Microsoft has addressed a critical Windows LNK vulnerability (CVE-2025-9491) exploited by multiple threat actors, including state-sponsored groups, by silently implementing mitigation measures. The flaw, which allows attackers to hide malicious commands in shortcut files, has been actively exploited in zero-day campaigns involving malware like Trickbot and PlugX. #CVE-2025-9491 #EvilCorp #APT37 #MustangPanda
Key points
- The vulnerability CVE-2025-9491 affects how Windows handles LNK files, enabling code execution through manipulated shortcut files.
- Threat actors use archives like ZIP files to distribute malicious LNK files, tricking users into opening them.
- Microsoft has silently rolled out a mitigation by changing how LNK files display the Target field without providing a full fix.
- Unofficial patches from ACROS Security restrict malicious shortcuts to 260 characters, helping prevent attacks in the wild.
- Groups like Mustang Panda specifically exploited this flaw in zero-day attacks targeting European diplomats with PlugX RAT.
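As an added defender-side example (not code from the page, Microsoft or ACROS Security), the following Python parses the StringData section of a Shell Link (.lnk) file and reports the two things a reviewer can measure from the raw bytes: an argument string whose length exceeds the 260-character Target display limit cited above, and heavy leading whitespace in the arguments, which is assumed here to be the padding technique that keeps the real command out of view. The 16-character padding threshold and the constructed sample shortcut are assumptions for illustration.

```python
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
DISPLAY_LIMIT, PADDING_THRESHOLD = 260, 16  # 260 is from the page; 16 is an assumed threshold
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link (MS-SHLLINK layout)."""
    header_size, flags = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 20)[0]
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) does not include itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, encoding = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for flag, name in STRING_FIELDS:      # fixed order; each is CountCharacters + chars
        if flags & flag:
            count, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
            fields[name] = data[pos:pos + count * width].decode(encoding)
            pos += count * width
    return fields

def hidden_argument_findings(data: bytes) -> list:
    """Report why a shortcut's arguments might not show in the Target field."""
    args = parse_lnk_strings(data).get("arguments", "")
    findings = []
    padding = len(args) - len(args.lstrip())
    if padding > PADDING_THRESHOLD:
        findings.append(f"{padding} leading whitespace chars push the real command out of view")
    if len(args) > DISPLAY_LIMIT:
        findings.append(f"{len(args)} argument chars exceed the {DISPLAY_LIMIT}-char display limit")
    return findings

def build_lnk(arguments: str, relative_path: str = "notepad.exe") -> bytes:
    """Build a minimal constructed Unicode .lnk for exercising the checks above."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL
    string = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string(relative_path) + string(arguments)
```

Run `hidden_argument_findings` over shortcuts extracted from inbound archives; an empty list means the arguments fit within what the Properties dialog would have shown.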