MastaStealer Exploits Windows LNK to Launch PowerShell and Bypass Defender

Windows LNK files remain a preferred vector for attackers seeking to establish initial access on target systems. Recently, security researchers identified a sophisticated MastaStealer campaign that exploits these shortcut files to deliver a full-featured C2 beacon while simultaneously turning off critical endpoint protections.

The infection begins with a spear-phishing email containing a ZIP archive with a single .lnk file. When the victim executes the shortcut, the attack unfolds in multiple stages designed to maintain a low profile while establishing persistence.

The LNK file launches Microsoft Edge and navigates to anydesk[.]com in the foreground, creating the illusion that it is a legitimate application.

This social engineering tactic distracts users from background activity while the malware silently downloads an MSI installer from anydesk[.]net, a typosquatting variant of the legitimate AnyDesk domain.

Detection and MSI Deployment

Security teams discovered the intrusion through Windows Installer event logs when the MSI installation failed on a system where the user lacked local administrator privileges.

The failed installation generated Application Event ID 11708, which triggered correlation rules and initiated rapid incident response. Had the user possessed elevated privileges, the attack would have progressed undetected.
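The correlation described above can be reproduced as a small rule over exported Application-log records. The following is an added illustration, not the responders' own rule: Event IDs 11707 (installation completed) and 11708 (installation failed) are the real MsiInstaller IDs, but the record layout, the user names, the product names and the local-administrator list are constructed for the example. The rule raises a high-severity alert when an installer fails for a user who is not a local administrator, the situation that exposed this campaign, and a lower-severity one when it fails for an administrator, since the same package could simply be retried.

```python
"""Correlate Windows Installer failures with the privilege of the user who ran them.

Added example; the event layout and sample values are constructed.
"""
from dataclasses import dataclass

MSI_INSTALL_FAILED = 11708      # real MsiInstaller event: "Installation failed"
MSI_INSTALL_COMPLETED = 11707   # real MsiInstaller event: "Installation completed successfully"

# Accounts that run installers unattended (patch management); constructed allowlist.
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}

# Constructed local-administrator membership for the host being reviewed.
LOCAL_ADMINS = {"CORP\\admin"}

# Constructed records modelled on Application-log entries from the MsiInstaller source.
SAMPLE_EVENTS = [
    {"EventID": 11708, "Provider": "MsiInstaller", "User": "CORP\\jdoe",
     "Message": "Product: MW Update -- Installation failed."},
    {"EventID": 11707, "Provider": "MsiInstaller", "User": "CORP\\admin",
     "Message": "Product: 7-Zip 23.01 -- Installation completed successfully."},
    {"EventID": 1033, "Provider": "MsiInstaller", "User": "NT AUTHORITY\\SYSTEM",
     "Message": "Windows Installer installed the product. Product Name: Teams."},
    {"EventID": 11708, "Provider": "MsiInstaller", "User": "NT AUTHORITY\\SYSTEM",
     "Message": "Product: Corporate VPN -- Installation failed."},
    {"EventID": 11708, "Provider": "MsiInstaller", "User": "CORP\\admin",
     "Message": "Product: Driver Pack -- Installation failed."},
]


@dataclass
class Alert:
    user: str
    product: str
    severity: str
    reason: str


def product_from_message(message: str) -> str:
    """Pull the product name out of 'Product: <name> -- <status>'."""
    prefix, sep, _ = message.partition(" -- ")
    if not sep:
        return message.strip()
    prefix = prefix.strip()
    return prefix[len("Product: "):] if prefix.startswith("Product: ") else prefix


def correlate(events, local_admins):
    """Return alerts for MSI failures attributable to an interactive user.

    Service-account failures are dropped as routine deployment noise. A failure
    for a non-admin user is the high-value signal: the package needed elevation
    the user did not have, which is exactly how this intrusion surfaced.
    """
    alerts = []
    for ev in events:
        if ev["Provider"] != "MsiInstaller" or ev["EventID"] != MSI_INSTALL_FAILED:
            continue
        user = ev["User"]
        if user in SERVICE_ACCOUNTS:
            continue
        product = product_from_message(ev["Message"])
        if user in local_admins:
            alerts.append(Alert(user, product, "medium",
                                "MSI failed for an admin user; verify the package source"))
        else:
            alerts.append(Alert(user, product, "high",
                                "MSI failed for a non-admin user; possible user-launched dropper"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, LOCAL_ADMINS):
        print(f"[{alert.severity}] {alert.user}: {alert.product} ({alert.reason})")
```

In a SIEM the same logic would join the 11708 record to the user's group membership from the identity source rather than a static set; the point is that the privilege context, not the failure alone, decides the severity.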

Upon successful execution, the MSI would decompress its contents into a temporary directory at %LOCALAPPDATA%\Temp\MW-files.cab before dropping the actual payload: a file named dwm.exe into %LOCALAPPDATA%\Microsoft\Windows.

This executable functions as the C2 beacon, providing attackers direct remote access to the compromised system.

The most alarming aspect of this campaign involves the deployment of a PowerShell command executed during MSI installation to create a Windows Defender exclusion:

Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Local\Microsoft\Windows\dvm.exe"

This command adds the malicious executable to the Defender exclusion list, effectively blinding Windows Defender to the presence of the C2 beacon. By disabling real-time protection for the malware’s installation path, attackers ensure their persistence mechanism remains invisible to automated security scanning and incident response activities.
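Exclusion changes of this kind leave a trace in PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational). The scanner below is an added example, not part of the report: it looks for Add-MpPreference or Set-MpPreference with an -ExclusionPath, -ExclusionProcess or -ExclusionExtension argument and rates each excluded value, treating user-writable locations such as AppData (the pattern in this campaign) and whole-extension exclusions as high severity. The script-block text is constructed apart from the excluded path, which is the one quoted above; the list of user-writable markers is an assumption.

```python
"""Flag PowerShell script blocks that add Microsoft Defender exclusions.

Added example; sample script blocks and the user-writable path list are constructed.
"""
import re

# Only these cmdlets change the exclusion lists; Get-MpPreference is read-only.
CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)

# Exclusion parameter followed by a double-quoted, single-quoted or bare value.
PARAM = re.compile(
    r"-(Exclusion(?:Path|Process|Extension))\s+"
    r"(?:\"([^\"]+)\"|'([^']+)'|(\S+))",
    re.IGNORECASE,
)

# Locations a standard user can write to without elevation (constructed list).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

# Constructed script-block text; the first path is the one reported in the campaign.
SAMPLE_SCRIPT_BLOCKS = [
    'Add-MpPreference -ExclusionPath "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\dvm.exe"',
    "Set-MpPreference -ExclusionPath 'C:\\Program Files\\Backup Agent'",
    "Get-MpPreference | Select-Object ExclusionPath",
    "Add-MpPreference -ExclusionExtension .dll",
]


def rate_exclusion(kind: str, value: str) -> str:
    """Severity of an exclusion: what it hides from the scanner matters most."""
    if kind.lower() == "exclusionextension":
        return "high"   # every file of that extension, anywhere, goes unscanned
    if any(marker in value.lower() for marker in USER_WRITABLE_MARKERS):
        return "high"   # a dropped binary in a user-writable folder, as in this campaign
    return "medium"     # still worth a ticket, but plausibly an admin-managed product


def scan_script_blocks(blocks):
    """Return one finding per exclusion parameter found in the script blocks."""
    findings = []
    for text in blocks:
        if not CMDLET.search(text):
            continue
        for m in PARAM.finditer(text):
            kind = m.group(1)
            value = m.group(2) or m.group(3) or m.group(4)
            findings.append({"kind": kind, "value": value,
                             "severity": rate_exclusion(kind, value)})
    return findings


if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"[{f['severity']}] -{f['kind']} {f['value']}")
```

The Defender operational log records the resulting configuration change as well (Event ID 5007), so an exclusion added by a method that bypasses script block logging can still be caught by alerting on that event.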

Command and Control Infrastructure

Organizations should implement controls monitoring for LNK file execution, suspicious PowerShell commands targeting security exclusions, and unsigned MSI installations.

The malware communicates with two command-and-control servers:

  • cmqsqomiwwksmcsw[.]xyz (38[.]134[.]148[.]74).
  • ykgmqooyusggyyya[.]xyz (155[.]117[.]20[.]75).

These domains utilize randomized naming conventions to evade domain-reputation filtering and DNS-based threat intelligence platforms.
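Names of this shape can be surfaced in resolver logs without a reputation feed. The triage script below is an added example, not from the report, and its thresholds are assumptions: it defangs each queried name, takes the second-level label, and flags labels with a long run of consonants or a very low vowel ratio. The two C2 domains above are the only real names in the constructed log lines. A heuristic like this produces false positives on ordinary words with consonant clusters, so it is meant to rank queries for review rather than to block them.

```python
"""Rank queried domains by how random their second-level label looks.

Added example; log lines are constructed and the thresholds are assumptions.
"""
import re

VOWELS = set("aeiou")
QUERY = re.compile(r"query:\s+(\S+)")

# Constructed resolver log lines; the two .xyz names are the C2 domains from the report.
SAMPLE_DNS_LINES = [
    "client 10.0.0.21 query: cmqsqomiwwksmcsw[.]xyz IN A",
    "client 10.0.0.21 query: ykgmqooyusggyyya[.]xyz IN A",
    "client 10.0.0.22 query: anydesk[.]com IN A",
    "client 10.0.0.23 query: update.microsoft.com IN A",
]


def defang(domain: str) -> str:
    return domain.replace("[.]", ".").rstrip(".").lower()


def second_level_label(domain: str) -> str:
    """Label left of the TLD; a public-suffix list would be needed for co.uk-style names."""
    parts = defang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(label: str) -> int:
    best = run = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def score_label(label: str) -> dict:
    run = longest_consonant_run(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label) if label else 0.0
    # Assumed thresholds: pronounceable words rarely exceed four consonants in a row,
    # and long labels with almost no vowels are typical of generated names.
    suspicious = run >= 5 or (len(label) >= 10 and vowel_ratio < 0.2)
    return {"longest_consonant_run": run, "vowel_ratio": vowel_ratio,
            "suspicious": suspicious}


def triage(lines):
    """Score every queried name in the log lines, preserving order."""
    results = []
    for line in lines:
        m = QUERY.search(line)
        if not m:
            continue
        domain = defang(m.group(1))
        score = score_label(second_level_label(domain))
        results.append({"domain": domain, **score})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_DNS_LINES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['domain']} run={r['longest_consonant_run']} "
              f"vowels={r['vowel_ratio']:.2f}")
```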


This campaign demonstrates how attackers chain multiple evasion techniques to bypass layered defenses.

The combination of LNK-based execution, MSI-based deployment, and Defender exclusions creates a sophisticated attack sequence that requires vigilant endpoint detection and response capabilities.

Additionally, monitoring Windows Installer event logs for failures remains a critical detection mechanism for catching unsuccessful compromise attempts before attackers refine their approach.
