Microsoft fixes Windows shortcut flaw exploited for years • The Register

12/04/2025


Microsoft has quietly closed off a critical Windows shortcut file bug long abused by espionage and cybercrime networks.

The flaw, tracked as CVE-2025-9491, allows malicious .lnk shortcut files to hide harmful command-line arguments from users, enabling hidden code execution when a victim opens the shortcut.

Researchers at Trend Micro said in March that nearly a thousand malicious .lnk samples dating back to 2017 exploited this weakness across a mix of state-sponsored and cybercriminal campaigns worldwide. “Our analysis revealed that 11 state-sponsored groups from North Korea, Iran, Russia, and China have employed ZDI-CAN-25373 in operations primarily motivated by cyber espionage and data theft,” it said at the time.

The trick is deceptively simple: malicious commands are padded with whitespace (or other non-printing characters) so that when the shortcut’s properties are viewed in Windows, the “Target” field appears harmless – blank or ending in innocuous binaries – effectively concealing nefarious payloads.
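A defender does not have to trust the Properties dialog to spot this padding: the shortcut can be parsed directly. The following is an added example, not code from the article, Trend Micro or Microsoft; it walks the MS-SHLLINK structure to the COMMAND_LINE_ARGUMENTS string and flags long whitespace runs or line-break characters. `build_lnk`, the 16-character run threshold and the sample command are constructed assumptions for testing.

```python
import re
import struct
# MS-SHLLINK 2.1: header size, CLSID_ShellLink, and the LinkFlags bits that say which sections follow
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)

def _read_string(data, off, unicode):
    # One StringData item: 2-byte CountCharacters, then that many chars, no terminator
    count = struct.unpack_from("<H", data, off)[0]
    width = 2 if unicode else 1
    raw = data[off + 2:off + 2 + count * width]
    return raw.decode("utf-16-le" if unicode else "latin-1"), off + 2 + count * width

def lnk_arguments(data):
    """Walk a .lnk to its COMMAND_LINE_ARGUMENTS string; None if HasArguments is unset."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize counts the whole LinkInfo block
        off += struct.unpack_from("<I", data, off)[0]
    args = None
    for bit in STRING_ORDER:             # StringData items always appear in this order
        if flags & bit:
            text, off = _read_string(data, off, bool(flags & IS_UNICODE))
            if bit == HAS_ARGUMENTS:
                args = text
    return args

def padding_finding(args, max_run=16):
    """Reason string if the arguments look padded to push the real command out of view, else None."""
    if not args:
        return None
    ctrl = set(args) & {"\r", "\n", "\x0b", "\x0c"}
    if ctrl:
        return "line-break/control characters in arguments: %r" % sorted(ctrl)
    longest = max((len(m) for m in re.findall(r"[ \t]+", args)), default=0)
    if longest >= max_run:
        return "whitespace run of %d chars, hidden tail starts %r" % (longest, args.strip()[:40])
    return None

def build_lnk(args):
    """Constructed minimal .lnk for testing: header plus a single Unicode COMMAND_LINE_ARGUMENTS item."""
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, HAS_ARGUMENTS | IS_UNICODE).ljust(0x4C, b"\0")
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Running `padding_finding(lnk_arguments(open(path, "rb").read()))` over an attachment quarantine gives a reason string for padded shortcuts and `None` for ordinary ones; the threshold is a tuning knob, not a specification value.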

Initial attempts by Trend Micro’s Zero Day Initiative (ZDI) to get the flaw patched were rebuffed by Microsoft, which argued that the flaw was “low severity” and did not meet the bar for servicing.

But the window of complacency has now closed. According to patch-watcher 0patch, Microsoft rolled out a “silent mitigation” in its November 2025 Patch Tuesday fix bundle. Post-update, Windows’ “Properties” dialog now reveals the full command, shutting down the obfuscation trick that attackers relied upon.

The timing of the fix is hardly incidental. In October, researchers at Arctic Wolf Labs disclosed that a China-linked espionage group, known as UNC6384 or “Mustang Panda,” had leveraged CVE-2025-9491 in a targeted campaign against European diplomatic entities in Hungary, Belgium, Italy, Serbia, and the Netherlands.

The attack chain started with spear-phishing emails posing as invitations to NATO or European Commission workshops. When a recipient opened what appeared to be a harmless shortcut, the hidden commands triggered obfuscated PowerShell scripts that dropped a multi-stage payload, culminating in the installation of the PlugX remote access trojan via DLL sideloading of legitimate, signed binaries. This gave the attackers persistent, stealthy access to the compromised systems.

The campaign underscores just how valuable the LNK format has become for attackers: short, seemingly innocuous files that bypass many email attachment filters, yet remain capable of full remote code execution through social engineering.

For defenders, Microsoft’s mitigation doesn’t mean the risk has vanished. The extensive history of exploitation dating back years suggests many systems may remain compromised – and until all affected Windows machines receive the update, the tactic remains dangerous in the wild. ®
