Phishing

Windows LNK exploits allow malicious payload deployment

Laptop Screen Warning Alert: Cyber Attack, Virus, Malware, Spyware, System Hacked

Security researcher Wietze Beukema has disclosed four weaknesses in Windows LNK shortcut files that can be exploited by attackers to deploy malicious payloads. These techniques manipulate LNK files to hide malicious targets from users inspecting file properties, allowing for deceptive execution of different programs than what appears to be targeted, as reported by Bleeping Computer.

The attack methods exploit inconsistencies in how Windows Explorer prioritizes conflicting target paths within LNK files. Attackers can use forbidden characters or manipulate data structures like EnvironmentVariableDataBlock to display a benign target, such as "invoice.pdf," in file properties while executing malicious code like PowerShell. Beukema has released an open-source tool, "lnk-it-up," to help test and identify these malicious LNK files. Microsoft, however, has declined to classify these as vulnerabilities, stating that exploitation requires user interaction and does not breach security boundaries. Despite this, Microsoft Defender and Smart App Control offer some protection, and the company advises users to heed security warnings and avoid opening files from unknown sources.

While Microsoft does not consider these specific findings to be vulnerabilities, the underlying techniques are similar to CVE-2025-9491, a flaw that has been actively exploited by multiple state-sponsored groups and cybercrime gangs for years, Beukema says. 

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds