Microsoft has urgently patched a critical zero-day vulnerability, CVE-2024-38112, after threat actors actively exploited it to spread malware.
This high-severity flaw affects Windows systems and lets attackers disguise malicious Internet Shortcut (.URL) files as harmless PDF documents. A single click on the disguised file is enough to run the attacker's payload, which makes the exploit highly dangerous.
Security researchers at Check Point discovered the exploit in a live campaign orchestrated by the “DarkMe” group, linked to the Lazarus Group. The attackers used malicious ZIP archives containing .URL files disguised as PDF icons.
Once victims clicked the fake PDF, the .URL file launched a hidden HTML application (HTA). This bypassed Windows security prompts and activated malware that either stole sensitive data or granted attackers remote access.
This technique leveraged flaws in the Windows Shell design, letting shortcut files silently deliver malicious code without triggering security warnings.
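As a defensive illustration of the lure described above, here is an added example (not code from the article, Check Point, or Microsoft) that scans a ZIP archive for Internet Shortcut files that look like documents but hand off to an HTML Application. It assumes the standard .URL format: an INI-style text file with an `[InternetShortcut]` section and `URL=`, `IconFile=` and `IconIndex=` keys. The archive contents, member names, icon path and the 203.0.113.10 address are all constructed for the example; the heuristics (double extension, document-viewer icon, `.hta` target, non-web scheme) are the author's own triage rules, not a published detection signature.

```python
"""
Scan a ZIP archive for Internet Shortcut (.URL) files that masquerade as
documents and point at HTML Application (.hta) payloads.

Added example, not from the article or any vendor. Assumes the .URL file
format: INI-style text with an [InternetShortcut] section and URL=,
IconFile=, IconIndex= keys. All sample data below is constructed.
"""
import configparser
import io
import zipfile
from urllib.parse import urlparse

# Extensions that, placed before ".url", suggest a double-extension lure (heuristic)
DOC_LIKE = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
# Substrings in IconFile that indicate the shortcut borrows a document viewer's icon (heuristic)
DOC_ICON_HINTS = ("acro", "pdf", "winword", "excel")


def parse_url_file(data: bytes) -> dict:
    """Return the [InternetShortcut] keys of a .URL file as a lowercase-key dict.

    Malformed or sectionless files return an empty dict instead of raising.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(data.decode("utf-8", errors="replace"))
    except configparser.Error:
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return {k.lower(): v for k, v in cp.items("InternetShortcut")}


def assess_shortcut(name: str, fields: dict) -> list:
    """Return the reasons this shortcut looks like a lure (empty list = nothing suspicious)."""
    reasons = []
    lower = name.lower()
    stem = lower[:-4] if lower.endswith(".url") else lower
    if stem.endswith(DOC_LIKE):
        reasons.append("document-style double extension")
    icon = fields.get("iconfile", "").lower()
    if any(hint in icon for hint in DOC_ICON_HINTS):
        reasons.append("icon borrowed from a document viewer")
    target = fields.get("url", "")
    parsed = urlparse(target)
    if parsed.path.lower().endswith(".hta"):
        reasons.append("target is an HTML Application (.hta)")
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme '{parsed.scheme}:' in target")
    return reasons


def scan_archive(zip_bytes: bytes) -> dict:
    """Map each .URL member of the archive to its list of findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".url"):
                continue
            fields = parse_url_file(zf.read(info))
            findings[info.filename] = assess_shortcut(info.filename, fields)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive: one lure shortcut and one benign shortcut."""
    lure = (
        "[InternetShortcut]\r\n"
        "URL=http://203.0.113.10/update.hta\r\n"  # TEST-NET-3 address, placeholder only
        "IconFile=C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe\r\n"  # constructed path
        "IconIndex=1\r\n"
    )
    benign = (
        "[InternetShortcut]\r\n"
        "URL=https://www.example.com/\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.url", lure)
        zf.writestr("Company site.url", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_archive(build_sample_archive()).items():
        print(member, "->", ", ".join(reasons) if reasons else "clean")
```

Running the script prints one line per shortcut: the constructed `Invoice.pdf.url` is flagged for its double extension, its borrowed viewer icon and its `.hta` target, while `Company site.url` comes back clean. In practice this kind of check belongs at the mail gateway or in an archive-inspection step, before the shortcut ever reaches a user's desktop.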
Microsoft confirmed the bug and released a fix in its July 2025 Patch Tuesday update. The company urged all Windows users to install the latest updates right away to block ongoing attacks.
The patch adjusts how Windows handles Internet Shortcut files and restricts HTA execution paths to prevent deceptive delivery methods.
CVE-2024-38112 poses a serious threat because it lets attackers trick users with familiar file types. Since hackers are actively exploiting it in the wild, immediate patching is crucial for individuals and businesses alike.