Find notable cyber news and cases, enriched with sources, timelines, and signals.

Microsoft silently patches in Windows LNK files remote code execution flaw (CVE-2025-9491)

Vulnerability
First reported
Last updated
Happening score
H score 32
2 unique sources, 3 articles

Summary

Hide ▲

Windows LNK shortcut files remain the focus of this vulnerability thread: CVE-2025-9491 / ZDI-CAN-25373 is being used in September-October 2025 spear-phishing attacks by UNC6384 against European diplomatic and government entities in Hungary, Belgium, Italy, the Netherlands, and Serbia. The malicious LNK files use diplomatic lures and a hidden command chain to deploy PlugX through DLL side-loading, with related payloads including CanonStager and cnmplog.dat. The flaw has a history of abuse by multiple threat actors, and Microsoft previously said it had detections and protections in place through Microsoft Defender and Smart App Control.

Related Happenings

ScarCruft NarwhalRAT spear-phishing malware activity

Malware Activity
H score23 First: 16.06.2026 11:14 Last: 16.06.2026 11:14 Sources 1

About this happening: **ScarCruft (APT37)** is using **spear-phishing emails** that impersonate **Microsoft Account security alerts** to deliver **NarwhalRAT**, creating a **multi-stage malware** threa...

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score49 First: 02.06.2026 21:21 Last: 02.06.2026 21:21 Sources 1

About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
H score39 First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

CISA KEV order for BlueHammer patching

Public Sector Action
H score37 First: 23.04.2026 14:05 Last: 23.04.2026 14:05 Sources 1

About this happening: **CISA** ordered **Federal Civilian Executive Branch agencies** to patch **Windows** systems against **CVE-2026-33825** within **two weeks** after adding **BlueHammer** to the **K...

CISA orders FCEB remediation for CVE-2025-60710

Public Sector Action
H score34 First: 15.04.2026 17:51 Last: 15.04.2026 17:51 Sources 1

About this happening: CISA added **CVE-2025-60710** to its **actively exploited** catalog and gave **FCEB agencies** **two weeks** to secure systems under **BOD 22-01**. The move targets a **Windows Ta...

Timeline

  1. 12.02.2026 23:01 2 articles · 4mo ago

    Wietze Beukema discloses Windows LNK spoofing techniques

    Initial Disclosure

    Wietze Beukema disclosed four previously unknown Windows LNK shortcut spoofing techniques at Wild West Hackin' Fest, showing how malformed .lnk files can make Windows Explorer display a benign target such as invoice.pdf while executing PowerShell or another hidden command and hiding command-line arguments. The release also included lnk-it-up, an open-source suite for generating and inspecting suspicious LNK files, and Microsoft said the issues do not meet its immediate servicing bar while pointing to Microsoft Defender, Smart App Control, and Internet-download warnings for .lnk files.

    Show sources
  2. 03.12.2025 19:46 2 articles · 7mo ago

    Microsoft silently patches CVE-2025-9491 LNK flaw

    Mitigation Patch Update

    Microsoft silently patched CVE-2025-9491 in Windows Shortcut (LNK) files during November 2025 Patch Tuesday, changing the Properties dialog to show the full Target command with arguments instead of truncating content after 260 characters; 0patch separately released a micropatch that warns when an LNK file exceeds 260 characters.

    Show sources