A long-standing vulnerability in Windows shortcut files (LNK) is being actively exploited by state-sponsored hacking groups to launch cyberattacks against government entities and diplomats, according to new security reports. The flaw, tracked as CVE-2025-9491, allows attackers to hide malicious commands inside seemingly harmless shortcut files, the icons that millions of users click every day.
Despite the growing number of attacks, Microsoft has reportedly decided not to release a direct patch for the issue, citing the risk of breaking legitimate operating system functionality.
Windows LNK files are typically used to point to applications or documents. However, they can also be configured to execute system commands. The vulnerability lies in how Windows displays these file properties to the user.
While the Windows user interface only displays the first 255 characters of a shortcut’s target path, the file format itself supports up to 4,096 characters. Attackers exploit this gap by “padding” their malicious commands with extensive whitespace. When a user inspects the file properties, they see a benign path, but the hidden malicious arguments—such as PowerShell scripts that download malware—execute immediately upon opening the file.
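To show how a defender can check shortcut files for this padding, here is an added Python example (not from the article or from any of the reports it cites) that walks the StringData section of an LNK file according to the MS-SHLLINK layout and flags COMMAND_LINE_ARGUMENTS whose content sits past the 255-character window behind a long run of whitespace. The LNK bytes it checks are constructed inline as a test fixture, and the 32-character run threshold is an assumed tuning value.

```python
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
UI_VISIBLE_CHARS = 255  # characters the Properties dialog shows, per the article

def read_string_data(data: bytes) -> dict:
    """Parse the optional StringData fields after the header, IDList and LinkInfo."""
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # u16 IDListSize, then the IDList body
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # u32 LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, (2 if flags & IS_UNICODE else 1)
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields

def suspicious_padding(data: bytes, min_run: int = 32) -> dict:
    """Report argument text that sits past the visible window behind a whitespace run."""
    args = read_string_data(data).get("arguments", "")
    longest = max((len(m.group()) for m in re.finditer(r"\s+", args)), default=0)
    # The dialog shows path and arguments together, so anything past index 255 of the
    # arguments alone is certainly out of view (a conservative lower bound).
    hidden = args[UI_VISIBLE_CHARS:].strip()
    return {"longest_ws_run": longest, "hidden_tail": hidden,
            "suspicious": bool(hidden) and longest >= min_run}

def build_test_lnk(arguments: str) -> bytes:
    """Constructed fixture: minimal Unicode LNK carrying only COMMAND_LINE_ARGUMENTS."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_ARGUMENTS | IS_UNICODE)
    enc = arguments.encode("utf-16-le")
    return bytes(header) + struct.pack("<H", len(enc) // 2) + enc
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo, which the parser skips by their declared sizes before reading the string fields.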
Security researchers have linked this technique to high-profile espionage campaigns. One group, tracked as XDSpy, has targeted government agencies in Eastern Europe. In these attacks, the group utilized LNK files to trigger a legitimate, Microsoft-signed executable. This executable then sideloaded a malicious DLL file to install the “XDigo” payload, which is capable of stealing sensitive data, capturing screenshots, and logging keystrokes.
Another threat actor, identified as UNC6384, has been observed targeting European diplomats. This group uses similar whitespace-padding tactics to hide PowerShell commands that deploy the PlugX remote-access trojan, a tool commonly associated with Chinese cyber-espionage operations. Reports indicate these attacks have been used to compromise systems in Hungary, Belgium, and other NATO-aligned nations.
According to reports from Help Net Security, Microsoft has determined that this specific vulnerability “did not meet the bar for servicing.” The company’s stance is that the ability for shortcuts to launch programs with arguments is a fundamental feature of the Windows operating system, and altering this behavior could disrupt legitimate software.
Instead of a code fix, Microsoft is relying on its security ecosystem to mitigate the threat. The company states that Microsoft Defender is capable of flagging malicious shortcuts, and its Smart App Control feature can block untrusted files downloaded from the internet.
Security experts advise users to treat LNK files with the same caution reserved for executable (.EXE) files, especially when they arrive via email or inside ZIP archives. Because the Windows interface may not reveal the full danger of a file, visual inspection is no longer a reliable safety measure.
For enterprise environments, security teams are advised to configure policies such as AppLocker to restrict shortcut files from launching command-line tools like PowerShell. For individual users, keeping antivirus software up to date remains the primary line of defense against these “zero-click” or single-click execution attacks.