Situation
Solution
The core problem stems from how Windows displays shortcut (LNK) files. If you’ve ever checked the properties of a shortcut, you know there is a field called “Target” that shows the command the shortcut executes. Historically, the Windows UI displayed only the first 260 characters of that Target field.
Attackers figured out they could programmatically construct LNK files with extremely long command strings, sometimes tens of thousands of characters long, and then pad the beginning of that string with whitespace characters. This trick pushed the actual malicious code, which deployed tools like remote access trojans (RATs) and loaders, completely out of the user’s view.
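As an added defensive example (not code from the article, Trend Micro or 0patch), the following Python walks the MS-SHLLINK layout of a .lnk file to the arguments string that the Target field appends to the target path, and applies the 260-character check described above: is the string longer than the old display limit, and is the visible prefix nothing but whitespace? `build_sample_lnk` is a constructed, target-less fixture (header plus arguments only, so it is not a usable shortcut) that lets the check run offline; the constant names follow the specification, the function names are this example's own.

```python
import struct
# LinkFlags bits from the MS-SHLLINK ShellLinkHeader (offset 20 of the 76-byte header).
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
UI_LIMIT = 260  # characters the legacy Properties dialog showed in the Target field

def parse_string_data(lnk: bytes) -> dict:
    """Skip the header, IDList and LinkInfo, then return the StringData members by name."""
    if len(lnk) < 76 or struct.unpack_from("<I", lnk, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", lnk, 20)[0]
    off = 76
    if flags & HAS_ID_LIST:      # LinkTargetIDList: u16 IDListSize, then the list
        off += 2 + struct.unpack_from("<H", lnk, off)[0]
    if flags & HAS_LINK_INFO:    # LinkInfo: u32 LinkInfoSize that includes itself
        off += struct.unpack_from("<I", lnk, off)[0]
    out = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                      ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                      ("icon_location", HAS_ICON)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", lnk, off)[0]   # CountCharacters, not bytes
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw, off = lnk[off:off + width * count], off + width * count
        out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return out

def assess_arguments(args: str) -> dict:
    """Flag the padding trick: a long argument string whose visible prefix is all blank."""
    stripped = args.lstrip()
    return {
        "length": len(args),
        "exceeds_ui_limit": len(args) > UI_LIMIT,
        "leading_whitespace": len(args) - len(stripped),
        "visible_part_blank": args[:UI_LIMIT].strip() == "",
        "hidden_tail": stripped[:60],   # what the user would have had to scroll to see
    }

def scan(lnk: bytes) -> dict:
    return assess_arguments(parse_string_data(lnk).get("arguments", ""))

def build_sample_lnk(arguments: str) -> bytes:
    """Constructed fixture: header plus an arguments string, no target, so not a usable shortcut."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID 00021401-...-46
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid, HAS_ARGS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Run `scan(open(path, "rb").read())` over extracted archive contents; a result with `exceeds_ui_limit` and `visible_part_blank` both true is exactly the pattern the article describes.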
Since the user was only seeing a field full of harmless spaces, they had no idea what was about to execute when they double-clicked the file. Unfortunately, this wasn’t some theoretical threat. Trend Micro analysts discovered back in March that this vulnerability had been exploited widely, with campaigns dating back as far as 2017.
The researchers found close to a thousand malicious shortcuts in the wild. High-profile threat actors like Evil Corp, APT37, Bitter, and the Chinese state-backed Mustang Panda were all leveraging this trick to deploy malware, including Ursnif, Gh0st RAT, and Trickbot. Arctic Wolf Labs specifically noted that Mustang Panda used the flaw in zero-day attacks targeting European diplomats in nations like Hungary and Belgium, pushing the PlugX RAT onto compromised systems.
The attacks relied on the victims opening the malicious LNK file. Threat actors usually distribute these files inside ZIP or other archives because email providers are smart enough to block raw .lnk attachments due to their risky nature.
ACROS Security CEO and 0patch co-founder Mitja Kolsek noticed that Microsoft had silently changed how the Properties dialog behaves. Now, when you open the properties of an LNK file, the Target field shows all characters, no matter how long the string is.
While restoring trust in the UI is definitely a step in the right direction, it’s not a full fix. The update doesn’t remove the malicious arguments already present in existing LNK files, and the user receives no warning that the Target string is unusually long.
If a threat actor constructs a command string that is thousands of characters long, only the most security-conscious users are going to bother scrolling all the way across that tiny field to find the hidden code. For the average person, this change doesn’t really offer much practical protection against social engineering.
Because of the limitations of Microsoft’s silent fix, ACROS Security decided to release its own unofficial patch through the 0patch micropatch platform. Instead of just showing the full string, the 0patch solution limits all shortcut target strings to 260 characters. If a shortcut file exceeds that length, the patch cuts the command short and alerts the user to the potential danger.