
Redazione RHC: 6 December 2025 19:27
Experts have discovered that in the summer of 2025, Microsoft patched a dangerous vulnerability in Windows that had been actively exploited by at least 11 hacker groups, including North Korean APTs and large groups like Evil Corp.
This is CVE-2025-9491, which allowed attackers to hide malicious commands inside LNK files and run malware unnoticed on a compromised device.
The root of the problem lies in the way Windows handles LNK shortcuts. Attackers padded the Target field of the LNK file with spaces to hide malicious command-line arguments.
The file properties dialog shows only the first 260 characters of the Target field, while the rest remains hidden. As a result, the user sees a harmless command, but double-clicking the shortcut launches the malware.
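As an added example (not code from the article, Trend Micro or 0patch), a small Python detector for the padding pattern described above: it parses the parts of the MS-SHLLINK format needed here and reports any content of the path plus arguments that sits past the 260 displayed characters behind whitespace padding. It assumes the dialog's Target text is the link's relative path followed by its arguments, ignores ExtraData, and builds its own constructed LNK samples in memory; the cp1252 fallback for non-Unicode strings and the sample names are assumptions.

```python
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections in file order, with the LinkFlags bit that enables each one.
STRING_DATA = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
               ("arguments", 0x20), ("icon_location", 0x40)]
VISIBLE_LIMIT = 260  # characters of the Target field the properties dialog displays

def parse_lnk(data: bytes) -> dict:
    """Return the StringData sections (path, arguments, ...) of a shell link."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:        # IDListSize (2 bytes) followed by the ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)  # else ANSI; cp1252 assumed for the code page
    fields = {}
    for name, bit in STRING_DATA:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
            nbytes = count * 2 if unicode else count
            raw = data[pos + 2:pos + 2 + nbytes]
            fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
            pos += 2 + nbytes
    return fields

def hidden_target_part(fields: dict) -> str:
    """Content of path + arguments that sits past the 260 displayed characters behind
    whitespace padding; an empty string means the dialog would show everything."""
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).rstrip()
    visible, tail = target[:VISIBLE_LIMIT], target[VISIBLE_LIMIT:]
    return tail.strip() if visible != visible.rstrip() and tail.strip() else ""

def build_sample_lnk(path: str, arguments: str) -> bytes:
    """Constructed test fixture: a minimal Unicode LNK with only a relative path and
    arguments (no IDList/LinkInfo), enough to exercise the detector above."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE)
    header += bytes(LNK_HEADER_SIZE - len(header))  # attributes, timestamps etc. zeroed
    for s in (path, arguments):
        header += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header

# Constructed samples: an ordinary shortcut, and one padded so content starts past position 260.
BENIGN = build_sample_lnk("notepad.exe", "readme.txt")
PADDED = build_sample_lnk("notepad.exe", " " * 300 + "HIDDEN_ARGUMENT_PLACEHOLDER")
```

Running `hidden_target_part(parse_lnk(PADDED))` returns the placeholder text while the benign sample returns an empty string; a real scanner would apply the same check to the `.lnk` files it collects.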
Hacker groups have actively exploited this trick. Trend Micro analysts have found that CVE-2025-9491 has been exploited by at least 11 groups, including North Korea’s APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, and Konni, as well as the cybercriminal groups Evil Corp and Bitter.
“The attacks used various payloads and downloaders: Ursnif, Gh0st RAT, Trickbot. MaaS (malware-as-a-service) platforms further complicated the situation,” Trend Micro notes.
As recently reported by Arctic Wolf and StrikeReady, the Chinese hacker group Mustang Panda even exploited this vulnerability as a zero-day and used it in attacks against European diplomats in Hungary, Belgium, and other EU countries. The attackers then deployed the PlugX RAT malware on their victims’ systems.
In March 2025, Trend Micro analysts reported to Microsoft developers that the CVE-2025-9491 vulnerability was being actively exploited. However, the vendor responded that it would only “consider” fixing the bug, emphasizing that the vulnerability did not meet the criteria for an immediate fix.
Additionally, in November, Microsoft representatives issued a further clarification stating that the issue should not be considered a vulnerability, “given the required user interaction and the fact that the system warns about the untrusted file format.”
However, as Mitja Kolsek, head of Acros Security and co-founder of 0patch, reported, Microsoft recently quietly changed the behavior of LNK files. Kolsek says that after the June updates (although the patch appears to have been rolled out gradually), users see all characters in the Target field when opening an LNK file’s properties, not just the first 260.
Kolsek noted that this isn’t a fully functional solution. The problem is that malicious LNK file arguments persist, and users still don’t receive warnings when opening a link with an excessively long target string.
While waiting for Microsoft to release a full patch, Acros Security has released an unofficial fix via its 0patch platform. The micropatch limits all target strings in shortcuts to 260 characters and warns users of the potential danger of opening files with excessively long strings.
“While it is possible to create malicious shortcuts with fewer characters, we believe that stopping real-world attacks that have already been discovered could significantly benefit those targeted by hackers,” Kolsek says.
The unofficial patch is available to 0patch users with PRO and Enterprise subscriptions running Windows versions from Windows 7 to Windows 11 22H2, as well as Windows Server 2008 R2 to Windows Server 2022.