> either the attacker to modify configuration files, or the user to click on a malicious shortcut.

don't you mean "x and y" instead of "either x or y"?

It's not triggered by a default-configured shortcut, you need both modifying of the shortcuts definition file and the target user to trigger it. Notably, modifying the shortcuts definition file requires a permission level equal to or higher than the user has