Can a .lnk file alone install malware?

Yes, in two distinct ways. Historically, parsing bugs in Windows itself (CVE-2010-2568 / Stuxnet, CVE-2017-8464) let a crafted .lnk run code just by being displayed in Explorer. Today, the more common pattern is a benign-looking .lnk whose Target is cmd.exe or powershell.exe with arguments that download and run a real payload.

Why did attackers shift from Office macros to .lnk files?

In 2022 Microsoft began blocking VBA macros in Office documents downloaded from the internet by default. That broke the dominant phishing chain, so threat actors pivoted to ISO and ZIP archives carrying a .lnk inside. The .lnk runs PowerShell or rundll32 against a sidecar payload, a workflow that bypasses Mark-of-the-Web propagation in some configurations.

Will antivirus catch a malicious .lnk?

Modern endpoint products inspect the link's target, arguments and ExtraData blocks and flag suspicious patterns (powershell -enc, hidden window, mismatched icon, sandbox-evasion strings). Because each campaign generates fresh .lnk files trivially, signature-only AV often misses zero-day variants. Behavioural detection on the resulting child process is more reliable.

How do I safely inspect a suspicious .lnk?

Never double-click. Use a parser (this site's, LECmd, lnkparse3, or libyal's lnkinfo) on an isolated machine or, better, drop the file into a browser parser that runs locally in WebAssembly. Look at the Target, Arguments, WorkingDirectory and IconLocation fields. If the icon advertises a PDF or Word file but the target is cmd.exe, you are looking at malware.

Can a .lnk file alone install malware?

Yes, in two distinct ways. Historically, parsing bugs in Windows itself (CVE-2010-2568 / Stuxnet, CVE-2017-8464) let a crafted .lnk run code just by being displayed in Explorer. Today, the more common pattern is a benign-looking .lnk whose Target is cmd.exe or powershell.exe with arguments that download and run a real payload.

Why did attackers shift from Office macros to .lnk files?

In 2022 Microsoft began blocking VBA macros in Office documents downloaded from the internet by default. That broke the dominant phishing chain, so threat actors pivoted to ISO and ZIP archives carrying a .lnk inside. The .lnk runs PowerShell or rundll32 against a sidecar payload, a workflow that bypasses Mark-of-the-Web propagation in some configurations.

Will antivirus catch a malicious .lnk?

Modern endpoint products inspect the link's target, arguments and ExtraData blocks and flag suspicious patterns (powershell -enc, hidden window, mismatched icon, sandbox-evasion strings). Because each campaign generates fresh .lnk files trivially, signature-only AV often misses zero-day variants. Behavioural detection on the resulting child process is more reliable.

How do I safely inspect a suspicious .lnk?

Never double-click. Use a parser (this site's, LECmd, lnkparse3, or libyal's lnkinfo) on an isolated machine or, better, drop the file into a browser parser that runs locally in WebAssembly. Look at the Target, Arguments, WorkingDirectory and IconLocation fields. If the icon advertises a PDF or Word file but the target is cmd.exe, you are looking at malware.

LNK file malware: how Windows shortcuts get weaponized

Shortcut files have been a reliable Windows malware delivery vector for fifteen years and counting. They are small, they look harmless in Explorer, the extension is hidden by default, and the format lets them launch any executable with any arguments under any icon. CISA, Mandiant, Trellix and SentinelOne reports from 2023 onward keep flagging the same pattern: .lnk is back at the top of the initial-access toolkit. The shift is real, and the trick is that there is nothing to patch — the abuse uses legitimate fields exactly as specified.

Two flavours of LNK abuse

Parser exploitation

A small number of CVEs have let a Shell Link execute code simply because Explorer rendered it.

CVE-2010-2568 — the parsing bug Stuxnet used to spread via USB drives. Explorer auto-loaded a malicious DLL while drawing the shortcut's icon. No clicks needed.
CVE-2017-8464 — same family, broader. Patched, but unpatched systems remained targets for years.
CVE-2020-0729, CVE-2022-37969 — later parser-side issues with smaller blast radius.

Modern Windows patches the parser, so this class is rare in 2026. The active threat is everything in the next section.

Weaponizing legitimate fields

The Shell Link spec lets a shortcut launch anything with any arguments under any icon. Current campaigns abuse exactly that, no exploit required:

Target points at C:\Windows\System32\cmd.exe, powershell.exe, mshta.exe, rundll32.exe, regsvr32.exe, or a recently popular living-off-the-land binary. Rarely the application the icon pretends to be.
Arguments carry a one-liner that downloads or decodes a payload — -enc <base64>, iex (iwr http://...), mshta http://..., rundll32 .\loader.dll,Entry, or AMSI bypass strings.
WorkingDirectory points at the ISO/ZIP root or %TEMP% / %APPDATA%, so a sidecar DLL or script resolves with a relative path.
IconLocation resolves to a system DLL — imageres.dll,-187 is the PDF icon, imageres.dll,-3 is Word — to match the lure's filename. Invoice_April.pdf.lnk rendered with a PDF icon.

Since 2022, when Microsoft began blocking VBA macros in Mark-of-the-Web-tagged Office docs, this is the dominant phishing pattern: ZIP or ISO containers, .lnk inside, sidecar payload that the LNK invokes. Qakbot, Bumblebee, IcedID, Emotet revivals, and most of the 2023-2025 ransomware affiliate intake have used it.

What a malicious LNK looks like under the hood

Parse a real-world phishing .lnk (drop it in the parser on the home page — no upload, no execution) and you will typically see:

LinkInfo → LocalBasePath = C:\Windows\System32\cmd.exe or powershell.exe. Not the file the icon pretends to be.
StringData → COMMAND_LINE_ARGUMENTS containing -enc, -EncodedCommand, iex, IEX, Invoke-Expression, mshta, rundll32.exe, regsvr32.exe, URLs, or base64 blobs longer than the original LNK is plausibly entitled to carry.
StringData → WORKING_DIR pointing at the ISO/ZIP root or %TEMP% / %APPDATA%.
StringData → ICON_LOCATION pointing into imageres.dll or shell32.dll, not a real file.
ShellLinkHeader → ShowCommand = 7 (minimized). Keep the cmd window out of view.
ExtraData blocks rich enough to leak the attacker's build machine through the TrackerDataBlock's NetBIOS name and droid GUID. Several public attribution wins came from exactly that — Lazarus, APT37, APT41 reports cite it explicitly.
LinkFlags with HasArguments and HasIconLocation set, often with IsUnicode and HasExpString for the EnvironmentVariableDataBlock that resolves %USERPROFILE% or %TEMP% paths at runtime.

The detection patterns layer naturally onto a parser's output. Eric Zimmerman's LECmd CSV format is what most detection rules target; lnkparse3 and libyal's lnkinfo emit equivalent data in different schemas.

Triage checklist

Before opening any .lnk you did not create yourself:

Confirm the file is what it claims. Windows hides .lnk by default. Invoice.pdf may actually be Invoice.pdf.lnk. Show extensions, or hex-dump the first 20 bytes — a real LNK opens with 4C 00 00 00 followed by the LinkCLSID 00021401-0000-0000-C000-000000000046.
Read the LocalBasePath. If it is not the application you would expect for the icon, stop.
Read the COMMAND_LINE_ARGUMENTS. Any encoded command, embedded URL, or reference to a sidecar file in the same archive is a red flag.
Read the ICON_LOCATION. A path into imageres.dll while the target is cmd.exe is the classic mask.
Read the ExtraData blocks. The TrackerDataBlock's NetBIOS name and droid GUID will sometimes hand you the build machine. Use them to cluster across samples.
Detonate elsewhere. If you must understand the payload, do it in an isolated VM with the network locked down. Never on your work machine.

Defensive guardrails

Show file extensions in Explorer. Policy-controlled if you cannot trust users.
Use Attack Surface Reduction rules: "Block execution of potentially obfuscated scripts" and "Block credential stealing from LSASS" both blunt the typical LNK chain.
Apply Mark-of-the-Web to downloaded ISO and IMG containers (this changed in Windows 11 22H2; verify your build).
Deploy a parser-based detection rule that flags shortcuts whose target is cmd.exe / powershell.exe / mshta.exe / rundll32.exe / regsvr32.exe outside of a known allow-list.
Make sure EVTX command-line auditing (4688 with command lines, or Sysmon EventID=1) is on. The LNK is the trigger; the spawned process is where you actually catch the chain.