Microsoft fixes Windows shortcut flaw exploited for years

"Researchers at Trend Micro said in March that nearly a thousand malicious .lnk samples dating back to 2017 exploited this weakness across a mix of state-sponsored and cybercriminal campaigns worldwide. "Our analysis revealed that 11 state-sponsored groups from North Korea, Iran, Russia, and China have employed ZDI-CAN-25373 in operations primarily motivated by cyber espionage and data theft," it said at the time."
"Initial attempts by Trend Micro's Zero Day Initiative (ZDI) to get the flaw patched were rebuffed by Microsoft, which argued that the flaw was "low severity" and did not meet the bar for servicing. But the window of complacency has now closed. According to patch-watcher 0patch, Microsoft rolled out a "silent mitigation" in its November 2025 Patch Tuesday fix bundle. Post-update, Windows' "Properties" dialog now reveals the full command, shutting down the obfuscation trick that attackers relied upon."
An input-parsing flaw in Windows .lnk shortcut handling (CVE-2025-9491) allowed malicious .lnk files to hide harmful command-line arguments and execute concealed code when opened. Nearly a thousand malicious .lnk samples dating back to 2017 exploited the weakness across state-sponsored and cybercriminal campaigns, including 11 nation-linked groups. Attackers padded command strings with whitespace or non-printing characters so the Properties Target field appeared harmless. Initial patch requests were rejected as low severity, but Microsoft deployed a silent mitigation in the November 2025 Patch Tuesday that reveals the full command in the Properties dialog. A China-linked group (UNC6384/Mustang Panda) used the flaw in spear-phishing attacks targeting European diplomatic entities.
Read at Theregister