Malicious LNK files masquerading as job resumes are being used in targeted campaigns against corporate employees, combining social engineering with multi-stage malware delivery to achieve stealthy persistence and remote access.
Attackers craft filenames that include a company name and job title, for example (RESUME)Domestic Company Name_Job Title***.LNK, and embed a genuine-looking decoy document inside the shortcut.
When victims open the file, the decoy opens as expected while hidden scripts and payload downloaders run in the background, significantly lowering suspicion and increasing the chance of successful compromise.
The initial LNK execution drops several script artifacts into the public user directory, typically under C:\Users\Public\Videos. The LNK contains embedded commands that write batch (.bat), PowerShell (.ps1), and VBScript (.vbs) files with randomized names; the PowerShell script is then executed.
That script registers a scheduled task whose name mimics a legitimate service, in this case “office365”, configured to run every ten minutes.
The task executes a VBScript, which calls a batch file; that batch file uses curl to retrieve additional payload components from an external server.
Several downloaded components arrive Base64-encoded. The script decodes them into a second-stage PowerShell script (p2.ps1), which in turn places files into startup locations and reconstructs the final malware components.
The reconstructed components observed include ProximityUxHost.exe, ProximityCommon.dll, settings.dat, and a MicrosoftBing.lnk shortcut.
ASEC said in a report shared with GBHackers that malicious shortcut files disguised as resumes are being distributed, requiring caution from corporate users.
LNK Files Disguised as Job Resumes
Attackers exploit DLL side-loading by invoking an authentic executable (ProximityUxHost.exe) that loads a malicious ProximityCommon.dll placed alongside it; because the Windows loader searches the application's own directory before the system directories, the malicious DLL executes within the context of a legitimate process.
The settings.dat file is the backdoor module, part of the Xctdoor family observed in this campaign; it is injected into the legitimate process and establishes communication with a remote command-and-control server.

This layered approach (a decoy document for user reassurance, script-based staging, scheduled-task persistence, startup registration, and DLL side-loading for execution) makes detection and remediation harder than with single-file threats.
Recruiting, HR, sales, and customer-support teams are especially at risk because their workflows include receiving and opening unsolicited resumes and attachments.

Detection and remediation should focus on both indicators of compromise and behavioral anomalies.
Security teams must audit Task Scheduler for suspicious or misnamed tasks (for example, a task named “office365” that runs scripts or non-standard executables), inspect startup entries and public-user directories for newly created scripts under C:\Users\Public\Videos and C:\Users\Public\Pictures, and search user profiles for ProximityCommon.dll, settings.dat, and MicrosoftBing.lnk in atypical AppData or package paths.
Endpoint detection should flag processes launching from public or user-writable directories, unexpected DLL loads into legitimate binaries, and PowerShell or curl activity that writes executables or decodes Base64 payloads.
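The host checks listed above, and the side-loading check from the earlier section, can be run together as a read-only triage script. The following is an added example, not code from the ASEC report or from GBHackers; the task name, file names and public directories are taken from the article, while the look-back window, the interpreter list and the user-writable-path regex are assumptions to tune for your own estate. Run it from an elevated PowerShell prompt on a suspect host.

```powershell
# Added triage script (not from the report). Indicator names come from the article;
# Since, $Interpreters and $UserWritable are assumptions. Read-only: nothing is executed.
$Ioc = [ordered]@{
    TaskNames     = @('office365')
    FileNames     = @('ProximityCommon.dll', 'settings.dat', 'MicrosoftBing.lnk', 'p2.ps1')
    SideLoadedExe = 'ProximityUxHost.exe'
    PublicDirs    = @("$env:PUBLIC\Videos", "$env:PUBLIC\Pictures")
    Since         = (Get-Date).AddDays(-7)      # assumption: one-week look-back
}
$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Type, [string]$Where, [string]$Evidence) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Evidence = $Evidence })
}
$UserWritable = '(?i)\\Users\\(Public|[^\\]+\\AppData)\\'
$Interpreters = '(?i)\b(wscript|cscript|powershell|pwsh|cmd|mshta|curl)(\.exe)?\b'

# 1. Scheduled tasks: exact IOC name, or a script interpreter launched from a user-writable path.
Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in @($t.Actions)) {
        $cmd = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
        if ($Ioc.TaskNames -contains $t.TaskName) {
            Add-Finding 'Task:IOC-name' "$($t.TaskPath)$($t.TaskName)" $cmd
        } elseif ($cmd -match $Interpreters -and $cmd -match $UserWritable) {
            Add-Finding 'Task:interpreter-from-user-path' "$($t.TaskPath)$($t.TaskName)" $cmd
        }
    }
}

# 2. Startup folders (recently written entries) and Run keys pointing into user-writable paths.
$StartupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
foreach ($d in $StartupDirs) {
    Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Ioc.Since } |
        ForEach-Object { Add-Finding 'Startup:file' $_.FullName $_.LastWriteTime }
}
foreach ($k in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $UserWritable } |
            ForEach-Object { Add-Finding 'Startup:Run-key' "$k\$($_.Name)" $_.Value }
    }
}

# 3. Recently written scripts or shortcuts in the public directories used for staging.
foreach ($d in $Ioc.PublicDirs) {
    Get-ChildItem -Path $d -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.bat', '.cmd', '.ps1', '.vbs', '.lnk' -and
                       $_.LastWriteTime -ge $Ioc.Since } |
        ForEach-Object { Add-Finding 'Staging:script' $_.FullName $_.LastWriteTime }
}

# 4. Named artifacts anywhere under user profiles, plus side-loading candidates: a copy of the
#    legitimate host executable outside System32 with a ProximityCommon.dll beside it.
Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in $Ioc.FileNames -or $_.Name -ieq $Ioc.SideLoadedExe } |
    ForEach-Object {
        if ($_.Name -ieq $Ioc.SideLoadedExe) {
            $dll = Join-Path $_.DirectoryName 'ProximityCommon.dll'
            if (Test-Path $dll) {
                $sig = Get-AuthenticodeSignature -FilePath $dll   # NotSigned/HashMismatch = suspect
                Add-Finding 'SideLoad:candidate' $_.FullName "DLL signature: $($sig.Status)"
            }
        } elseif ($_.Extension -ieq '.lnk') {
            # Resolve the shortcut's target and arguments without launching it.
            $sc = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName)
            Add-Finding 'Artifact:lnk' $_.FullName "$($sc.TargetPath) $($sc.Arguments)"
        } else {
            Add-Finding 'Artifact:file' $_.FullName $_.LastWriteTime
        }
    }

$Findings | Sort-Object Type | Format-Table -AutoSize -Wrap
```

Step 1 deliberately does not rely on the "office365" name alone: any task whose action launches wscript, cmd or PowerShell out of C:\Users\Public or an AppData folder is worth a look, since the name is the one thing the attacker can change for free. The signature check in step 4 only tells you whether the DLL sitting next to the host executable is signed; an unsigned or hash-mismatched ProximityCommon.dll outside System32 is the side-loading tell.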
Mitigations include enforcing strict attachment policies; using Group Policy software restriction or AppLocker rules to stop scripts running from untrusted, user-writable locations such as C:\Users\Public (AppLocker's script rules cover the .bat, .ps1 and .vbs files the shortcut writes, though not the .lnk itself); enabling Windows Defender Exploit Guard attack surface reduction rules; and turning on AMSI scanning together with PowerShell script block logging (event ID 4104) so that decoded in-memory script activity is recorded and can be blocked.
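The logging part of that advice is cheap to apply and immediately useful for hunting the decode-and-stage behaviour described earlier. The following is an added example, not code from the report: it sets the same policy registry value that the Group Policy setting "Turn on PowerShell Script Block Logging" writes, then sweeps the resulting 4104 events for Base64 decoding, encoded commands, curl or web downloads, and writes into the Public or Startup folders. The regex and the seven-day window are assumptions; run from an elevated prompt.

```powershell
# Added example (not from the report). Enables script block logging via the policy key and
# hunts recent 4104 events for the stage-2 pattern described in the article. $Suspicious
# and the look-back window are assumptions to tune.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Behaviour to look for: Base64 decode, encoded command, fetch with curl/IWR, drop into Public or Startup.
$Suspicious = '(?i)(FromBase64String|-EncodedCommand|\bcurl(\.exe)?\s|Invoke-WebRequest|\\Users\\Public\\|\\Startup\\)'

Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 4104 event data: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
        # [3] ScriptBlockId, [4] Path (empty for in-memory script blocks).
        $text = [string]$_.Properties[2].Value
        $path = [string]$_.Properties[4].Value
        if ($text -match $Suspicious) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Path   = if ($path) { $path } else { '<in-memory>' }
                Match  = $Matches[0]
                Sample = $flat.Substring(0, [Math]::Min(160, $flat.Length))
            }
        }
    } | Format-Table -AutoSize -Wrap
```

Script block logging records the script text after PowerShell has decoded and parsed it, so a stage that arrives Base64-encoded shows up in 4104 as the plaintext it actually runs; a hit with Path of `<in-memory>` and a FromBase64String match is exactly the p2.ps1-style decode step the article describes.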
Network controls should restrict outbound connections to unknown servers and inspect HTTP(s) downloads for suspicious patterns.
Regular user training must emphasize verifying file extensions and source authenticity before opening attachments; in recruitment workflows, require applicants to submit resumes via portal upload rather than email attachments.
This campaign demonstrates how trivial-looking shortcuts can become powerful attack vectors when combined with staging scripts, persistence mechanisms, and DLL side-loading.
Rapid detection, removal of persistent tasks and startup artifacts, and hardening of attachment handling practices are essential to prevent these resume-based intrusions.