Nation-state actors and cybercrime gangs abuse malicious .lnk files for espionage and data theft
ID: fbf9d5d1-9d94-5f82-b070-f871ba30af3e
STIX ID: report--fbf9d5d1-9d94-5f82-b070-f871ba30af3e
Feed Name: Security Affairs
Trend Micro’s Zero Day Initiative (ZDI) reports that at least 11 state-sponsored APTs and cybercrime groups are actively abusing a Windows Shell Link (.lnk) zero-day (ZDI-CAN-25373) to hide and execute malicious commands, with roughly 1,000 malicious .lnk samples discovered. The technique is a UI misrepresentation flaw (CWE-451): the shortcut's command-line arguments are padded with whitespace characters (spaces, tabs, line feeds, carriage returns, vertical tabs and form feeds) so that the Target field of the Windows file-properties dialog shows nothing suspicious while the shell still passes the full argument string to the target program. This enables stealthy delivery of various malware payloads across government, financial, telecom, military and energy sectors worldwide; Microsoft was notified but declined to issue a patch.
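Because no patch is available, the practical defence is to find shortcuts whose argument string carries the padding. The script below is an added example written for this page, not code from Security Affairs, Trend Micro or ZDI. It parses the documented MS-SHLLINK layout (76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData fields in fixed order) to extract COMMAND_LINE_ARGUMENTS, and flags arguments that contain a long run of whitespace or any control-whitespace character. The 32-character threshold, the `build_lnk` helper and the embedded sample shortcut are assumptions constructed for the demonstration; the sample only echoes a string and is not a real payload.

```python
import struct
import sys

# MS-SHLLINK constants: the LinkCLSID bytes as stored on disk and the LinkFlags bits we need.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
# Whitespace the properties dialog renders as blank; the last four never belong in a real command line.
PAD_CHARS = " \t\n\x0b\x0c\r"
CONTROL_WS = "\t\n\x0b\x0c\r"


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:                       # LinkTargetIDList: 2-byte IDListSize, then the list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfo: 4-byte LinkInfoSize covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    out = {"flags": flags}
    # StringData fields appear in this fixed order, each as CountCharacters (2 bytes) + characters, no terminator.
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                     (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            out[key] = data[off:off + 2 * count].decode("utf-16-le", "replace")
            off += 2 * count
        else:
            out[key] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return out


def whitespace_padding(args: str, min_run: int = 32) -> dict:
    """Heuristic for ZDI-CAN-25373-style padding: long whitespace runs or control whitespace in the arguments."""
    longest = run = 0
    for ch in args:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    control = sorted({ch for ch in args if ch in CONTROL_WS})
    return {
        "arg_len": len(args),
        "longest_ws_run": longest,
        "control_ws": control,
        "hidden_command": args.strip(),           # what the target actually receives once padding is removed
        "suspicious": longest >= min_run or bool(control),
    }


def scan_lnk(data: bytes, min_run: int = 32) -> dict:
    """Parse a .lnk and apply the padding heuristic to its COMMAND_LINE_ARGUMENTS field."""
    return whitespace_padding(parse_lnk_strings(data).get("arguments", ""), min_run)


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Assumed helper: build a minimal Unicode .lnk (no IDList, no LinkInfo) for constructing test samples."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_REL_PATH | HAS_ARGS | IS_UNICODE,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)      # ShowCommand 1 = SW_SHOWNORMAL

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + b"\x00\x00\x00\x00"  # TerminalBlock


# Constructed sample: 900 spaces push the real arguments out of the visible Target field.
SAMPLE_LNK = build_lnk("..\\Windows\\System32\\cmd.exe", " " * 900 + "/c echo padded-args-demo")

if __name__ == "__main__":
    # Scan the embedded sample, then any .lnk paths given on the command line.
    print("sample:", scan_lnk(SAMPLE_LNK))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_lnk(fh.read()))
```

Run it against a directory of shortcuts (`python scan_lnk.py *.lnk`) and triage anything marked `suspicious`, reading `hidden_command` for the command the target will actually receive. The threshold is a judgement call: legitimate shortcuts rarely carry more than a few consecutive spaces, while line feeds, vertical tabs and form feeds in an argument string are a strong signal on their own, so the check treats any of those as suspicious regardless of run length.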
