Microsoft has silently "mitigated" a high-severity Windows LNK vulnerability exploited by multiple state-backed and cybercrime hacking groups in zero-day attacks.
Tracked as CVE-2025-9491, this security flaw allows attackers to hide malicious commands within Windows LNK files, which can be used to deploy malware and gain persistence on compromised devices. However, the attacks require user interaction to succeed, as they involve tricking potential victims into opening malicious Windows Shell Link (.lnk) files.
Threat actors distribute these files in ZIP or other archives because email platforms commonly block .lnk attachments due to their risky nature.
The vulnerability lies in how Windows handles .LNK files, allowing threat actors to exploit the way the operating system displays them to evade detection and execute code on vulnerable devices without the user's knowledge by padding the Target field in Windows .LNK files with whitespaces to hide malicious command-line arguments.
This ensures that the file's Target field properties display only the first 260 characters due to the added whitespaces, so users can't see the actual command executed when the LNK file is double-clicked.
As Trend Micro threat analysts discovered in March 2025, the CVE-2025-9491 was already being widely exploited by 11 state-sponsored groups and cybercrime gangs, including Evil Corp, Bitter, APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, Konni, and others.
"Diverse malware payloads and loaders like Ursnif, Gh0st RAT, and Trickbot have been tracked in these campaigns, with malware-as-a-service (MaaS) platforms complicating the threat landscape," Trend Micro said.
Arctic Wolf Labs also reported in October that the Chinese state-backed Mustang Panda hacking group was exploiting this Windows vulnerability in zero-day attacks targeting European diplomats in Hungary, Belgium, and other European nations to deploy the PlugX remote access trojan (RAT) malware.
Malicious arguments not showing in the Target field (Trend Micro)
Microsoft pushes silent "patch"
... continue reading