The number of ways that Windows shortcut (.LNK) files can be abused just keeps growing: a cybersecurity researcher has documented four new techniques to trick Windows users into running malicious actions through innocent-looking shortcuts.
Wietze Beukema demonstrated how to spoof the visible LNK destination, hide command-line arguments, and execute a different program than the one shown to the user, potentially offering attackers new vectors for phishing, USB-borne attacks, or initial access operations.
The disclosure adds to longstanding concerns about a flaw in LNK handling that has been repeatedly exploited by threat actors yet has proven difficult to fully eliminate.
Although Microsoft did not immediately respond to a request for comment on the disclosure, it has previously acknowledged risks in this area through security guidance, including a November 2025 advisory.
Until now, Microsoft has always stopped short of classifying Windows’ behavior with LNK files as a conventional “vulnerability,” but the sheer number of exploits that Beukema has demonstrated makes Microsoft’s position that this is just a UI issue harder to defend.
Bait and switch
Windows shortcuts serve as pointers to programs or documents, but they can store more than simple file paths. The LNK files can specify command-line arguments, working directories, icons, and other execution parameters, effectively acting as a launcher.
Beukema identified multiple previously undisclosed ways to create mismatches between what a Windows shortcut appears to target and what it actually launches. Because the LNK format allows the target path to be stored in several structures, including the “TargetIDList”, “EnvironmentVariableDataBlock”, and “LinkInfo” fields, Windows must choose which value to trust. That decision process can be manipulated.
According to Beukema, under normal conditions Windows Explorer prioritizes the EnvironmentVariableDataBlock entry when both it and the TargetIDList are present, displaying and executing that path. However, if the EnvironmentVariableDataBlock path is a syntactically invalid Windows file path, Explorer still displays it in the Properties dialog but silently falls back to the hidden TargetIDList path at runtime.
This allows a shortcut to present a harmless-looking destination while executing a different program entirely.
Other flaws Beukema disclosed exploit further fallback behaviors arising from conflicting metadata. If an EnvironmentVariableDataBlock is present but the LinkTargetIDList does not match it, Windows instead runs the executable named in the LinkInfo structure while continuing to display the EnvironmentVariableDataBlock path.
In a variant of this technique, supplying only the ANSI target value while leaving the paired Unicode field empty causes Explorer to treat the data as inconsistent: it displays a different path, taken from the LinkTargetIDList, disables the editable Target field, and hides the arguments. Yet the concealed ANSI path is what executes.
Together, these behaviors can potentially enable attackers to spoof the visible target, conceal the real one, and mislead users into launching unintended programs.
Hidden command-line arguments
Beyond target spoofing, Beukema demonstrated a technique for hiding malicious command-line instructions behind legitimate executables. LNK files can launch trusted Windows binaries while passing attacker-controlled instructions through embedded arguments, enabling “living-off-the-land” binary (LOLBin) execution without pointing directly to malware.
According to the researcher, this can be done by manipulating certain fields within the LNK “ExtraData” section that carry additional target metadata. Enabling the “HasExpString” flag and configuring the “EnvironmentVariableDataBlock” with its “TargetANSI/TargetUnicode” fields filled with null bytes produces what he described as “unexpected” results.
“First, it disables the target field, meaning the target field becomes read-only and cannot be selected,” Beukema said. “Secondly, it hides the command-line arguments; yet when the LNK is opened, it still passes them on.” The behavior can be exploited to launch a harmless system component while secretly executing arbitrary commands like downloading payloads or running scripts.
According to the disclosure, this is a better approach for attackers than exploiting CVE-2025-9491 because it is harder to detect: there are no visible, padded command lines to give it away.
Beukema noted that this technique, like the others he described, relies on Windows’ normal shortcut handling rather than on patchable bugs, meaning mitigation largely depends on treating untrusted LNK files as potentially dangerous and preventing users from opening them. “Microsoft argues that as it requires the user to do something, without breaking any security boundaries, it is not a security vulnerability,” he said. “This is not entirely unreasonable as ultimately, most of these boil down to being UI bugs.”
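The field-level mechanics described above (a target stored redundantly across the TargetIDList, EnvironmentVariableDataBlock and LinkInfo structures, an ANSI target with an empty Unicode twin, and an EnvironmentVariableDataBlock whose TargetAnsi/TargetUnicode fields are all null bytes while command-line arguments are still present) are exactly the inconsistencies a defender can check for when triaging shortcuts from mail attachments or removable media. The Python below is an added example written for this article; it is not the researcher's code and not anything from Microsoft. It parses the MS-SHLLINK layout (header LinkFlags, LinkTargetIDList, LinkInfo, StringData, ExtraData) and reports the mismatches the article describes. The finding names, the build_lnk fixture builder, the placeholder paths and the illegal-character heuristic for a "syntactically invalid" path are this example's own assumptions; it does not reproduce Explorer's actual resolution logic, it only flags metadata that Explorer would have to resolve.

```python
"""Flag .LNK (MS-SHLLINK) metadata inconsistencies that let the Properties dialog show one target while another launches. Added example, not the researcher's code."""
import struct

# ShellLinkHeader LinkFlags bits.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE, HAS_EXP_STRING = 0x01, 0x02, 0x80, 0x200
HAS_ARGUMENTS = 0x20
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
ENV_BLOCK_SIGNATURE, ENV_BLOCK_SIZE = 0xA0000001, 0x314  # EnvironmentVariableDataBlock: 8 + 260 ANSI + 520 Unicode
ILLEGAL_PATH_CHARS = set('<>"|?*')  # assumed heuristic for a syntactically invalid Windows path

def _read_string_data(buf, pos, unicode_):
    # StringData element: 2-byte CountCharacters followed by the characters, no terminator.
    count = struct.unpack_from("<H", buf, pos)[0]
    width = 2 if unicode_ else 1
    raw = buf[pos + 2:pos + 2 + count * width]
    return raw.decode("utf-16-le" if unicode_ else "latin-1", "replace"), pos + 2 + count * width

def parse_lnk(data):
    """Return the header flags, IDList item count, arguments and env-block targets."""
    if data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "idlist_items": 0, "arguments": None,
            "env_block": False, "env_ansi": None, "env_unicode": None}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize, then ItemIDs ending with a TerminalID
        size = struct.unpack_from("<H", data, pos)[0]
        idlist, pos = data[pos + 2:pos + 2 + size], pos + 2 + size
        i = 0
        while i + 2 <= len(idlist):
            item = struct.unpack_from("<H", idlist, i)[0]  # ItemIDSize includes itself
            if item < 2:
                break
            info["idlist_items"] += 1
            i += item
    if flags & HAS_LINK_INFO:  # LinkInfoSize is its first field; skip the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit in STRING_DATA_FLAGS:
        if flags & bit:
            text, pos = _read_string_data(data, pos, bool(flags & IS_UNICODE))
            if bit == HAS_ARGUMENTS:
                info["arguments"] = text
    while pos + 8 <= len(data):  # ExtraData: BlockSize, BlockSignature, body; size < 4 terminates
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == ENV_BLOCK_SIGNATURE and size == ENV_BLOCK_SIZE:
            body = data[pos + 8:pos + size]
            info["env_block"] = True
            info["env_ansi"] = body[:260].split(b"\x00", 1)[0].decode("latin-1")
            info["env_unicode"] = body[260:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        pos += size
    return info

def assess_lnk(data):
    """Return finding codes for the display/execution mismatches the article describes."""
    info = parse_lnk(data)
    findings = []
    if bool(info["flags"] & HAS_EXP_STRING) != info["env_block"]:
        findings.append("FLAG_BLOCK_MISMATCH")  # HasExpString disagrees with the block's presence
    if info["env_block"]:
        ansi, uni = info["env_ansi"], info["env_unicode"]
        if not ansi and not uni:
            findings.append("NULL_ENV_TARGET")  # Target field greyed out and arguments hidden...
            if info["arguments"]:
                findings.append("HIDDEN_ARGUMENTS")  # ...yet the arguments are still passed on
        elif ansi and not uni:
            findings.append("ANSI_ONLY_TARGET")  # dialog shows the IDList path, ANSI path runs
        shown = uni or ansi
        if set(shown) & ILLEGAL_PATH_CHARS and info["idlist_items"]:
            findings.append("INVALID_ENV_PATH")  # invalid path displayed, hidden IDList target runs
    return findings

def build_lnk(flags, idlist_items=(), arguments=None, env_ansi=None, env_unicode=None):
    """Assemble a minimal, constructed .LNK fixture to exercise the parser (not a usable shortcut)."""
    out = bytearray(struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags))
    out += bytes(HEADER_SIZE - len(out))  # attributes, timestamps, size, icon, show, hotkey, reserved
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist = b"".join(struct.pack("<H", len(it) + 2) + it for it in idlist_items) + b"\x00\x00"
        out += struct.pack("<H", len(idlist)) + idlist
    if flags & HAS_ARGUMENTS:
        out += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le" if flags & IS_UNICODE else "latin-1")
    if env_ansi is not None:
        out += struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIGNATURE)
        out += env_ansi.encode("latin-1").ljust(260, b"\x00") + env_unicode.encode("utf-16-le").ljust(520, b"\x00")
    return bytes(out + b"\x00\x00\x00\x00")  # TerminalBlock

# Constructed fixtures: placeholder item data and paths, no real binaries or commands.
ITEM, BASE = b"constructed-item", HAS_LINK_TARGET_ID_LIST | IS_UNICODE | HAS_EXP_STRING
NULL_ENV_SAMPLE = build_lnk(BASE | HAS_ARGUMENTS, (ITEM,), "placeholder-args", "", "")
ANSI_ONLY_SAMPLE = build_lnk(BASE, (ITEM,), None, r"X:\constructed\ansi-only", "")
BENIGN_SAMPLE = build_lnk(BASE, (ITEM,), None, r"X:\constructed\app", r"X:\constructed\app")

if __name__ == "__main__":
    for name, sample in [("null-env", NULL_ENV_SAMPLE), ("ansi-only", ANSI_ONLY_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, assess_lnk(sample) or "no findings")
```

In triage terms, NULL_ENV_TARGET together with HIDDEN_ARGUMENTS is the pattern from the hidden-arguments technique (a greyed-out Target field with arguments that Explorer will still pass on), ANSI_ONLY_TARGET is the ANSI/Unicode variant, and INVALID_ENV_PATH is the displayed-but-unusable path that makes Explorer fall back to the IDList. A shortcut whose environment-variable block matches and whose flag agrees with the block's presence, like BENIGN_SAMPLE, yields no findings, which keeps the check usable over large batches of ordinary shortcuts.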