia, and China have employed ZDI-CAN-25373 in operations primarily motivated by cyber espionage and data theft,” the company said at the time.
The trick is deceptively simple: malicious commands are padded with whitespace (or other non-printing characters) so that when the shortcut’s properties are viewed in Windows, the “Target” field…
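One way a defender could check shortcut files for the padding described above, as an added example that is not from the article, Microsoft or Trend Micro. It reads the arguments string using the published Shell Link (.lnk) binary layout; the threshold of 16, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

# LinkFlags bits from the Shell Link header; string bits are in on-disk order.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                ("arguments", 0x20), ("icon_location", 0x40)]
PAD_THRESHOLD = 16  # assumed tuning value: flag runs of this many padding chars


def lnk_arguments(data: bytes) -> str:
    """Return the command-line arguments stored in a .lnk file ('' if absent)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:      # skip LinkTargetIDList (2-byte size + body)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # skip LinkInfo (4-byte size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_FLAGS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # length in characters
        raw = data[pos + 2: pos + 2 + count * width]
        if name == "arguments":  # cp1252 is an assumed ANSI code page
            return raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
        pos += 2 + count * width
    return ""


def longest_padding_run(args: str) -> int:
    """Length of the longest run of whitespace or non-printable characters."""
    best = run = 0
    for ch in args:
        run = run + 1 if (ch.isspace() or not ch.isprintable()) else 0
        best = max(best, run)
    return best


def is_suspicious(data: bytes) -> bool:
    return longest_padding_run(lnk_arguments(data)) >= PAD_THRESHOLD


def constructed_sample(args: str) -> bytes:
    """Constructed test input: bare header plus an arguments string only."""
    header = struct.pack("<I16sI", 0x4C, bytes(16), 0x20 | IS_UNICODE)
    return header.ljust(76, b"\0") + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

A hit is a triage signal rather than a verdict, so review the full extracted arguments string before acting on it.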