Attackers have abused CVE-2025-9491, a flaw in how Windows displays shortcut file properties, since 2017 to hide malicious commands in .LNK files in real-world campaigns.
This issue, tracked as ZDI-25-148 or ZDI-CAN-25373, allows threat actors to craft shortcuts that appear benign when users check their properties, leading to code execution when they are opened.
Threat groups like UNC6384 targeted European diplomats in late 2025 using this technique to deploy PlugX malware.
Discovery and Exploitation Timeline
Trend Micro researchers Peter Girnus and Aliakbar Zahravi disclosed the problem in March 2025 after spotting nearly 1,000 malicious .LNK files in APT and cybercrime operations.
The core trick involves padding the Target field with whitespace, such as spaces, to push harmful commands, like “calc.exe”, beyond the visible area in the Properties dialog.
Windows Explorer’s dialog focuses on the command’s end, showing only spaces if the command is sufficiently padded.
Scrolling fails to reveal the whole string because the dialog truncates it at 260 characters (the MAX_PATH limit), even though the .LNK specification allows up to 32 KB.
Microsoft received notification but deemed it unworthy of a security patch, citing user warnings such as the Mark of the Web.
Interest reignited in October 2025 when Arctic Wolf detailed UNC6384’s spear-phishing against Hungarian and Belgian entities, using obfuscated PowerShell in .LNK files to side-load PlugX via legitimate binaries.
The CVE assignment followed, with a CVSS score of 7.8, reflecting a local attack that requires user interaction.
Microsoft reiterated it was not a vulnerability, emphasizing existing protections.
Microsoft Fix vs. 0-Patch Defense
Microsoft quietly addressed the UI misrepresentation around June 2025, in a gradual rollout, by expanding the Target field to display the whole string, restoring trust in the UI without acknowledging it as a security update.
Legitimate shortcuts created via Explorer remain under 260 characters. However, programmatic ones can exceed this, potentially complicating verification in a cramped field.
0-Patch took a proactive stance, releasing micropatches that block execution if Explorer opens a .LNK file with a Target path over 260 characters: the micropatch truncates the command and shows a warning.
This disrupts observed attacks without breaking valid programmatic shortcuts.
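The padding trick described above (whitespace pushed into the Target field) and the 0-Patch condition (a Target over 260 characters) both come down to inspecting the COMMAND_LINE_ARGUMENTS string inside the Shell Link file. The following added example, which is not code from the article, from Trend Micro or from 0-Patch, parses the MS-SHLLINK header and StringData section and reports whether the arguments exceed MAX_PATH or begin with a long run of whitespace. The field layout follows the public MS-SHLLINK specification; the `build_lnk` helper only produces a minimal constructed fixture (header plus StringData, no IDList or LinkInfo) so the detector can be exercised offline, and the 32-character whitespace threshold is an assumed heuristic, not a value from the article.

```python
"""Flag .LNK files whose COMMAND_LINE_ARGUMENTS are padded with whitespace.

Added defensive example: parses the Shell Link header and StringData per the
MS-SHLLINK specification and reports padding that would push the real command
out of the Properties dialog's truncated Target field.
"""
import struct
import sys

# LinkFlags bits (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
MAX_PATH = 260          # truncation limit of the Target field, as described in the article
PADDING_THRESHOLD = 32  # assumed heuristic: leading whitespace run that is never legitimate

# StringData entries appear in this fixed order when their flag bit is set.
STRING_DATA_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags and the decoded StringData strings of a .LNK blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    if data[4:20] != LINK_CLSID:
        raise ValueError("unexpected LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    codec = "utf-16-le" if width == 2 else "cp1252"
    strings = {}
    for name, bit in STRING_DATA_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated StringData field {name}")
        pos += count * width
        strings[name] = raw.decode(codec)
    return {"flags": flags, "strings": strings}


def assess_lnk(data: bytes, limit: int = MAX_PATH) -> dict:
    """Report padding indicators on the COMMAND_LINE_ARGUMENTS string."""
    args = parse_lnk(data)["strings"].get("arguments", "")
    leading_ws = len(args) - len(args.lstrip())      # str.lstrip covers spaces, tabs, newlines
    return {
        "arguments_length": len(args),
        "leading_whitespace": leading_ws,
        "command_after_padding": args.strip(),
        "exceeds_max_path": len(args) > limit,
        # Either condition hides the real command from the Properties dialog.
        "suspicious": len(args) > limit or leading_ws >= PADDING_THRESHOLD,
    }


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal fixture: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # 76-byte ShellLinkHeader

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    for path in sys.argv[1:]:               # scan real shortcut files given on the command line
        with open(path, "rb") as fh:
            print(path, assess_lnk(fh.read()))
```

Run it against a directory of quarantined shortcuts; the `suspicious` flag mirrors the 0-Patch condition (Target over 260 characters) and additionally catches shorter whitespace runs that the Explorer dialog would still render as blank space.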
Coverage spans Windows 10 and 11 (22H2 back to 1803), Windows 7, and Windows Server 2008 R2 through 2022, including end-of-support systems via ESU.
While Microsoft’s change aids inspection, 0-Patch prevents execution, offering stronger protection against in-the-wild samples.
Users should update Windows and consider third-party defenses for legacy systems.