Trust Me, I’m A ShortCut: New Link Abuse Methods

Windows shortcut (.LNK) files have remained a consistent attack vector for over several decades, yet their underlying format is still largely archaic and remains the "gift that keeps on giving" by presenting new opportunities for abuse, even in 2025. This talk provides, after showing an overview of the LNK file structure that outlines its quirks and legacy design choices that contribute to persistent security weaknesses, several novel and previously undocumented techniques will be presented that enable more stealthy, deceptive, and flexible payload delivery/command execution through LNK files than those currently known. We will look at why these new techniques 'work', compare them to existing LNK tricks, and discuss the implications for defenders. The research involved developing a custom testing framework aimed at black-box testing and probing Microsoft’s LNK parsing implementation, revealing subtle flaws and unexpected behaviours exploitable by attackers. We will discuss how adopting a "hackers's mindset" helps in uncovering new methods for abuse like this; and how this way of thinking can benefit everyone active in cyber security, regardless of your sub-discipline or specialisation. Finally, this session will also introduce an open-source tool designed to assist security professionals, red teams, and researchers in generating and experimenting with advanced LNK payloads. This tool aims to enhance the ability to simulate and defend against sophisticated shortcut-based attacks, thereby improving Windows endpoint security.