This tiny Windows shortcut file is a bigger security threat than you think

Shortcuts (LNK files) in Windows are indicated by curved arrows. We often treat them as background noise and don’t consider what they actually do beyond opening apps. In fact, there is a huge gap between what you think shortcuts do and what they’re capable of under the hood.

They can be very powerful. Shortcuts can execute commands, load external DLLs, and run hidden scripts—all without the user realizing. This versatility is what makes them a handy yet dangerous tool for some of the most persistent and easy attacks on Windows.

What makes LNK files more than just shortcuts

How a “shortcut” can trigger hidden commands

Shortcut created for a text file

Although an LNK file typically contains the path to a program, it can also embed command-line arguments, specify programs to run, and call system tools like PowerShell or cmd.exe.

Attackers can choose familiar icons, give them names like “Report.pdf.lnk,” and, in some cases, prevent harmful parts from appearing in the file’s properties by padding their command strings with whitespace. This means that even when you’re facing a stealthy attack, you may assume you’re only opening a harmless document.

The file properties window doesn’t always display full commands. It only displays part of the target path—usually up to 255 characters—even though an LNK file can hold far more (up to 4,096 characters). This makes it harder for the average person to spot malicious arguments. This ability to conceal execution is what makes LNK files a surprisingly potent vector for attackers.

Why this vulnerability has drawn serious attention

The real-world scale and scope

Microsoft Defender vulnerability summary

CVE-2025-9491 is a vulnerability found in LNK files that allows attackers to hide commands in the shortcut file. This technique has been exploited since 2017 by multiple advanced persistent threat (APT) groups. CIRT.GY reports about 1,000 malicious LNK files crafted to exploit this very vulnerability.

This is more than a niche hack or theoretical problem. As Cyber Insider reports, it’s become a real-world, state-sponsored tool with groups from Iran, Russia, North Korea, and China taking advantage of it for data theft and espionage. Even though it’s been an active vulnerability for years, Microsoft has still not fixed it.

How attackers use LNK exploits in modern cyber espionage

From spear-phishing to zero-click execution

Several app-related DLLs on Windows

One notable LNK exploit reported by Cyber Press was carried out by the XDSpy group. They conducted large-scale phishing attacks with LNK files against government entities in Eastern Europe. They embedded PowerShell commands padded with whitespace; these commands ran as soon as the shortcut was triggered.

These exploits were severe because the LNK file wasn’t merely launching a file, but triggering a legitimate Microsoft-signed executable. In turn, the legitimate executable sideloaded a malicious DLL that installed the XDigo payload, which took screenshots, captured keystrokes, and stole data.

There’s also the UNC6384 threat actor, which Cybersecurity News reports is targeting European diplomats. That attack also pads PowerShell commands with whitespace to obscure them from detection, and it delivers the PlugX remote-access trojan.

All these attacks show that LNK exploitation is a mature and widely abused method for delivering stealthy malware with persistent access.

Why Microsoft hasn’t fully fixed the problem

Patches address symptoms, but the design remains risky

Using Smart App Control as a check for malware

While this LNK vulnerability seems to be a serious threat, it has not been fully fixed by Microsoft. In fact, according to Help Net Security, Microsoft has decided that this vulnerability “did not meet the bar for servicing.”

However, it’s important to note that shortcuts are integral to the OS and deeply embedded in Windows. The way they launch programs with arguments is a normal part of the operating system’s behavior, and patching out this process without breaking functionality would be very difficult.

Microsoft is relying on threat detection rather than a full code change. According to Forbes, Microsoft’s stance is that Microsoft Defender can flag these malicious shortcuts, and Smart App Control can block them. However, that puts the whole burden on detection being fully reliable, and it also leans heavily on user behavior.

What remains constant is that this vulnerability isn’t a simple bug that can just be patched, but a risk that’s part of the operating system’s design, and it won’t go away as long as LNK files can carry hidden commands.

What you can do now to protect yourself

Practical steps for users and organizations

If Microsoft does not fully address this flaw, you should, as far as possible, take protective steps yourself. A combination of vigilance and configuration remains your best shot. You should be wary of LNK files, especially when the source is untrusted or when they arrive as ZIP attachments or via email links/attachments. Don’t open links or files if you weren’t expecting them—that’s email security 101.

A second measure is restricting when LNK files can run on your device. In enterprise environments, security teams may configure AppLocker, Group Policy, or advanced endpoint tools to restrict shortcuts from launching PowerShell or similar programs. However, individuals have to rely on an up-to-date antivirus. Windows Security is aware of this threat and should suffice.

But you should take an extra step and check file properties more carefully. Examine the target field beyond its visible portion (look for trailing spaces or extra arguments). Update your OS, but don’t assume an update automatically fixes this threat.


A threat that’s easier to outsmart than it looks

This isn’t meant to instill fear. The takeaway is clarity. Attackers rely on LNK files to good effect only because most people never think to question these files. Simply understanding what a shortcut can carry prompts you to treat it differently and puts you a step ahead.

Even though Microsoft is not entirely eliminating this risk, you only need to be more curious and less trusting of strange files to stay safe.
