Despite Microsoft’s secret patch, LNK loophole remains viable for hackers to deliver malware


Hackers have been stuffing seemingly innocuous LNK files with malware, invisible to users, and Microsoft has been reluctant to plug this hole. In November, the tech company released a silent patch that does almost nothing to stop the attackers. A third-party service offers an alternative unofficial update.

State-sponsored hackers and other Windows attackers have long been delivering malware using oversized Windows shortcut (LNK) files, disguised as legitimate files but carrying malicious shell commands or entire malware packages that the user never sees.

Shortcuts can be made to look like legitimate apps or documents, such as PDFs, Word files, and others. The only visible difference is the small overlay arrow in the lower-left corner of the icon, and Windows never displays the .lnk extension even when file extensions are otherwise shown, so a shortcut named invoice.pdf.lnk appears as invoice.pdf.


Cybernews has reported many times on hackers delivering malware via these shortcuts. In the spring, the Trend Micro Zero Day Initiative (ZDI) identified over 1,000 malicious LNK files crafted by state-sponsored hackers from North Korea, Iran, Russia, and China.

In the summer, a malicious campaign exploited LNK files to install the Remcos backdoor. Later in the autumn, hackers targeted European diplomats using LNK files as a vehicle to deliver PlugX malware.


Microsoft did not consider this a vulnerability; only the missing UI representation of the LNK contents was treated as a bug, tracked as CVE-2025-9491.

In November, the tech giant released a silent patch, as reported by 0patch, a third-party micropatching service by security firm ACROS Security.

However, the update merely makes malicious LNK instructions slightly more visible in file properties, where only tech-savvy users would typically ever look.

What does the patch change?

Previously, the "Target" field of the shortcut's Properties dialog showed at most 260 characters of the target command, and even fewer were immediately visible to a user inspecting the file properties, while attackers were stuffing the files with megabytes of malicious commands beyond that point.


After the November patch, the Properties dialog of the LNK file shows the entire Target command with arguments. But there’s still a problem.

“The theoretically-up-to-32k-character-long string is now shown in the same single-line field that can't even reveal an entire modest-sized command without selecting some text and moving the mouse left or right,” 0patch noted in a blog post.

“How much would showing all Target characters in a small field improve chances for victims targeted in actual attacks?”

Microsoft “does not consider this a vulnerability”

The Redmond giant released an advisory on addressing the “UI behavior,” in which it appreciates the security researchers’ reports, but determines that “it does not meet the bar for classification as a vulnerability.”


Microsoft argues that users are warned several times when opening a LNK file.

“Microsoft Defender has detections in place to detect and block this threat activity, and the Smart App Control provides an extra layer of protection by blocking malicious files from the internet,” Microsoft said.

The company further argues that a browser will not deliver an LNK file directly, so attackers must package it into an archive first. The user then has to unzip the archive and double-click the LNK file, which again produces "a warning stating that the file format is not trusted." The victim must click through this prompt.


“Windows identifies shortcut files as a potentially dangerous file type. Attempting to open a LNK file downloaded from the Internet automatically triggers a security warning advising users not to open files from unknown sources, and we strongly recommend heeding this warning,” Microsoft said.

0patch offers an actual but unofficial fix

0patch took matters into its own hands and released a separate micropatch to actually address the issue, as first reported by Bleeping Computer. If applied, it limits the "Target" of every LNK file to its first 260 characters and discards the rest.

“Our premise was that a legitimate non-malicious .lnk file that regular Windows users come across would be created manually and would therefore never have a Target with more than 260 characters,” the researchers explain.

Longer shortcuts can still be valid, as legitimate apps sometimes generate them. However, those are not meant to be opened manually by a user, the firm argues.

This simple approach neutralizes every one of over 1,000 malicious link files identified by Trend Micro.
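The two passages above, the pre-patch 260-character "Target" display and 0patch's rule of keeping only those 260 characters, both turn on the same piece of the shortcut format: the CommandLineArguments string in the file's StringData section. The following parser is an added example, not code from Cybernews, Microsoft, or 0patch. It builds two constructed shortcuts in memory (a normal one, and one whose command line is padded with harmless echo commands so that its tail lands past character 260), parses them back following the MS-SHLLINK layout, and splits the Target at the 260-character mark. Assumptions: the Properties dialog's "Target" is approximated as path + " " + arguments, with the RelativePath string standing in for the path (real shortcuts usually carry the path in the LinkTargetIDList/LinkInfo structures, which this parser skips by size rather than resolves); non-Unicode shortcuts are decoded as cp1252; and the padding filler is a stand-in for the megabytes of commands the article describes.

```python
"""Added example (not code from Cybernews, Microsoft or 0patch): parse the
StringData section of a Windows shortcut (.lnk, MS-SHLLINK) and apply the
260-character Target rule discussed in the article.

Assumptions: the Properties dialog's "Target" is approximated as
path + " " + arguments, with the RelativePath string standing in for the
path (the LinkTargetIDList/LinkInfo structures are skipped by size, not
resolved); ANSI shortcuts are decoded as cp1252; samples are constructed."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in the order the format stores them, with their LinkFlags bits
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]
TARGET_LIMIT = 260  # characters the pre-patch dialog showed and 0patch keeps


def _counted(s):
    """CountedString: 16-bit character count followed by UTF-16LE text, no NUL."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, arguments):
    """Constructed minimal shortcut: 76-byte ShellLinkHeader, RelativePath and
    CommandLineArguments strings, then a terminal extra-data block. Enough for
    this parser; Explorer would also expect an IDList or LinkInfo to resolve."""
    flags = 0x08 | 0x20 | IS_UNICODE  # HasRelativePath | HasArguments | IsUnicode
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + _counted(relative_path) + _counted(arguments) + struct.pack("<I", 0)


def parse_lnk(data):
    """Return (LinkFlags, StringData dict) for a .lnk byte string."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shortcut (bad ShellLinkHeader)")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:        # IDListSize (2 bytes) excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        # 16-bit character count: one field can hold far more than any dialog shows
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} string")
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return flags, fields


def displayed_target(fields):
    """Approximation of the dialog's 'Target' line: path, then arguments."""
    path, args = fields.get("relative_path", ""), fields.get("arguments", "")
    return f"{path} {args}" if args else path


def assess(data):
    """Split the Target at the 260-character mark: what the old dialog showed
    (and what 0patch's micropatch keeps) versus what lay beyond it."""
    _, fields = parse_lnk(data)
    target = displayed_target(fields)
    return {
        "target_length": len(target),
        "visible_prefix": target[:TARGET_LIMIT],
        "hidden_suffix": target[TARGET_LIMIT:],
        "exceeds_limit": len(target) > TARGET_LIMIT,
    }


# Constructed samples: a normal shortcut and one whose command line is padded
# with harmless echo commands so that the real tail lands past 260 characters.
BENIGN_LNK = build_lnk(r"..\Windows\System32\notepad.exe", "readme.txt")
PADDED_PATH = r"..\Windows\System32\cmd.exe"
PADDED_ARGS = "/c " + "echo harmless & " * 30 + "echo HIDDEN-TAIL"
PADDED_LNK = build_lnk(PADDED_PATH, PADDED_ARGS)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        r = assess(blob)
        print(f"{label}: Target is {r['target_length']} chars, exceeds 260: {r['exceeds_limit']}")
        print("  beyond character 260:", repr(r["hidden_suffix"][-40:]))
```

Run stand-alone, the padded sample reports a 527-character Target whose "HIDDEN-TAIL" command sits entirely in the part a pre-patch Properties dialog would never show; applying 0patch's rule means keeping only `visible_prefix`, which in this sample drops the tail along with most of the filler. To scan real files, read the bytes with `open(path, "rb").read()` and pass them to `assess`, bearing in mind the stated assumption that the path is taken from RelativePath rather than resolved from the IDList.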

“Microsoft's patch would only allow the most cautious among these users – who would probably not launch such shortcuts anyway – to see the entire malicious command string,” 0patch said.

However, to install this third-party patch, users need to create an account and download the 0patch agent. The unofficial patch appears to be available only to Pro and Enterprise subscribers, although the service offers a free trial.
