Researcher Exposes Novel LNK File Deception Methods

Security researcher Wietze Beukema has unveiled four previously undocumented techniques that manipulate Windows shortcut (.lnk) files to conceal malicious payloads. The methods exploit the binary structure of the shortcut format, which dates back to Windows 95: a shortcut can carry the target path in several optional structures at once, and when those structures disagree, Windows Explorer resolves the conflict differently for display than for execution. The result is a file whose Properties dialog shows one target while double-clicking it runs an entirely different program.

One approach uses characters that are forbidden in Windows paths, such as double quotes, to produce a path that is technically invalid yet still resolves when the shortcut is launched. Another manipulates the EnvironmentVariableDataBlock, an optional structure that names the target by an environment-variable path: the shortcut displays a harmless target such as "invoice.pdf" while actually launching PowerShell or another command, with no command-line arguments visible in the Properties dialog. Explorer processes these malformed shortcuts forgivingly, showing the spoofed information instead of rejecting the invalid files.

Beukema has released an open-source tool suite called "lnk-it-up" that generates test shortcuts using these methods and helps identify potentially malicious files by predicting discrepancies between the target a shortcut displays and the one it executes. When the researcher reported the EnvironmentVariableDataBlock issue to the Microsoft Security Response Center in September, the company declined to classify it as a vulnerability, arguing that exploitation requires tricking a user into opening the file and therefore does not cross one of its defined security boundaries.

The company also notes that Windows already shows a security warning for .lnk files downloaded from the internet and that Microsoft Defender includes detections for this kind of activity. The situation echoes CVE-2025-9491, a similar LNK spoofing flaw that Microsoft initially declined to patch despite active exploitation by numerous state-sponsored groups and cybercrime gangs. That vulnerability was eventually fixed in June 2025 without public acknowledgment, after abuse by at least eleven threat groups targeting diplomats and other victims across multiple continents.
