Microsoft Silently Fixes 8-Year Windows Security Flaw

Microsoft has recently addressed a critical vulnerability in Windows that had been lurking in the shadows for nearly eight years. This flaw, identified as CVE-2025-9491, allowed cybercriminals to conceal malicious commands from users examining files through the standard Windows interface. Surprisingly, the tech giant opted not to announce the fix publicly.

For almost a decade, Windows users were unknowingly exposed to a security risk that was actively exploited by state-sponsored hacking groups from countries such as China, Iran, North Korea, and Russia. The vulnerability, which affected the way Windows displayed .LNK (shortcut) files, enabled attackers to create seemingly harmless shortcuts that masked dangerous commands. Research from Trend Micro’s Zero Day Initiative revealed that 11 different government-backed teams had been leveraging this security hole since 2017, transforming what should have been innocuous shortcut files into potent attack vectors.

Security researchers identified nearly 1,000 malicious shortcut files that exploited this flaw across various offensive campaigns over the years.

Microsoft’s dismissal of active threats

The manner in which Microsoft responded to this vulnerability raises questions about the company’s security priorities. Initially, when researchers reported the flaw, Microsoft stated it “does not meet the bar for immediate servicing,” indicating that it would be addressed in a future release rather than through urgent updates. The flaw itself was deceptively simple; Windows displayed only the first part of malicious commands, obscuring the more dangerous elements that followed. Security firm 0patch explained that while .LNK files can contain lengthy Target arguments, the Properties dialog only reveals the first 260 characters, allowing attackers to hide harmful PowerShell commands beyond that limit.
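To make the 260-character gap concrete from a defender's side, the following is an added example (not code from the article, 0patch or Microsoft): a minimal reader for the Shell Link (.LNK) binary format that recovers the Target arguments and reports the portion the pre-fix Properties dialog would never have shown. The parser only handles the header, the optional ID list and LinkInfo blocks, and the StringData section; the two sample files are constructed in code and the hidden tail is a labelled placeholder, not a real payload.

```python
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-...-46
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData entries appear in this fixed order, each present only if its flag bit is set.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
VISIBLE_LIMIT = 260  # characters of the Target field the old Properties dialog displayed

def parse_lnk(data: bytes) -> dict:
    """Minimal MS-SHLLINK reader: returns the StringData fields of a .LNK file."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                     # LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                   # LinkInfo: first dword is its total size
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields

def hidden_arguments(data: bytes) -> str:
    """Part of the Target arguments beyond the 260-character window; whitespace-only padding is ignored."""
    args = parse_lnk(data).get("arguments", "")
    return args[VISIBLE_LIMIT:].strip()

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed fixture: a minimal Unicode .LNK carrying only a path and arguments."""
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack("<I", 0x08 | 0x20 | IS_UNICODE)
    header += b"\x00" * (76 - len(header))    # remaining header fields zeroed
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body

# Constructed samples: a plain shortcut, and one padded so its tail sits past the visible window.
BENIGN = build_lnk(".\\agenda.pdf", "/open agenda.pdf")
PADDED = build_lnk(".\\agenda.pdf", "/c start agenda.pdf" + " " * 300 + "PLACEHOLDER_HIDDEN_COMMAND")
```

A non-empty result from `hidden_arguments` is the triage signal: a shortcut whose arguments only matter past character 260 is what the old dialog could not surface.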

As evidence of widespread exploitation mounted, Microsoft was compelled to act. The XDSpy cyber espionage group utilized the vulnerability to distribute malware targeting Eastern European government entities, while Chinese-affiliated threat actors recently weaponized it to attack European diplomatic offices with PlugX malware.

Diplomatic secrets stolen

Recent attacks have showcased the vulnerability’s alarming potential for espionage. The Chinese threat group UNC6384 executed a sophisticated campaign against European diplomatic entities during September and October, exploiting CVE-2025-9491 to deliver the notorious PlugX remote access trojan. Diplomats, believing they were opening meeting agendas, inadvertently exposed state secrets. Spearphishing emails, crafted around legitimate diplomatic events such as European Commission meetings or NATO summits, contained malicious .LNK files that appeared entirely benign when inspected through Windows’ interface. Behind the scenes, obfuscated PowerShell commands executed automatically, extracting three crucial components: a legitimate Canon printer utility, a malicious DLL, and an encrypted PlugX payload.

Arctic Wolf documented these precise attacks against European diplomats, revealing that the campaign ultimately distributed PlugX through DLL side-loading techniques. The malware established persistent access via registry modifications and communicated with command-and-control servers over HTTPS, enabling ongoing intelligence collection from high-value diplomatic networks across Hungary, Belgium, Serbia, Italy, and the Netherlands.

Eight years later, Microsoft fixes it quietly

In November 2025, Microsoft included a fix for this vulnerability in its Patch Tuesday updates, although it was not listed among the 63 officially patched vulnerabilities. The solution now displays the entire Target command with arguments in the Properties dialog, regardless of length—a straightforward adjustment that took eight years to implement. Users are encouraged to check Windows Update, as this fix was discreetly integrated into routine updates without any fanfare.

The implications of this vulnerability extend beyond its immediate fix. Research from Trend Micro in March indicated that nearly 70% of campaigns exploiting this flaw were focused on espionage and information theft across various sectors, including government, finance, telecommunications, and energy. Organizations are urged to implement defensive measures promptly, ensuring systems receive the latest updates. Security experts recommend blocking known command-and-control domains, conducting threat hunting for Canon printer binaries in unusual locations, and disabling automatic resolution of .LNK files for users accessing sensitive data.


Winsage