Microsoft has released a patch addressing a critical Windows LNK vulnerability that has been actively exploited worldwide. This vulnerability in shortcut files allowed attackers to deliver malware without triggering security warnings, posing a significant threat to users.
Threat Actors' Exploitation
The flaw allowed cybercriminals to embed malicious commands in the shortcut files' Target field, masquerading as harmless content. Upon opening these files, the hidden commands executed with user privileges, allowing malware installation. Major threat groups such as EvilCorp, APT37, and Mustang Panda leveraged this vulnerability to distribute harmful software like Ursnif and Trickbot.
Trend Micro researchers identified the issue in March 2025, but Microsoft delayed the patch, contending that existing warnings sufficed. Threat actors exploited a Mark-of-the-Web loophole to bypass these defenses.
Security Recommendations
Security experts advise against interacting with questionable .lnk files. Enterprises should enforce stringent email and file filtering and disable shortcut execution from untrusted sources. Applying Microsoft's security updates, educating employees on handling unexpected attachments, and using advanced endpoint protection are essential measures.
Monitoring for abnormal shortcut-file behavior across the network can help detect and contain these threats, and helps organizations defend against similar vulnerabilities.
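The article describes the abuse (commands hidden in a shortcut's target that run with the user's privileges) and recommends monitoring shortcut files for abnormal behavior. The following is an added example, written for this page and not code from the article, Microsoft or Trend Micro, of what such a check can look like: a small parser for the Shell Link (.lnk) binary format that pulls out the relative path and command-line arguments, and a triage function that flags shortcuts whose target is a command or script interpreter, whose arguments are far longer than a user would ever see in the Properties dialog, or whose arguments contain long whitespace runs. The thresholds, the use of the RELATIVE_PATH string as a proxy for the target (the real target lives in the IDList, which needs a PIDL resolver), the interpreter list and the sample files are all assumptions made for the example; the sample shortcuts are constructed in the script itself.

```python
import os
import re
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1 (ShellLinkHeader)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Assumed heuristics for this example: interpreters a shortcut rarely needs to
# launch directly, and an argument length well beyond what the Properties
# dialog's Target box shows at a glance.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
MAX_VISIBLE_ARGS = 260
PADDING_RUN = re.compile(r"\s{16,}")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link (name, paths, arguments)."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip LinkTargetIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (size includes itself)
        off += struct.unpack_from("<I", data, off)[0]

    def read_string() -> str:
        nonlocal off
        count = struct.unpack_from("<H", data, off)[0]   # character count, no terminator
        off += 2
        if flags & IS_UNICODE:
            raw, off = data[off:off + count * 2], off + count * 2
            return raw.decode("utf-16-le")
        raw, off = data[off:off + count], off + count
        return raw.decode("cp1252", errors="replace")

    info = {"flags": flags}
    # StringData structures appear in this fixed order when their flag is set
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                     ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                     ("icon_location", HAS_ICON_LOCATION)):
        info[key] = read_string() if flags & bit else ""
    return info


def triage_lnk(data: bytes) -> list:
    """Return a list of finding tags for one shortcut; empty means nothing odd."""
    info = parse_lnk(data)
    findings = []
    target = info["relative_path"].replace("/", "\\").lower().rsplit("\\", 1)[-1]
    args = info["arguments"]
    if target in INTERPRETERS:
        findings.append("interpreter-target")
    if len(args) > MAX_VISIBLE_ARGS:
        findings.append("oversized-arguments")
    if PADDING_RUN.search(args):
        findings.append("whitespace-padding")
    return findings


def scan_directory(root: str) -> dict:
    """Triage every .lnk under root; maps path -> findings (unparseable files get ['parse-error'])."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".lnk"):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        results[path] = triage_lnk(fh.read())
                except ValueError:
                    results[path] = ["parse-error"]
    return results


def build_lnk(relative_path: str, arguments: str, unicode: bool = True) -> bytes:
    """Construct a minimal Shell Link (header + StringData only) as a test sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, flags)

    def enc(s: str) -> bytes:
        raw = s.encode("utf-16-le") if unicode else s.encode("cp1252")
        return struct.pack("<H", len(s)) + raw

    return bytes(header) + enc(relative_path) + enc(arguments)


if __name__ == "__main__":
    # Constructed samples: an ordinary application shortcut and one whose
    # arguments are pushed out of view behind a long run of spaces.
    benign = build_lnk("..\\..\\Program Files\\Notepad++\\notepad++.exe", "")
    padded = build_lnk("..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                       " " * 300 + "-File example.ps1")
    print("benign:", triage_lnk(benign))
    print("padded:", triage_lnk(padded))
```

Findings from scan_directory are meant to feed an alert or ticket, not to block on their own: a shortcut that launches cmd.exe is common in admin toolkits, so the interesting cases are the combinations (interpreter target plus oversized or padded arguments), and the tags are kept separate so a SIEM rule can weight them.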