Microsoft has been making significant progress in enhancing the security of Windows, a responsibility that encompasses protecting billions of devices. Nevertheless, there are instances when it appears that certain vulnerabilities are not being resolved as swiftly as they ought to be.
A prime example involves a vulnerability related to .lnk shortcuts that has been leveraged to trigger malware downloads. Trend Micro discovered this flaw in 2024 and reported it to Microsoft in September of the same year.
According to experts at Trend Micro, this vulnerability has been exploited since at least 2017, with nearly a thousand instances of these misleading links identified in active circulation.
These links are constructed with an excess of whitespace characters, which can deceive antivirus software and other security systems, as per Trend Micro. The attacks seem to arise exclusively from four nations: North Korea, China, Russia, and Iran. Most of these attacks are linked to state-sponsored actors, primarily aiming for information theft and espionage, targeting government entities first, followed by private corporations, financial organizations, think tanks, and telecom companies.
The attackers use these shortcuts to download and install various malware strains onto compromised systems. Prominent examples include Lumma Stealer and GuLoader, among others.
Despite bringing these concerns to light, Microsoft has not yet taken action. Trend Micro felt compelled to disclose this information publicly due to the lack of a response from Microsoft. Researchers caution that this threat “poses a significant risk” to the confidentiality, integrity, and availability of data held by governments, critical infrastructure, and private organizations globally.
Trend Micro noted that Microsoft has rated the issue as low severity, implying that a resolution may not be on the horizon in the “immediate future.”
In a comment to The Register, a Microsoft spokesperson advised users to “exercise caution when downloading files from unknown sources.”
While local Windows systems have the capability to analyze shortcut files, the challenge resides in the fact that these links are intentionally crafted to evade detection. Consequently, users may not recognize the exploit when investigating the shortcut link, as highlighted by Trend Micro.
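The padding technique described above (shortcut arguments prefixed with a large run of whitespace so that the real command is pushed out of view) is something a defender can check for directly, because the Shell Link format is documented and the arguments are stored in a fixed place. The following is an added example, not code from the article or from Trend Micro: a minimal parser for the StringData section of a .lnk file, plus a check that measures the leading whitespace in the COMMAND_LINE_ARGUMENTS string. The `build_sample_lnk` helper only constructs a test fixture (a header with the HasArguments and IsUnicode flags set, followed by one arguments string); the padding threshold of 32 characters and the harmless `/c echo` argument are assumptions chosen for the demonstration.

```python
import struct

# Layout per the public MS-SHLLINK specification: a 76-byte ShellLinkHeader,
# optional LinkTargetIDList and LinkInfo blocks, then StringData entries.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData entries appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Whitespace code points treated as padding (assumption for this check).
PADDING_CHARS = " \t\r\n\x0b\x0c"


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link file as a dict."""
    if (len(data) < LNK_HEADER_SIZE
            or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize (uint16) is followed by that many bytes of item IDs.
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        # LinkInfoSize (uint32) counts itself, so it is the whole block length.
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        fields[name] = (raw.decode("utf-16-le") if unicode
                        else raw.decode("cp1252", errors="replace"))
    return fields


def leading_padding(arguments: str) -> int:
    """Number of leading whitespace characters in the arguments string."""
    return len(arguments) - len(arguments.lstrip(PADDING_CHARS))


def assess_lnk(data: bytes, threshold: int = 32) -> dict:
    """Flag a shortcut whose arguments begin with an unusual run of whitespace."""
    args = parse_lnk_strings(data).get("arguments", "")
    pad = leading_padding(args)
    return {
        "padding": pad,
        "suspicious": pad >= threshold,
        # What an analyst would actually want to read: the command after the padding.
        "visible_arguments": args.strip(PADDING_CHARS)[:200],
    }


def build_sample_lnk(arguments: str) -> bytes:
    """Construct a minimal .lnk test fixture carrying only an arguments string."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)  # LinkFlags
    header += struct.pack("<I", 0)                           # FileAttributes
    header += b"\x00" * 24                                   # three FILETIMEs
    # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1-3
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)
    assert len(header) == LNK_HEADER_SIZE
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


if __name__ == "__main__":
    # Constructed samples: a normal shortcut and one padded with 200 spaces.
    for label, args in (("clean", "/c echo hello"),
                        ("padded", " " * 200 + "/c echo hello")):
        print(label, assess_lnk(build_sample_lnk(args)))
```

Run on a directory of downloaded shortcuts, the `padding` count is the signal to alert on; the `visible_arguments` field gives an analyst the command that the padding was meant to hide. The parser deliberately stops at the StringData section, since ExtraData blocks that follow it are not needed for this check.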
Some security solutions may already be capable of identifying these malicious shortcuts; others are expected to add detection in the near future.