TL;DR

  • A Windows shortcut (.LNK) zero-day (ZDI-CAN-25373) has been exploited by at least 11 state-sponsored groups since 2017 — spanning North Korea, Iran, Russia, and China [1].
  • Nearly 1,000 malicious .LNK samples are in the wild, targeting governments, military, financial, and telecom organizations across six continents [5].
  • Microsoft classified the flaw as "not meeting the bar for servicing" — no patch is coming [2].
  • You can protect your business today with endpoint controls, training, and file-handling policies — no vendor patch required.

What Is the Windows .LNK Zero-Day and Why Should Business Owners Care?

A Windows shortcut (.lnk) is a signpost on your desktop pointing to a program or document. ZDI-CAN-25373 lets attackers tamper with that signpost so it secretly triggers hidden commands when you follow it [1]. Attackers craft .lnk files that conceal dangerous command-line arguments behind megabytes of invisible whitespace. Windows displays what looks like a normal shortcut, but buried under the padding is a payload that downloads malware, opens a backdoor, or exfiltrates data. The malicious arguments are pushed far beyond what the UI can display, so users and many security tools never see them [1] [3]. Trend Micro's ZDI has tracked nearly 1,000 malicious .lnk artifacts in the wild [5]. This has been in active use for close to a decade.

[Related: What Is Zero-Day Vulnerability Management and Why SMBs Need It]

Who Is Exploiting ZDI-CAN-25373?

At least 11 state-sponsored groups have used this vulnerability [1] [6], including Evil Corp (Russia), Kimsuky and Konni (North Korea), Bitter (South Asia), and multiple APT clusters tied to China and Iran [9] [10]. Some focus on espionage, others on financial theft or military intelligence — yet they've all converged on the same unpatched flaw. Targets span governments, defense contractors, financial institutions, think tanks, and telecom operators across North America, Europe, Asia, South America, and Australia [5] [6]. When groups with that range of missions all rely on one technique, it works reliably at scale.

Why Won't Microsoft Patch This Vulnerability?

Microsoft's MSRC determined the issue "does not meet the bar for servicing with a security update" [2]. They consider this a UI limitation rather than a security boundary violation — the shortcut requires user interaction to execute, placing it in a gray zone under their servicing criteria. This isn't unprecedented — Microsoft has historically drawn firm lines between serviceable vulnerabilities and defense-in-depth improvements. But the distinction is cold comfort for businesses whose employees routinely open shortcut files [2] [8]. The takeaway: vendor patch cycles are just one layer in your security posture. You wouldn't rely on a single exercise for total fitness. Your cybersecurity works the same way.

[Related: Why Waiting for Vendor Patches Is Not a Security Strategy]

How Does the .LNK Exploit Actually Work?

The attack maps to MITRE ATT&CK T1204.002 (User Execution: Malicious File) [3]:

  1. Delivery: The attacker sends a .lnk file via email, USB, or file-sharing platform, disguised as a document or legitimate shortcut.
  2. Concealment: Malicious command-line arguments are padded with megabytes of whitespace. The Windows UI truncates the display, so the user sees only a benign path [1].
  3. Execution: Double-clicking runs the entire target field — including hidden commands that launch PowerShell scripts, download payloads, or execute code directly [3] [5].
  4. Post-exploitation: The attacker establishes persistence, moves laterally, and begins exfiltration [6] [10].

No memory corruption. No kernel exploit. Just a UI limitation hiding malicious intent in plain sight.

What Can Your Business Do Right Now to Stay Protected?

You don't need Microsoft to release a patch to defend against this. These steps are straightforward, proactive, and far cheaper than the alternative.

1. Restrict .LNK File Delivery

Configure your email gateway to quarantine .lnk attachments. Most businesses have no legitimate reason to email shortcut files [7] [8].

2. Enforce Application Whitelisting

Use AppLocker or Windows Defender Application Control to prevent unauthorized executables from launching via shortcut files [7].

3. Train Your Team — But Make It Practical

Awareness training means teaching your staff to pause before double-clicking unexpected files, the same way they'd think twice before opening their front door to someone they don't recognise. Focus on the habit, not the headline [8].

4. Deploy Endpoint Detection and Response (EDR)

EDR solutions inspect command-line arguments at execution time — including hidden ones the Windows UI won't show you [10].

5. Audit and Monitor Shortcut Files

Flag .lnk files with abnormally large sizes via SIEM or endpoint telemetry. Legitimate shortcuts are a few kilobytes; weaponized ones padded with whitespace can be megabytes [1] [5].
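As an added example (not code from the article, Trend Micro, or Microsoft), here is a small Python scanner for the two checks described in step 5 and in the concealment step above: it walks the Shell Link layout (fixed 0x4C-byte header, optional LinkTargetIDList and LinkInfo, then the StringData fields) to pull out the command-line arguments, then flags a long run of whitespace or an oversized file. The whitespace and size thresholds, the cp1252 fallback for non-Unicode strings, and the build_demo_lnk fixture are assumptions constructed for this demonstration.

```python
import struct

# CLSID {00021401-0000-0000-C000-000000000046} as stored on disk (little-endian fields).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08  # LinkFlags bits
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relpath", HAS_REL_PATH),
                 ("workdir", HAS_WORK_DIR), ("args", HAS_ARGS), ("icon", HAS_ICON))

def parse_lnk_strings(data):
    """Return the StringData fields of a .LNK (header -> optional IDList/LinkInfo -> strings)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:            # IDListSize (2 bytes) + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:          # LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:    # each field: CountCharacters + chars, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return fields

def scan_lnk(data, max_ws_run=32, size_limit=64 * 1024):
    """Findings for the two checks the article describes: padded arguments and oversized files.
    Thresholds are illustrative assumptions, not vendor-published values."""
    args = parse_lnk_strings(data).get("args", "")
    longest = run = 0
    for ch in args:                    # longest run of any Unicode whitespace
        run = run + 1 if ch.isspace() else 0
        longest = max(longest, run)
    return {"oversized": len(data) > size_limit, "padded_args": longest > max_ws_run,
            "longest_whitespace_run": longest, "visible_args": args.strip()}

def build_demo_lnk(args, relpath="demo-target.exe"):
    """Constructed test fixture only: a minimal .LNK with RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_REL_PATH | HAS_ARGS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + string_data(relpath) + string_data(args)
```

Run scan_lnk over the bytes of each shortcut your telemetry collects; a hit on padded_args or oversized is the signal step 5 asks you to alert on.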

6. Align with a Framework

Whether it's NIST CSF 2.0 [8], the Essential Eight [7], or CIS Controls, a structured approach means you never rely on a single vendor's decision to protect your business.

[Related: The Essential Eight — A Practical Guide for Small Businesses]

FAQ

Every Windows organization has potential exposure, but risk depends on your controls. Blocking .lnk attachments, enforcing application whitelisting, and running EDR drops your effective risk dramatically — even without a vendor patch [7] [8].

No. Microsoft has not assigned a CVE because it classified the issue as not meeting the servicing bar [2]. Trend Micro tracks it under ZDI-CAN-25373. The absence of a CVE does not diminish the real-world exploitation evidence [1].

Traditional signature-based antivirus may miss them because the padding evades static analysis. EDR platforms that inspect command-line execution at runtime are far more effective [10] [5].

Block .lnk files at email and web gateways — that's a strong, low-friction mitigation. Internally, shortcuts are part of normal Windows operation, so focus on controlling how they enter your environment [7].

Government, military, financial, think-tank, and telecom sectors are primary targets — but supply-chain relationships mean any business connected to these sectors inherits some of that risk [5] [6].

References

[1] Trend Micro Zero Day Initiative, "ZDI-CAN-25373: Windows .lnk File Zero-Day," Trend Micro, Mar. 2026.

[2] Microsoft Security Response Center, "MSRC Case Tracking," Microsoft, Mar. 2026.

[3] MITRE, "ATT&CK Technique T1204.002: User Execution: Malicious File," MITRE ATT&CK, 2025.

[4] CISA, "Known Exploited Vulnerabilities Catalog," CISA.gov, 2026.

[5] Trend Micro, "Water Hydra APT Group Exploits Windows Shortcut Vulnerability," Trend Micro Research, Mar. 2026.

[6] Mandiant, "APT Trends Report Q1 2026," Google Cloud Security, 2026.

[7] ASD Australian Signals Directorate, "Essential Eight Maturity Model," Australian Government, 2025.

[8] NIST, "NIST Cybersecurity Framework 2.0," NIST, 2024.

[9] Kaspersky, "APT Trends Report Q1 2026," Kaspersky Global Research, 2026.

[10] CrowdStrike, "2026 Global Threat Report," CrowdStrike, Feb. 2026.


Your security posture is something you build — not something you wait for a vendor to hand you. If you want a clear-eyed assessment of where your business stands and a practical plan to strengthen it, let's talk.

TL;DR

  • There's a trick that lets bad actors hide dangerous commands inside normal-looking Windows shortcut files — and 11 government-backed hacking groups have been using it since 2017 [1].
  • Microsoft knows about it but won't fix it [2].
  • You can protect yourself by controlling what files enter your network and what they're allowed to do.

The Simple Explanation

Imagine your desktop shortcuts are labelled doors. You trust the labels and walk through without thinking. Now imagine someone taped a secret instruction to the back of a door — hidden behind pages of blank paper — saying "quietly unlock the back window" [1].

That's this vulnerability. Attackers create shortcut files (.lnk files) containing hidden commands padded with megabytes of invisible space. Windows only shows the normal label. When you double-click, it runs everything — including the secret part [1] [3].

Trend Micro found nearly 1,000 booby-trapped shortcuts used by hacking groups from North Korea, Russia, China, and Iran [5] [6]. Microsoft says it doesn't qualify for a fix [2].

What You Can Do About It

You don't need to wait for Microsoft. Add your own locks:

  1. Block .lnk files in email. Nobody outside your company needs to send you shortcut files [7].
  2. Use application controls. Only approved programs should run — like a guest list for your house [7] [8].
  3. Watch for oversized shortcut files. Normal shortcuts are a few KB; weaponized ones are megabytes [1].
  4. Use EDR software. It reads hidden commands Windows won't show you and stops them before they run [10].

FAQ

No — you must double-click it for the hidden command to run. Train your team to pause before opening unexpected files [3].

They consider it a display issue, not a security boundary break [2]. That's why layering your own defenses matters.

Big targets come first, but attackers reuse successful techniques on smaller ones. Building good habits now keeps you ahead [5] [10].

Want help making sure your business has the right locks on every door — not just the ones your vendors choose to fix? Let's talk.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
