Microsoft silently patches in Windows LNK files remote code execution flaw (CVE-2025-9491)
Vulnerability
Summary
Windows LNK shortcut files remain the focus of this vulnerability thread: CVE-2025-9491 / ZDI-CAN-25373 is being used in September-October 2025 spear-phishing attacks by UNC6384 against European diplomatic and government entities in Hungary, Belgium, Italy, the Netherlands, and Serbia. The malicious LNK files use diplomatic lures and a hidden command chain to deploy PlugX through DLL side-loading, with related payloads including CanonStager and cnmplog.dat. The flaw has a history of abuse by multiple threat actors, and Microsoft previously said it had detections and protections in place through Microsoft Defender and Smart App Control.
Related Happenings
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
CISA KEV order for BlueHammer patching
Public Sector Action
First: 23.04.2026 14:05
Last: 23.04.2026 14:05
Sources 1
About this happening:
**CISA** ordered **Federal Civilian Executive Branch agencies** to patch **Windows** systems against **CVE-2026-33825** within **two weeks** after adding the flaw to the **KEV Cat...
CISA orders FCEB remediation for CVE-2025-60710
Public Sector Action
First: 15.04.2026 17:51
Last: 15.04.2026 17:51
Sources 1
About this happening:
CISA added **CVE-2025-60710** to its **actively exploited** catalog and gave **FCEB agencies** **two weeks** to secure systems under **BOD 22-01**. The move targets a **Windows Ta...
Fake Claude PlugX phishing campaign
Campaign
First: 13.04.2026 12:52
Last: 13.04.2026 12:52
Sources 1
About this happening:
A **February** phishing campaign used a **fake Claude website** and **fake meeting invitations** to deliver **PlugX** malware to recipients, turning a popular AI brand into a malw...
Latest development: 07.05.2026 13:02
A fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to sideload DonutLoader and load the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command-and-control over TCP 443 and/or UDP 8080, and related Beagle samples were submitted to VirusTotal between February and April this year.
ClickFix Windows Terminal Lumma Stealer campaign
Campaign
First: 06.03.2026 08:44
Last: 06.03.2026 08:44
Sources 1
About this happening:
A **widespread ClickFix** campaign is abusing **Windows Terminal (wt.exe)** to run malicious commands and deploy **Lumma Stealer**, expanding the risk of credential theft and brow...
Timeline
- 12.02.2026 23:01 · 2 articles · 3mo ago
Wietze Beukema discloses Windows LNK spoofing techniques
Initial Disclosure: Wietze Beukema disclosed four previously unknown Windows LNK shortcut spoofing techniques at Wild West Hackin' Fest, showing how malformed .lnk files can make Windows Explorer display a benign target such as invoice.pdf while executing PowerShell or another hidden command and hiding command-line arguments. The release also included lnk-it-up, an open-source suite for generating and inspecting suspicious LNK files. Microsoft said the issues do not meet its immediate servicing bar, pointing instead to Microsoft Defender, Smart App Control, and Internet-download warnings for .lnk files.
Sources:
- Microsoft: New Windows LNK spoofing issues aren't vulnerabilities — www.bleepingcomputer.com — 12.02.2026 23:01
- 03.12.2025 19:46 · 2 articles · 5mo ago
Microsoft silently patches CVE-2025-9491 LNK flaw
Mitigation / Patch Update: Microsoft silently patched CVE-2025-9491 in Windows Shortcut (LNK) files during the November 2025 Patch Tuesday, changing the Properties dialog to show the full Target command with arguments instead of truncating content after 260 characters; 0patch separately released a micropatch that warns when an LNK file's arguments exceed 260 characters.
Sources:
- Microsoft Silently Patches Windows LNK Flaw After Years of Active Exploitation — thehackernews.com — 03.12.2025 19:46
- China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats — thehackernews.com — 31.10.2025 15:57
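The timeline entry above describes the mechanism behind the fix: the old Properties dialog showed only the first 260 characters of the Target field, so a shortcut whose arguments were padded past that point displayed as benign. The following is an added example for this page (not code from Microsoft, 0patch, or any of the cited sources) of the same check a defender can run offline over collected .lnk files: it parses the ShellLinkHeader and StringData per the public MS-SHLLINK layout, skips the IDList and LinkInfo blocks by their size fields, and flags arguments that exceed the 260-character display limit or carry large leading-whitespace padding. The `build_lnk` helper, the sample shortcuts, the 32-character padding threshold, and the fact that only the argument string is counted (the real Target field also includes the path, so it reaches the limit sooner) are all assumptions of this example.

```python
"""Flag LNK shortcuts whose arguments the pre-patch Properties dialog would have hidden.

Constructed example for this page; not Microsoft, 0patch or vendor code.
Layout follows MS-SHLLINK (ShellLinkHeader, optional IDList/LinkInfo, StringData).
"""
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DISPLAY_LIMIT = 260       # characters the old Target field displayed (per the page)
PADDING_THRESHOLD = 32    # assumed threshold for suspicious leading whitespace


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal, structurally valid LNK with header and StringData only."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    # FileAttributes, timestamps, FileSize, IconIndex, ShowCommand, HotKey, Reserved*: zeroed
    header += b"\x00" * (HEADER_SIZE - len(header))

    def counted(s: str) -> bytes:  # CountCharacters (2 bytes) + UTF-16LE string
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + counted(relative_path) + counted(arguments)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields present in a shortcut."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated {name} count")
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} string")
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
        pos += nbytes
    return {"flags": flags, **fields}


def assess_arguments(args: str, limit: int = DISPLAY_LIMIT) -> dict:
    """Describe what a 260-character Target field would have hidden from the user."""
    padding = len(args) - len(args.lstrip(" \t\r\n"))
    hidden_tail = args[limit:] if len(args) > limit else ""
    return {
        "length": len(args),
        "exceeds_display_limit": len(args) > limit,
        "leading_whitespace": padding,
        "hidden_tail": hidden_tail.strip(),
        "suspicious": len(args) > limit or padding >= PADDING_THRESHOLD,
    }


def scan_lnk(data: bytes) -> dict:
    parsed = parse_lnk(data)
    verdict = assess_arguments(parsed.get("arguments", ""))
    verdict["relative_path"] = parsed.get("relative_path")
    return verdict


# Constructed samples: a plain shortcut and one with arguments pushed past the limit
SAMPLE_BENIGN = build_lnk(".\\notepad.exe", "readme.txt")
SAMPLE_PADDED = build_lnk(".\\notepad.exe", " " * 300 + "constructed-hidden-argument.txt")

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("padded", SAMPLE_PADDED)):
        print(label, scan_lnk(blob))
```

Run it over files collected from a mail gateway or an endpoint's Downloads folder by passing each file's bytes to `scan_lnk`; a `suspicious` verdict with a non-empty `hidden_tail` is what the November 2025 change now makes visible in the dialog itself.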