Malicious zip files use Windows Shortcuts to drop malware

Yes, in this example. Of course, the attackers are not obliged to use PowerShell. Similar attacks can be done by using other script engines and some LOLBins.
PowerShell is the most popular.
Is blocking the internet connection of LOLBins using the WHHL package enough to abort the execution, or do we have to disable all of them one by one, similar to PowerShell?
 
Attackers are actively exploiting this vulnerability in Windows for which no security update is available, according to security firm Arctic Wolf. The vulnerability is believed to have been used in attacks against European diplomats, including those in Belgium. The vulnerability (CVE-2025-9491) occurs during the processing of .LNK files. Specially crafted data within the .LNK file prevents dangerous command line arguments from being visible when users inspect the file.

Why does MS not address this. :unsure:
Good question. The cmdlines zinging out from PS after the .LNK launch. Below is a similar example of sorts, but different in that a copy of PowerShell is plopped into the User Arena to launch cmd codes from it. Tricky, but seemingly catchable if the chain progress is snagged before the called-out URL. @NoVirusThanks good example of the OnlineArmor coverage vector. One of many with that highly configurable program.

@Andy Ful
However, it seems that in this particular attack, PowerShell CmdLines are used directly from the shortcut (no script file).
Detection: Despite fixing this in build# 16232, it is still possible to execute this by executing a DLL hijack using the old, vulnerable AMSI DLL. For detection, it would be ideal to monitor (via command line logging, etc.) for any binaries (wscript, cscript, PowerShell) that are executed outside of their normal directories. Since the bypass to the fix requires moving the binary to a user writeable location, alerting on these executing in non-standard locations would catch this.
Bypassing AMSI via COM Server Hijacking

All aspects above are spot on. Problem is the same old song and dance of users rushing to open a shortcut (I assume blindly assuming the local machine's protection solution will reliably prevent any issue).

This feels like a return to Windows XP or earlier all over again, where .LNK shortcuts are the fast-draw nemesis even in 2025. The somewhat dated article I referenced is still worth study when following today's recent exploits.
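The quoted detection advice (alert when wscript, cscript or PowerShell run from a non-standard directory, since the bypass needs a copy in a user-writeable location) as an added, defender-side example. This is not code from the quoted post or from any product in the thread; the event-line format is constructed for the example, and the per-binary list of expected directories is an assumption based on the default Windows layout that should be adjusted to the environment.

```python
"""Flag script hosts (wscript, cscript, PowerShell) running outside their
usual directories.  Added example; event lines below are constructed."""
import ntpath

# Assumed default locations for each script host (lower-cased for comparison).
EXPECTED_DIRS = {
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
    "wscript.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "cscript.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Constructed process-creation events in a simple "key=value | key=value" form.
SAMPLE_EVENTS = [
    r"ts=2025-11-03T09:14:02Z | image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | parent=C:\Windows\explorer.exe | cmdline=powershell.exe -File C:\Scripts\inventory.ps1",
    r"ts=2025-11-03T09:15:40Z | image=C:\Users\alice\AppData\Local\Temp\powershell.exe | parent=C:\Windows\explorer.exe | cmdline=powershell.exe -w hidden -c Write-Host sample",
    r"ts=2025-11-03T09:16:11Z | image=C:\Windows\SysWOW64\wscript.exe | parent=C:\Windows\System32\svchost.exe | cmdline=wscript.exe C:\ProgramData\logon.vbs",
    r"ts=2025-11-03T09:17:05Z | image=C:\Users\Public\cscript.exe | parent=C:\Windows\explorer.exe | cmdline=cscript.exe //nologo agenda.vbs",
    r"ts=2025-11-03T09:18:30Z | image=C:\Program Files\Notepad++\notepad++.exe | parent=C:\Windows\explorer.exe | cmdline=notepad++.exe agenda.txt",
]


def parse_event(line):
    """Split one constructed event line into a dict of its key=value fields."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def relocated_script_host(image):
    """Return a reason if `image` is a known script host outside its expected
    directory, or None if it is not a script host or runs from the right place."""
    low = image.lower()
    name = ntpath.basename(low)
    allowed = EXPECTED_DIRS.get(name)
    if allowed is None:
        return None                      # not a binary we track
    if ntpath.dirname(low) in allowed:
        return None                      # normal location
    return f"{name} executed from {ntpath.dirname(image)}; expected one of {sorted(allowed)}"


def triage(lines):
    """Run the check over event lines; returns one alert dict per relocated script host."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reason = relocated_script_host(ev.get("image", ""))
        if reason:
            alerts.append({"ts": ev.get("ts"), "image": ev.get("image"),
                           "parent": ev.get("parent"), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["ts"], alert["reason"])
```

The comparison is on the parent directory only, so a renamed copy of a script host is not caught here; pairing this with file-hash or signer checks on the image closes that gap.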
Is blocking the internet connection of LOLBins using the WHHL package enough to abort the execution, or do we have to disable all of them one by one, similar to PowerShell?
In similar attacks, WHHLight blocks shortcuts, so LOLBins are not executed.

Blocking only the Internet connections of LOLBins (shortcuts not blocked) could prevent many attacks, such as the example from the OP. However, in the example from your post (Arctic Wolf Labs), there are no such connections. The attackers embedded all payloads in the ZIP archive.
 
Take home message: Do not launch shortcuts you did not create yourself.
 
All aspects above are spot on. Problem is the same old song and dance of users rushing to open a shortcut (I assume blindly assuming the local machine's protection solution will reliably prevent any issue).

Yes. Even Microsoft finally noticed that there is no reason to allow running shortcuts downloaded from the Internet. They are blocked by Smart App Control.
 

Microsoft Silently Patched CVE-2025-9491

Microsoft's Patch

However, we noticed something did change with November Windows Updates: now, the Properties dialog of a .lnk file shows the entire Target command with arguments, no matter how long it is. The theoretically-up-to-32k-character-long string is now shown in the same single-line field that can't even reveal an entire modest-sized command without selecting some text and moving the mouse left or right. But okay, at least one can select all, copy and paste the string to a text editor.
The issue was apparently demoted from vulnerability to functional bug, silently fixed without an advisory, and trust in the user interface was restored.
Arguably, if the problem was defined as "The properties dialog does not always show exactly what will be executed," it would indeed have been resolved. But this approach was weird: namely, it has always been the case that the "ordinary" way to create or modify a Windows shortcut - via Explorer user interface - only allowed you to enter up to 260 characters to the Target field. The only way for this string to be longer is to create the shortcut programmatically, e.g. using Windows API. (And some application may be creating such legitimate shortcuts for its own use.) So how much would showing all Target characters in a small field improve chances for victims targeted in actual attacks?
 
For 8 years, Microsoft said this wasn't a vulnerability. 11 nation-state hacking groups disagreed. Microsoft quietly patched it anyway. Without telling anyone.
😏

CVE-2025-9491. The Windows shortcut trick that fooled everyone.
Every Windows shortcut file (.lnk) has a Target field. When you right-click and check Properties, Windows shows you what the shortcut actually runs.
Except it doesn't.
Windows only displays the first 260 characters. But the actual command can be up to 32,000 characters long. Attackers discovered they could pad the beginning with whitespace characters. Spaces. Tabs. Line feeds. Push all the malicious code past what you can see.
You check Properties. You see nothing suspicious. You double-click. Game over.
→ Attacker creates .lnk file that looks like a PDF or Word document
→ Target field starts with thousands of invisible whitespace characters
→ Malicious PowerShell commands hidden after the whitespace
→ You check Properties, see nothing dangerous
→ You open it, malware executes
Even if you select all and scroll? You still can't see it. The UI simply cuts off at 260 characters.
Who's been using this since 2017?
→ 11 state-sponsored APT groups
→ Nearly 1,000 malicious samples discovered
→ Targets: governments, military, energy, telecommunications, diplomats
Trend Micro's Zero Day Initiative reported this to Microsoft in March 2025.
Microsoft's response: "Does not meet the bar for immediate servicing."
Translation: We don't consider this a vulnerability worth fixing.
They even published an advisory saying users are "warned several times" before opening .lnk files. That's technically true. But when you check the file and see nothing malicious? You trust it.
The timeline:
→ 2017: First attacks detected using this technique
→ March 2025: Trend Micro publicly discloses the issue
→ March 2025: Microsoft refuses to patch
→ October 2025: Attackers use it against European diplomats
→ December 2025: Security researchers notice the fix
No security advisory. No CVE acknowledgment. Just... fixed.
Arctic Wolf documented attacks against Hungarian and Belgian diplomatic entities in September and October 2025. The attackers sent .lnk files disguised as European Commission meeting agendas. Real diplomatic events. Real meeting dates. Perfect social engineering.
The malware? PlugX. A remote access trojan that's been around since 2008. Still effective because it keeps evolving.
0patch created their own fix that actually blocks these attacks. Their approach: if a shortcut has more than 260 characters in the Target field, warn the user before execution. Microsoft's fix just shows the entire string in a tiny field you can barely read.
Check if you're protected:
→ Windows 11: Install November 2025 updates
→ Windows 10: Only patched if you registered for Extended Security Updates (free for 1 year since October 2025). Many users are no longer receiving patches.
→ Windows Server 2016/2019/2022: Microsoft did NOT patch these. Still vulnerable.
The real lesson here?
You can't trust the Windows UI to show you what files actually do. Security researchers and nation-state hackers knew this for 8 years. Microsoft knew too. They just didn't think it mattered.
This is exactly why ethical hackers exist. We find these problems. We report them. And when vendors won't fix them, we make noise until they do.
I cover phishing attacks, malware analysis, and real penetration testing scenarios in my ethical hacking course. You'll learn to think like an attacker so you can defend against them.
https://www.udemy.com/.../ethical-hacking-complete.../...
(The link supports me directly as your instructor!)
Nation-state hackers exploited this for 8 years.
Microsoft called it "low severity."
Your antivirus probably missed it too.
🎯

#EthicalHacking #Windows #CVE20259491 #CyberSecurity #Malware #InfoSec #APT #NationStateHackers #MicrosoftSecurity #SocialEngineering #HackingPassion
Research & writing: Jolanda de Koff | HackingPassion.com
Sharing is fine. Copying without credit is not.
It just popped up on my FB, a nice sum up.
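The truncation described in that summary (the Properties dialog showed 260 characters while the Target arguments can be far longer, so whitespace padding pushes the real command out of view) and the 0patch heuristic of warning on Target arguments over 260 characters, as an added example that is neither the page's code nor 0patch's. It parses the .lnk StringData section per the MS-SHLLINK layout and flags overlong or whitespace-padded arguments; the sample .lnk bytes are constructed in the block, and the `scan_directory` helper is an assumption about how one would sweep a download folder.

```python
"""Parse .lnk (MS-SHLLINK) files and flag Target arguments that exceed the old
260-character Properties field or begin with whitespace padding.  Added example;
the sample shortcuts are constructed in build_sample_lnk()."""
import struct
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

VISIBLE_LIMIT = 260      # characters the Properties dialog showed before the fix
PAD_CHARS = " \t\r\n"    # the padding characters named in the summary


def _string_data(data, off, unicode):
    """One StringData entry: uint16 CountCharacters followed by the characters."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    if unicode:
        end = off + count * 2
        return data[off:end].decode("utf-16-le"), end
    end = off + count
    return data[off:end].decode("cp1252", errors="replace"), end


def parse_lnk(data):
    """Return the StringData fields present in the shortcut as a dict."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip LinkTargetIDList (uint16 size + items)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfo (size field includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], off = _string_data(data, off, unicode)
    return fields


def assess_lnk(data):
    """Apply the 0patch-style check: overlong or whitespace-padded arguments are suspicious."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    visible = args[:VISIBLE_LIMIT]               # what the old dialog displayed
    padding = len(args) - len(args.lstrip(PAD_CHARS))
    findings = []
    if len(args) > VISIBLE_LIMIT:
        findings.append(f"arguments are {len(args)} chars; {len(args) - VISIBLE_LIMIT} beyond the {VISIBLE_LIMIT}-char field")
    if padding and not visible.strip(PAD_CHARS):
        findings.append(f"first {VISIBLE_LIMIT} chars are whitespace ({padding} padding chars)")
    return {"target": fields.get("relative_path", ""), "padding": padding,
            "hidden_command": args.lstrip(PAD_CHARS), "findings": findings}


def scan_directory(root):
    """Assumed sweep helper: assess every .lnk under root, keep those with findings."""
    hits = {}
    for path in Path(root).rglob("*.lnk"):
        try:
            result = assess_lnk(path.read_bytes())
        except (ValueError, struct.error, UnicodeDecodeError):
            continue
        if result["findings"]:
            hits[str(path)] = result
    return hits


def build_sample_lnk(relative_path, arguments):
    """Constructed minimal .lnk: header plus RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes, timestamps, etc. zeroed

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: an ordinary shortcut, and one with 900 spaces before a harmless command.
BENIGN_LNK = build_sample_lnk(r"..\..\Windows\System32\notepad.exe", "readme.txt")
PADDED_LNK = build_sample_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              " " * 900 + "-Command Write-Host hidden-by-padding")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        print(label, assess_lnk(blob)["findings"])
```

Because the parser reads the raw StringData rather than asking the shell, the result does not depend on how any dialog chooses to render the field; the check on leading whitespace is separate from the length check so that a long but legitimate programmatic shortcut can be told apart from one whose visible portion is empty.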
 
RunDLL32 is a LoLbin. Sure, it runs less than a handful of control panel applets, but one seldom touches those, and it can be safely blocked, IMHO.

The other choice is to monitor it, and how many of us have the time/resources to monitor for whenever rundll32 is used?
 