Campaign of the month

Investigating CVE-2025-9491: Hidden arguments in .LNK enable stealthy in-memory attacks

In late 2025, a critical vulnerability tracked as CVE-2025-9491 (ZDI-CAN-25373) exposed a dangerous weakness in how Windows handles shortcut files. The flaw allows attackers to embed hidden command-line arguments in a .LNK file's Target field: arguments that are not visible in the Windows Properties dialog because of a user interface truncation issue (CWE-451: UI Misrepresentation). This campaign demonstrates how even small interface flaws can yield outsized operational impact. Let's dive deeper into this critical vulnerability.

What are Windows Shell Link (.LNK) files?

Windows Shell Link (.LNK) files are among the most common elements in everyday computing, used to launch applications, open documents, or access folders with a single click. Their deep integration across the Windows ecosystem makes them an essential productivity feature and an equally attractive attack surface for adversaries seeking to turn routine user actions into covert code execution.

Overview of the CVE-2025-9491 vulnerability

The CVE-2025-9491 (ZDI-CAN-25373) vulnerability exposes a critical weakness in the .LNK mechanism, specifically in how the Windows interface displays and executes shortcut Target paths. This flaw enables attackers to embed hidden command-line arguments within a .LNK file that are invisible to users in the Properties dialog yet fully executed by the operating system on double-click. In effect, a single click on a seemingly benign shortcut can silently launch PowerShell or other living-off-the-land utilities, giving adversaries remote code execution without any visible warning or user consent. Recognizing the severity of this vulnerability is essential for defenders.
Although Microsoft has not yet released a patch, the exploitation of CVE-2025-9491 by a state-linked APT underscores how quickly advanced actors can weaponize subtle user-interface flaws for stealthy, long-term infiltration. Immediate mitigations such as blocking or sandboxing .LNK and .HTA content, enforcing application control policies, and monitoring anomalous PowerShell behavior are crucial.

Attack chain of the exploited CVE-2025-9491

When CVE-2025-9491 is exploited, the attack chain unfolds methodically.

Initial entry point: Delivery of spear-phishing emails containing embedded URLs leading to malicious LNK files disguised as legitimate diplomatic documents.

Exploitation technique: Abuse of the LNK UI misrepresentation flaw to execute hidden PowerShell commands that unpack and side-load a trusted Canon-signed binary (cnmpaui.exe), which in turn loads a malicious DLL and decrypts the PlugX RAT directly in memory.

Impact: Deployment of the PlugX Remote Access Trojan, providing persistent espionage capabilities, in-memory execution, and command-and-control communications over HTTPS, all under the guise of a legitimate Canon process.

What you'll learn in this spotlight

The events surrounding CVE-2025-9491 underscore two enduring lessons: user interface trust can be weaponized, and seemingly benign system features can conceal fully capable malware delivery mechanisms. Dive into the spotlight above to learn everything you need to know about CVE-2025-9491:

Deep dive into the CVE-2025-9491 vulnerability

Detailed anatomy and technical analysis of the attack chain

Evasion techniques, as well as defense and mitigation methods

Past campaigns

Understanding React2Shell: Remote code execution, credential theft, and cloud compromise

The CVE-2025-55182 vulnerability in React Server Components, also known as React2Shell, exposes a critical security weakness arising from insecure deserialization in the RSC "Flight" protocol. This vulnerability enables attackers to achieve unauthenticated remote code execution on a target server simply by sending a specially crafted HTTP request. The flaw effectively turned a core rendering mechanism of modern […]

Understanding LLM and RAG attacks: From general threats to targeted prompt injection

Large Language Models (LLMs) have moved from research labs into production systems at a pace that would make any CISO nervous. They now power customer support workflows, developer copilots, business intelligence assistants, and even semi-autonomous agents that can read internal documents, call APIs, and trigger changes in production systems. To overcome the limitations of static […]

Investigate how ShinyHunters used vishing to compromise Salesforce instances

In June 2025, Google's Threat Intelligence Group (GTIG) publicly documented a financially motivated threat cluster, UNC6040, that specializes in voice-phishing (vishing) to compromise enterprise Salesforce instances at scale. Let's take a closer look at what exactly vishing is, and how UNC6040,
CVE-2025-9491 (CVSS 7.8