Microsoft: New Windows LNK spoofing issues aren’t vulnerabilities

At the Wild West Hackin’ Fest, security researcher Wietze Beukema unveiled a series of vulnerabilities tied to Windows LNK shortcut files, which could potentially allow attackers to deploy harmful payloads. Beukema’s findings include four previously undocumented techniques that manipulate these shortcut files, effectively obscuring malicious targets from users who might inspect file properties.

Since their introduction with Windows 95, LNK shortcuts have utilized a complex binary format, enabling the creation of deceptive files that appear legitimate within Windows Explorer’s properties dialog. However, when executed, these files can run entirely different programs.

The vulnerabilities discovered hinge on inconsistencies in how Windows Explorer prioritizes conflicting target paths specified across various optional data structures within shortcut files. The most effective methods exploit forbidden Windows path characters, such as double quotes, to create seemingly valid yet technically invalid paths. This manipulation leads Explorer to display one target while executing another. Another technique involves using non-conforming LinkTargetIDList values to execute a path that differs from what is shown in the LinkInfo field.

As Beukema explained, “This results in the strange situation where the user sees one path in the Target field, but upon execution, a completely different path is executed. Due to the field being disabled, it is also possible to ‘hide’ any command-line arguments that are provided.”

The most sophisticated technique identified by Beukema involves altering the EnvironmentVariableDataBlock structure within LNK files. By populating only the ANSI target field and leaving the Unicode field empty, attackers can present a misleading target, such as “invoice.pdf,” in the properties window while executing malicious commands like PowerShell in the background.

Beukema elaborated, “Opening the LNK executes the ‘actual’ target immediately, without needing to open it twice. Additionally, because in this case the spoofed target is in TargetIdList and the actual target in EnvironmentVariableDataBlock, the actual target may utilize environment variables.” He further noted that “the target program/file/directory is completely spoofed,” making detection exceedingly challenging for users.

This situation arises because Windows Explorer tends to treat malformed LNK shortcuts leniently, displaying spoofed information instead of rejecting invalid files outright. To assist in addressing these vulnerabilities, Beukema has released “lnk-it-up,” an open-source tool suite designed to generate Windows LNK shortcuts using these techniques for testing purposes, as well as to identify potentially malicious LNK files by predicting what Explorer displays versus what actually executes.
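The EnvironmentVariableDataBlock check described above, as an added defender-side example that is not code from lnk-it-up or from Beukema: it builds a constructed sample LNK (ShellLinkHeader, optional LinkTargetIDList, one EnvironmentVariableDataBlock, laid out per the documented MS-SHLLINK structure) and then parses it, reporting both targets and flagging the ANSI-populated, Unicode-empty pattern. The sample paths and ItemID bytes are constructed; LinkInfo and StringData are skipped, so the other spoofing techniques on this page are not covered.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")      # ShellLink CLSID
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE, HAS_EXPSTRING = 0x1, 0x2, 0x80, 0x200
STRING_FLAGS = (0x4, 0x8, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
ENV_BLOCK_SIG, ENV_BLOCK_SIZE = 0xA0000001, 0x314

def build_lnk(env_ansi, env_unicode, item_ids=b""):
    """Constructed sample builder: header, optional IDList, one EnvironmentVariableDataBlock."""
    flags = HAS_EXPSTRING | IS_UNICODE | (HAS_IDLIST if item_ids else 0)
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                      0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    idlist = struct.pack("<H", len(item_ids) + 2) + item_ids + b"\x00\x00" if item_ids else b""
    env = struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIG)
    env += env_ansi.encode("ascii").ljust(260, b"\x00")        # TargetAnsi, 260 bytes
    env += env_unicode.encode("utf-16-le").ljust(520, b"\x00")  # TargetUnicode, 260 chars
    return hdr + idlist + env + b"\x00\x00\x00\x00"             # TerminalBlock ends ExtraData

def analyze_lnk(data):
    """Walk the LNK and report EnvironmentVariableDataBlock targets plus spoofing indicators."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    pos, info = 0x4C, {"has_idlist": bool(flags & HAS_IDLIST), "indicators": []}
    if flags & HAS_IDLIST:                        # LinkTargetIDList: 2-byte size + ItemIDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                      # LinkInfo: self-sized structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for f in STRING_FLAGS:                        # StringData: CountCharacters + chars
        if flags & f:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * width
    while pos + 4 <= len(data):                   # ExtraData: BlockSize, BlockSignature, body
        bsize = struct.unpack_from("<I", data, pos)[0]
        if bsize < 4:
            break                                 # TerminalBlock
        sig = struct.unpack_from("<I", data, pos + 4)[0]
        if sig == ENV_BLOCK_SIG and bsize == ENV_BLOCK_SIZE:
            ansi = data[pos + 8:pos + 268].split(b"\x00", 1)[0].decode("latin-1")
            uni = data[pos + 268:pos + 788].decode("utf-16-le").split("\x00", 1)[0]
            info["env_ansi"], info["env_unicode"] = ansi, uni
            if ansi and not uni:                  # the ANSI-only pattern described above
                info["indicators"].append("env_ansi_only")
            elif ansi and uni and ansi.lower() != uni.lower():
                info["indicators"].append("env_ansi_unicode_mismatch")
        pos += bsize
    return info
```

Run `analyze_lnk(open(path, "rb").read())` on a real shortcut to see which targets the block carries; a populated ANSI field beside an empty Unicode field, especially alongside a LinkTargetIDList, is the combination worth a closer look.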

lnk-it-up generating and testing a LNK file (W.J.B. Beukema)

MSRC: Not a vulnerability

Upon submitting the EnvironmentVariableDataBlock issue to the Microsoft Security Response Center in September (VULN-162145), Microsoft declined to classify it as a security vulnerability. The company argued that exploitation necessitates user interaction and does not breach security boundaries.

“These techniques do not meet the bar for immediate servicing under our severity classification guidelines as they require an attacker to trick a user into running a malicious file,” a Microsoft spokesperson stated to BleepingComputer when questioned about potential remedies for the flaws. “Microsoft Defender has detections in place to identify and block this threat activity, and Smart App Control provides an additional layer of protection by blocking malicious files from the Internet. As a security best practice, we strongly encourage customers to heed security warnings and avoid opening files from unknown sources.”

Microsoft also emphasized that Windows recognizes shortcut files (.lnk) as potentially dangerous. When attempting to open a .lnk file downloaded from the Internet, a security warning is automatically triggered, advising users against opening files from unknown sources. The company strongly recommends adhering to this warning.

However, Beukema pointed out that “there is a reason attackers still like LNK files – users quickly click through these sorts of warnings. Otherwise, CVE-2025-9491 wouldn’t have been as ‘successful’ as it was either.”

CVE-2025-9491, the security vulnerability referenced by the researcher, shares similarities with the issues Beukema uncovered and can be exploited to conceal command-line arguments through excessive whitespace padding. Cybercrime groups and state-sponsored hacking entities from North Korea, Iran, Russia, and China have been leveraging this security flaw for years in zero-day attacks.

Initially, Microsoft stated that CVE-2025-9491 did not breach security boundaries and opted not to address the issue. However, in June 2025, the company silently modified LNK files in what appeared to be an effort to mitigate this actively exploited vulnerability.

Trend Micro threat analysts revealed in March 2025 that CVE-2025-9491 was already being widely exploited by at least 11 state-sponsored groups and cybercrime organizations, including Evil Corp, Bitter, APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, Konni, among others.

Furthermore, cybersecurity firm Arctic Wolf reported in October that the Mustang Panda Chinese state-backed hacking group was exploiting this Windows vulnerability in zero-day attacks targeting European diplomats in Hungary, Belgium, and other nations to deploy the PlugX remote access trojan (RAT) malware.