MastaStealer Weaponizes Windows LNK Files, Executes PowerShell Command, and Evades Defender


A newly documented malware campaign demonstrates how attackers are leveraging Windows LNK shortcuts to deliver the MastaStealer infostealer.

The attack begins with spear-phishing emails containing ZIP archives with a single LNK file that executes a multi-stage infection process.

When victims click the malicious shortcut, it launches Microsoft Edge while opening the AnyDesk website in the foreground to appear legitimate.

Meanwhile, in the background, the LNK file silently downloads and executes an MSI installer from a compromised domain.

The infection chain reveals sophisticated evasion techniques. The MSI installer extracts its payload to a hidden directory structure under %LOCALAPPDATA%\Temp\MW-files.cab, then decompresses the contents and drops the actual C2 beacon at %LOCALAPPDATA%\Microsoft\Windows\dwm.exe.

This filename mimics legitimate Windows Display Window Manager processes, making detection harder for security tools.


The campaign successfully bypassed traditional detection methods through careful file placement and process naming conventions.

Maurice Fielenbach, an analyst at Infosec Research and Security Trainings, identified this infection after discovering Windows Installer event logs showing Application Event ID 11708 failures.

The alert was triggered because the compromised user lacked local administrator privileges, causing the MSI deployment to fail unexpectedly.

This failure, ironically, saved the system from full compromise and revealed the attack to defenders.

PowerShell-Based Defender Exclusion

The most critical aspect of this campaign involves the PowerShell command executed during installation to disable Windows Defender protections.

The malware runs the following command to create an exclusion path for its C2 beacon: Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Local\Microsoft\Windows\dvm.exe".

This single command exempts the malware executable from Windows Defender real-time scanning, allowing it to communicate freely with command and control servers at cmqsqomiwwksmcsw[.]xyz (38.134.148.74) and ykgmqooyusggyyya[.]xyz (155.117.20.75).

The technique demonstrates how attackers bypass modern endpoint protection by exploiting legitimate Windows administration features rather than forcing their way through security controls.

Organizations should monitor for unusual PowerShell execution with MpPreference parameters and implement application whitelisting to prevent unauthorized Defender modifications.
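The monitoring advice above, as an added example that is not part of the article or the researcher's work: a small detector that pulls Defender exclusion changes out of two log sources, PowerShell ScriptBlock logging (Event ID 4104) and the Defender operational log's configuration-change event (Event ID 5007), and scores each excluded path by whether it sits in a user-writable location or reuses a core Windows binary name outside System32, as the dwm.exe beacon does. The sample events are constructed and modelled on the standard message layouts of those two event IDs; the regular expressions and scoring are assumptions of this example.

```python
import re

# Constructed sample events (not from the article): a PowerShell ScriptBlock
# log entry (Event ID 4104) and Defender configuration-change entries
# (Event ID 5007), the two places an Add-MpPreference exclusion is recorded.
SAMPLE_EVENTS = [
    {"id": 4104, "msg": r'Add-MpPreference -ExclusionPath '
                        r'"C:\Users\admin\AppData\Local\Microsoft\Windows\dvm.exe"'},
    {"id": 5007, "msg": r"Windows Defender Antivirus Configuration has changed. "
                        r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"
                        r"\Paths\C:\Users\admin\AppData\Local\Microsoft\Windows\dwm.exe = 0x0"},
    {"id": 5007, "msg": r"Windows Defender Antivirus Configuration has changed. "
                        r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"
                        r"\Paths\C:\Program Files\Vendor\agent.exe = 0x0"},
    {"id": 4104, "msg": r"Get-MpPreference | Select-Object ExclusionPath"},
]

# Exclusion added through the cmdlet (captures the first value if several are listed).
PS_RE = re.compile(r'(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+"?([^"\s]+)', re.I)
# The same change as reflected in the Defender 5007 registry-style message.
REG_RE = re.compile(r"Exclusions\\(?:Paths|Processes|Extensions)\\(.+?) = ", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\|\\AppData\\|\\Temp\\", re.I)
# Names of core Windows binaries that never legitimately live outside System32.
SYSTEM_NAMES = {"dwm.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}

def classify(path):
    """Return the reasons an exclusion path looks suspicious (empty if none)."""
    name = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if USER_WRITABLE.search(path):
        reasons.append("user-writable location")
    if name in SYSTEM_NAMES and not re.search(r"\\Windows\\System32\\", path, re.I):
        reasons.append("system binary name outside System32")
    return reasons

def find_exclusions(events):
    """Extract every Defender exclusion change from the events and score it."""
    findings = []
    for ev in events:
        pattern = {4104: PS_RE, 5007: REG_RE}.get(ev["id"])
        match = pattern.search(ev["msg"]) if pattern else None
        if not match:
            continue  # read-only cmdlets and unrelated events produce no finding
        reasons = classify(match.group(1))
        severity = ("low", "medium", "high")[min(len(reasons), 2)]
        findings.append({"id": ev["id"], "path": match.group(1),
                         "reasons": reasons, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in find_exclusions(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["id"], f["path"], "; ".join(f["reasons"]))
```

Note that Event ID 5007 fires regardless of how the exclusion was added (cmdlet, Group Policy, or direct registry write), so it catches changes that never pass through PowerShell logging.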
