Overview
- November 2025 Windows updates now display the entire Target command in .lnk file Properties, removing the previous 260‑character cutoff identified as central to CVE-2025-9491 exploitation.
- Microsoft has not issued a formal security advisory for this change and previously said the issue did not meet the bar for immediate servicing due to required user interaction.
- ACROS Security’s 0patch released an unofficial micropatch that limits shortcut Target strings to 260 characters and warns users when opening unusually long shortcuts.
- Attackers abuse whitespace padding in .lnk Targets to hide malicious arguments and execute code when users open booby‑trapped shortcuts, frequently delivered inside ZIP archives to bypass attachment blocks.
- Researchers have documented active use of the technique since at least 2017 by multiple state‑sponsored and criminal groups, with observed payloads including PlugX, Ursnif, Gh0st RAT, Trickbot and XDigo.