Weaponized LNK File Disguised as Credit Card Security Email Steals User Data
Cybercriminals have evolved their social engineering tactics with a sophisticated malware campaign that exploits users’ trust in financial institutions.
The latest threat involves a malicious LNK file masquerading as a credit card security email authentication popup, specifically targeting unsuspecting users through deceptive filename conventions like card_detail_20250610.html.lnk.
This attack represents a concerning shift in malware distribution methods, leveraging the urgency and legitimacy associated with credit card security notifications to bypass user skepticism.
The campaign demonstrates advanced evasion techniques by incorporating legitimate decoy files alongside malicious payloads.
Unlike traditional attacks that rely on document-based decoys, this threat actor employs HTML files to create convincing credit card company authentication interfaces.
When users execute the LNK file, the malware simultaneously downloads and displays a legitimate-looking HTML page, effectively masking its malicious activities while maintaining the illusion of a genuine security process.
ASEC analysts identified this emerging threat through their continuous monitoring of malware distribution campaigns.
The researchers noted that threat actors have significantly enhanced their impersonation techniques, specifically targeting highly reputable financial organizations to maximize their success rates.
This reflects a broader trend in which cybercriminals increasingly exploit institutional trust to facilitate initial compromise.
Advanced Infection and Persistence Mechanism
The malware’s infection chain demonstrates sophisticated multi-stage deployment capabilities.
Upon execution, the LNK file triggers the download of an HTA file and the decoy HTML document into the system’s temporary directory.
The HTA component subsequently creates two critical files in the C:\Users\{username}\AppData\Local directory: sys.dll (the primary malicious payload) and user.txt (containing download URLs for additional components).
The malware employs the Reflective DLL Loading technique through rundll32.exe, enabling it to execute three specialized modules: app, net, and notepad.log.
The app module specifically targets Chromium-based browsers including Chrome, Brave, and Edge for credential harvesting, while net expands the scope to include Opera, Firefox, and major web services like Google, Yahoo, Facebook, and Outlook.
The notepad.log component functions as a comprehensive backdoor, providing remote shell access, file enumeration capabilities, and keylogging functionality that stores captured data in the C:\Users\{username}\AppData\Local\netkey directory.
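As an added illustration (not code from the ASEC report or this article), the following Python sketches triage rules for the three stages of the chain described above that leave traces in endpoint telemetry: the double-extension shortcut, the HTA stage run from the temp directory, and rundll32.exe loading a DLL out of the user profile. The event records, the user name, the stage file name, the DLL entry point and the rule names are all constructed.

```python
import re

# Detection rules derived from the infection chain described in the article.
# Rule names are my own; they are not vendor signatures.
RULES = {
    # A document-like suffix in front of .lnk hides that the file is a shortcut
    "double_extension_lnk": re.compile(r"\.(?:html?|pdf|docx?|xlsx?)\.lnk\b", re.I),
    # HTA content executed out of the user's temp directory
    "mshta_from_temp": re.compile(r"mshta(?:\.exe)?\b.*\\AppData\\Local\\Temp\\", re.I),
    # rundll32 handed a DLL that lives under a user profile, not a system directory
    "rundll32_userprofile_dll": re.compile(
        r'rundll32(?:\.exe)?\b.*\\Users\\[^\\]+\\AppData\\[^\s"]+\.dll', re.I),
}

# Constructed sample telemetry (not real captures) in the shape of the chain:
# file written from mail client -> mshta stage -> rundll32 stage, plus one benign event.
SAMPLE_EVENTS = [
    {"kind": "file", "image": r"C:\Program Files\Mail\mail.exe",
     "target": r"C:\Users\alice\Downloads\card_detail_20250610.html.lnk"},
    {"kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\stage.hta"},
    {"kind": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\sys.dll,Entry"},
    {"kind": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def match_rules(event):
    """Return the names of the rules that fire for one telemetry event."""
    if event["kind"] == "file":
        text = event["target"]
    else:
        text = f"{event['image']} {event['cmdline']}"
    return [name for name, rx in RULES.items() if rx.search(text)]


def triage(events):
    """Return (index, [rule names]) for every event that trips at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        fired = match_rules(ev)
        if fired:
            hits.append((i, fired))
    return hits


if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["kind"], rules)
```

Correlating the three hits on one host within a short window, rather than alerting on any single rule, is what separates this chain from a legitimate rundll32 or mshta invocation.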