So like the user has to be tricked or otherwise download & install a malicious shortcut file that when simply rendered by File Explorer (if the user is connected to the internet) may set off a chain reaction on the users PC.
"Bad Actors" would need to insert or otherwise infect items that is attractive to the user to download & install.