For 8 years, Microsoft said this wasn't a vulnerability. 11 nation-state hacking groups disagreed. Microsoft quietly patched it anyway. Without telling anyone.

CVE-2025-9491. The Windows shortcut trick that fooled everyone.

Every Windows shortcut file (.lnk) has a Target field. When you right-click and check Properties, Windows shows you what the shortcut actually runs.

Except it doesn't.

Windows only displays the first 260 characters. But the actual command can be up to 32,000 characters long. Attackers discovered they could pad the beginning with whitespace characters. Spaces. Tabs. Line feeds. Push all the malicious code past what you can see.

You check Properties. You see nothing suspicious. You double-click. Game over.

Attacker creates .lnk file that looks like a PDF or Word document
Target field starts with thousands of invisible whitespace characters
Malicious PowerShell commands hidden after the whitespace
You check Properties, see nothing dangerous
You open it, malware executes

Even if you select all and scroll? You still can't see it. The UI simply cuts off at 260 characters.

Who's been using this since 2017?
11 state-sponsored APT groups
Nearly 1,000 malicious samples discovered
Targets: governments, military, energy, telecommunications, diplomats

Trend Micro's Zero Day Initiative reported this to Microsoft in March 2025.

Microsoft's response: "Does not meet the bar for immediate servicing."

Translation: We don't consider this a vulnerability worth fixing.

They even published an advisory saying users are "warned several times" before opening .lnk files. That's technically true. But when you check the file and see nothing malicious? You trust it.
The timeline:
2017: First attacks detected using this technique
March 2025: Trend Micro publicly discloses the issue
March 2025: Microsoft refuses to patch
October 2025: Attackers use it against European diplomats
December 2025: Security researchers notice the fix

No security advisory. No CVE acknowledgment. Just... fixed.

Arctic Wolf documented attacks against Hungarian and Belgian diplomatic entities in September and October 2025. The attackers sent .lnk files disguised as European Commission meeting agendas. Real diplomatic events. Real meeting dates. Perfect social engineering.

The malware? PlugX. A remote access trojan that's been around since 2008. Still effective because it keeps evolving.

0patch created their own fix that actually blocks these attacks. Their approach: if a shortcut has more than 260 characters in the Target field, warn the user before execution. Microsoft's fix just shows the entire string in a tiny field you can barely read.

Check if you're protected:
Windows 11: Install November 2025 updates
Windows 10: Only patched if you registered for Extended Security Updates (free for 1 year since October 2025). Many users are no longer receiving patches.
Windows Server 2016/2019/2022: Microsoft did NOT patch these. Still vulnerable.

The real lesson here?

You can't trust the Windows UI to show you what files actually do. Security researchers and nation-state hackers knew this for 8 years. Microsoft knew too. They just didn't think it mattered.
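Added example, not from the OP, 0patch or Microsoft: a small offline .lnk triage script that does what the OP says the Properties dialog does not. It parses the ShellLinkHeader and StringData of a shortcut file, pulls out the COMMAND_LINE_ARGUMENTS string, and flags the two things the post describes: an arguments string longer than the 260 characters the dialog shows (the same heuristic 0patch's fix applies) and a long run of leading whitespace or embedded tab/line-feed characters. The sample shortcuts are constructed in memory with build_lnk (the LinkTargetIDList and LinkInfo blocks are left out, but the parser skips them when present); the 32-character padding threshold is an assumed tuning value, and the script inspects only the arguments string, not the target path stored in the IDList.

```python
"""Offline .lnk triage: parse the Shell Link header and StringData, then flag
arguments that exceed the 260-character Properties display or start with
whitespace padding. The sample shortcuts below are constructed in memory."""
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order when their flag is set
STRING_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

DISPLAY_LIMIT = 260      # characters the Properties dialog shows, per the post
PADDING_THRESHOLD = 32   # assumed tuning: this much leading whitespace is not normal


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags and every StringData string found in a .lnk blob."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag, key in STRING_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            strings[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            strings[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return {"flags": flags, "strings": strings}


def assess_lnk(data: bytes) -> list:
    """Findings about the COMMAND_LINE_ARGUMENTS string; an empty list means clean."""
    args = parse_lnk(data)["strings"].get("arguments", "")
    findings = []
    if len(args) > DISPLAY_LIMIT:
        findings.append(f"arguments are {len(args)} chars; Properties shows only {DISPLAY_LIMIT}")
    leading = len(args) - len(args.lstrip())
    if leading >= PADDING_THRESHOLD:
        findings.append(f"arguments start with {leading} whitespace characters")
    hidden = sorted({f"\\x{ord(c):02x}" for c in args if c in "\t\n\r\x0b\x0c"})
    if hidden:
        findings.append("arguments contain control whitespace: " + ", ".join(hidden))
    return findings


def build_lnk(arguments: str, name: str = "") -> bytes:
    """Constructed sample: a minimal Unicode .lnk carrying only NAME and ARGUMENTS."""
    flags = HAS_ARGUMENTS | IS_UNICODE | (HAS_NAME if name else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + (string_data(name) if name else b"") + string_data(arguments)


def scan_file(path: str) -> list:
    """Triage a shortcut on disk with the same checks."""
    with open(path, "rb") as fh:
        return assess_lnk(fh.read())


if __name__ == "__main__":
    BENIGN = build_lnk("-nologo", "Notes")
    PADDED = build_lnk(" " * 300 + "-Command Write-Output hidden")
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, assess_lnk(blob) or "no findings")
```

Run scan_file over a mail-attachment quarantine or a user's Downloads folder and anything with findings gets a closer look; a shortcut whose arguments begin with hundreds of spaces has no legitimate reason to exist, which is why a length-based warning like 0patch's catches the technique without needing to understand the PowerShell that follows the padding.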
Thanks, chatgpt
>>107498070
ChatGPT wishes it could type like that
Takes a special kind of retard to receive a <1kb .lnk file and think it's a fucking pdf
>>107498054
How do I unfollow this LinkedIn post
>>107498059
Windows Server won't get patched because Monero feds need it to perpetuate their malware fueled, fake privacy ponzi
>>107498054
Poo's Law #1: The Indian Hindu rape rat always lies, always. Even when there is no gain from lying, they will lie. Reality is always the opposite of whatever the Indian Hindu rape rat says.
>>107498113
it doesn't because it can.
>>107498250
>india is seen abroad as a place that produces high-caliber tech talents
i wonder who they asked lmao.
>>107498054
>needs physical access to a mouse or keyboard to run the malware
Nothingburger, as usual
>>107498054
Looks like using ansi escape codes to hide the string.
We were doing that shit on c64s to prevent listing basic programs.
This is stupid.
>>107498054
maybe because opening a .lnk file is proof of 67 IQ-tier retardation. the same people would open a .exe with a pdf icon. for once i'm on microsoft's side and not "information security experts" jerking each other's dicks for clout
I thought this existed before 2017?
>>107500607 (me)
As in, I'm pretty sure this has been 'known' for a while, and not just by APTs/top TAs....
As in I want to say I had some awareness of this vuln, like 2022, looking at roshtyak
>>107498054
>relies on me manually opening up a shortcut someone sent me
even if you're a retarded roastie who has visible extensions turned off there would still be the little arrow icon denoting that it is an extension. even people dumb enough to be fooled would see it and go "you e-mailed me the shortcut lol"
>>107500607
yeah, i remember this being a common way to prank people in "computer class" in high school
>>107498054
here you go bro another one
you should report this windows is finished and bankrupt!
>ai-obsessed techbro linkedin lunatics are actually scared of picrel
>>107500673
i would do it, he asked so politely
>>107498054
why even pad it if you're opening up powershell. anyone who would notice the shortcut is "powershell.exe [bunch of code]" would also notice that the target is fucking blank but selectable so surely some shenanigans are happening (and who the fuck sends people shortcuts)
also any IT department worth anything would not let you run ps as admin and have execution policies precluding random users changing anything important
this is literally on par with "someone can send you a script and tell you to run it" (which i guess did pwn enough random twitch and discord users that they have warnings about it now, but still)
microsoft badvirus scary
>>107500745
to you and everyone else saying
>lmao idiots
yes, and idiots are the ones who open the phishing email -> run the LNK -> LNK opens actual PDF/app -> Dropper runs in background -> compromised.
Don't need admin, just need a comms channel and an inside hop point. Pilfer slack/cookies -> SE a coworker/login to company SSO, who cares about lsass?
>>107500861
>lol just LE PIVOT XD!!
your computer gets flagged instantly for attempting to run obvious malware and is disconnected from the network because it is no longer 1999
>>107500861
>open the phishing email
>open the phishing email -> run the LNK -> LNK opens actual PDF/app -> Dropper attempts to run -> gets flagged -> you get fired
>>107498054
>>107498054
literally nobody uses windblows anymore
To all the idiots going 'lol just don't be a retard' please start living in the real world where this method of attack worked very well for many years.
To those of you who suck MS dick. You're not part of their team, you're just a loser, stop stanning those freaks.
the real solution is to just treat .lnk files as executable and subject them to the same security precautions as .exe and .bat files.
all this bullshit about the hidden target field is a total red herring - 99% of users won't check or won't understand whatever powershell script is in there anyway. all you need is to treat the .lnk as an executable file.
>BigTitsOnlyFansWhores.mp4.lnk
>Fell for it
>>107498054
>You see nothing suspicious.
You see NOTHING AT ALL, how the fuck is that "nothing suspicious" to you?