Tag: lnk files

29 Attack Reports | 0 Vulnerabilities

Attack reports

New backdoor targeting Ukrainian entities with possible links to Laundry Bear

A new campaign targeting Ukrainian entities has been identified, attributed to actors linked to Russia. The campaign uses judicial and charity-themed lures to deploy a JavaScript-based backdoor called DRILLAPP, which runs through the Edge browser. This backdoor enables various actions including fil…
backdoor
russia
ukraine
javascript
lnk files
websocket
2026-03-17
cpl files
drillapp
edge browser
Published: March 17, 2026
Downloadable IOCs: 28

Malware MoonPeak Executed via LNK Files

In January 2026, IIJ observed malicious LNK files targeting Korean users to execute the MoonPeak malware, attributed to North Korean threat actors. The infection chain begins with a LNK file that runs an obfuscated PowerShell script, which checks for analysis environments, creates additional script…
powershell
persistence
korea
xenorat
github
moonpeak
lnk files
confuserex
2026-01-26
lots
Published: January 26, 2026
Downloadable IOCs: 4

Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia

Operation FrostBeacon is a targeted malware campaign delivering Cobalt Strike beacons to companies in Russia. It uses two infection clusters: one leveraging malicious archive files with LNK shortcuts, and another exploiting CVE-2017-0199 and CVE-2017-11882 vulnerabilities. Both clusters lead to rem…
phishing
powershell
russia
cobalt strike
CVE-2017-0199
CVE-2017-11882
lnk files
hta
2025-12-08
Published: December 8, 2025
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 60

The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations

A hacking group named NetMedved has been conducting phishing attacks against Russian organizations since October 2025. The campaign uses malicious LNK files disguised as business documents to deliver NetSupport RAT malware. The attackers employ various techniques including PowerShell scripts, finge…
phishing
social engineering
powershell
lumma stealer
netsupport rat
lnk files
russian targets
2025-11-26
infrastructure reuse
finger protocol
Published: November 26, 2025
Downloadable IOCs: 38

Confucius Espionage: From Stealer to Backdoor

The Confucius group, a long-running cyber-espionage actor operating in South Asia, has evolved its tactics from document stealers to Python-based backdoors. Recent campaigns showcase the group's adaptability and growing sophistication, targeting government agencies, military organizations, and crit…
obfuscation
pakistan
south asia
lnk files
python backdoor
cyber-espionage
2025-10-03
anondoor
wooperstealer
Published: October 3, 2025
Downloadable IOCs: 0

Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels

Throughout July and August 2025, TA415, a Chinese state-sponsored threat actor, conducted spearphishing campaigns targeting U.S. government, think tank, and academic organizations focused on U.S.-China relations. The group impersonated high-profile individuals and organizations to deliver an infect…
spearphishing
voldemort
lnk files
python loader
2025-09-17
economic espionage
u.s.-china relations
vs code remote tunnels
whirlcoil
github authentication
Published: September 17, 2025
Downloadable IOCs: 0

August 2025 APT Attack Trends Report

In August 2025, APT attacks in South Korea primarily utilized spear phishing techniques, with LNK files being the most prevalent method. Two main types of attacks were observed: Type A, which used compressed CAB files containing malicious scripts for information exfiltration and additional malware …
apt
rat
powershell
rokrat
south korea
xenorat
lnk files
spear phishing
cab files
2025-09-16
Published: September 16, 2025
Downloadable IOCs: 5

Operation HanKook Phantom: Spear-Phishing Campaign

APT37, a North Korean state-backed cyber espionage group, has launched a sophisticated spear-phishing campaign targeting South Korean government sectors, research institutions, and academics. The attackers use malicious LNK files disguised as legitimate documents to deliver a multi-stage infection …
espionage
north korea
powershell
rokrat
south korea
data exfiltration
fileless
spear-phishing
cloud services
lnk files
2025-08-29
Published: August 29, 2025
Downloadable IOCs: 0

July 2025 APT Attack Trends Report (South Korea)

The report analyzes Advanced Persistent Threat (APT) attacks in South Korea during July 2025. Spear phishing was the primary attack method, with LNK files being the most common vector. Two types of LNK-based attacks were identified: Type A, which uses compressed CAB files containing malicious scrip…
apt
rat
rokrat
south korea
xenorat
lnk files
spear phishing
google drive
dropbox api
2025-08-19
Published: August 19, 2025
Downloadable IOCs: 0

June 2025 APT Attack Trends Report (South Korea)

This analysis examines Advanced Persistent Threat (APT) attacks targeting South Korea in June 2025. Spear phishing emerged as the primary attack vector, with LNK files being the most prevalent method, followed by an increase in HWP file-based attacks. The report details two types of spear phishing …
apt
rat
rokrat
south korea
xenorat
lnk files
spear phishing
2025-07-16
hwp files
Published: July 16, 2025
Downloadable IOCs: 0

Rainbow Hyena strikes again: new backdoor and shift in tactics

A new phishing campaign targeting healthcare and IT organizations in Russia has been attributed to the Rainbow Hyena cluster. The attackers used compromised email addresses to distribute malicious attachments, including polyglot files and LNK files mimicking legitimate documents. A new custom-built…
backdoor
phishing
lnk files
2025-07-15
phantomremote
rainbow hyena
Published: July 15, 2025
Downloadable IOCs: 0

Windows Shortcut (LNK) Malware Strategies

This article provides an in-depth analysis of Windows shortcut (LNK) file malware, based on the examination of 30,000 recent samples. The research reveals four main categories of LNK malware: exploit execution, file on disk execution, in-argument scripts execution, and overlay execution. Each techn…
exploit
windows
lnk files
shortcut
2025-07-02
execution techniques
Published: July 2, 2025
Linked vulnerabilities : CVE-2023-36884, CVE-2010-2568
Downloadable IOCs: 12

May 2025 APT Group Trends (South Korea)

This analysis examines Advanced Persistent Threat (APT) attacks in South Korea during May 2025. The majority of identified attacks utilized spear phishing as the primary infiltration method. Two main types of attacks were observed: Type A, which uses LNK files to execute malicious scripts and downl…
obfuscation
apt
south korea
lnk files
spear phishing
decoy documents
task scheduler
2025-06-18
python scripts
Published: June 18, 2025
Downloadable IOCs: 7

Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation ToyBox Story)

APT37, a North Korean state-sponsored hacking group, launched a spear phishing campaign targeting activists focused on North Korea. The attack involved emails with Dropbox links to malicious LNK files, which when executed, activated additional malware. The group utilized legitimate cloud services a…
north korea
rokrat
south korea
lnk files
spear phishing
CVE-2022-41128
national security
2025-06-06
fileless attacks
cloud c2
Published: June 6, 2025
Downloadable IOCs: 1

April 2025 Threat Trend Report on APT Attacks (South Korea)

This analysis covers APT attacks detected in South Korea during April 2025. Spear phishing emerged as the primary distribution method for these attacks. Two main types of spear phishing were observed: Type A, which uses LNK files to distribute compressed malicious scripts for information leakage an…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
google drive
2025-05-14
dropbox api
Published: May 14, 2025
Downloadable IOCs: 3

Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims

Arctic Wolf Labs discovered a new campaign by Venom Spider targeting corporate HR departments with fake resumes containing the More_eggs backdoor. The financially motivated threat group uses spear-phishing emails and abuses legitimate job platforms to apply for real jobs. The backdoor can steal cre…
backdoor
evasion
javascript
spear-phishing
more_eggs
lnk files
2025-05-03
polymorphism
Published: May 3, 2025
Downloadable IOCs: 3

March 2025 APT Group Trends (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks in South Korea during March 2025. The majority of attacks were classified as spear phishing, with LNK file distribution being the most prevalent method. Two types of LNK-based attacks were identified: Type A, which uses a CA…
obfuscation
apt
python
powershell
south korea
pebbledash
lnk files
spear phishing
2025-04-10
nukesped
task scheduler
cab files
Published: April 10, 2025
Downloadable IOCs: 0

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader contacting geo-fenced servers in Russia and Germany. The second stage payload uses DLL side loading t…
phishing
powershell
ukraine
remcos
dll sideloading
lnk files
2025-03-28
gthost
hyperhosting
Published: March 28, 2025
Downloadable IOCs: 0

APT37 - RokRat

APT37, a North Korean state-sponsored hacking group, has expanded its operations to target users on Windows and Android platforms through phishing campaigns. The group's attack vector involves malicious LNK files distributed via group chat platforms. The infection process begins with phishing email…
phishing
north korea
powershell
rokrat
cloud services
lnk files
remote access trojan
2025-03-12
Published: March 12, 2025
Downloadable IOCs: 9

Lumma Stealer Chronicles: PDF-themed Campaign Using Compromised Educational Institutions' Infrastructure

An ongoing malware campaign is distributing Lumma Stealer, an information-stealing malware, through malicious LNK files disguised as PDF documents. The campaign exploits compromised educational institutions' infrastructure to host these files. When executed, the LNK files initiate a multi-stage inf…
phishing
lumma stealer
information stealing
maas
lnk files
multi-stage infection
2025-02-17
steam profiles
educational institutions
pdf-themed
Published: February 17, 2025
Downloadable IOCs: 24

Coyote Banking Trojan: A Stealthy Attack via LNK Files

A sophisticated multi-stage attack utilizing LNK files to deliver the Coyote Banking Trojan has been identified, primarily targeting Brazilian financial applications. The malware employs PowerShell commands, shellcode injection, and registry manipulation to establish persistence and evade detection…
phishing
lnk files
2025-01-31
coyote banking trojan
Published: January 31, 2025
Downloadable IOCs: 0

December 2024 Threat Trend Report on APT Attacks (South Korea)

This intelligence report analyzes Advanced Persistent Threat (APT) attacks targeting South Korea in December 2024. The primary method of attack was spear phishing, with a focus on distributing LNK files. Two main types of attacks were identified: Type A, which uses compressed CAB files containing m…
apt
rat
rokrat
south korea
xenorat
spear-phishing
lnk files
2025-01-09
decoy documents
Published: January 9, 2025
Downloadable IOCs: 3

Stealthy Cyber Attacks: LNK Files & SSH Commands Playbook

This analysis explores a rising trend in cyber attacks where threat actors leverage LNK files and SSH commands as initial infection vectors. The attackers use meticulously crafted shortcut files, often disguised as legitimate documents, to execute commands using Living-off-the-Land Binaries (LOLBin…
powershell
evasion techniques
lnk files
rundll32
2024-12-19
hackbrowserdata
scp
living-off-the-land binaries
cyber attacks
ssh commands
Published: December 19, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21893
Downloadable IOCs: 6

"Breach Report" from UAC-0099 (CERT-UA#12463)

The Ukrainian CERT-UA investigated cyberattacks by UAC-0099 against government organizations during November-December 2024. The attacks involved emails with malicious attachments, including exploits for CVE-2023-38831. The LONEPAGE program, used for command execution, has evolved to use encrypted f…
powershell
CVE-2023-38831
cloudflare
winrar
lnk files
2024-12-18
lonepage program
Published: December 18, 2024
Downloadable IOCs: 25

Analyzing FLUX#CONSOLE: Using Tax-Themed Lures, Threat Actors Exploit Windows Management Console to Deliver Backdoor Payloads

The FLUX#CONSOLE campaign involves a sophisticated tax-themed phishing attack that exploits Microsoft Management Console (MSC) files to deliver a stealthy backdoor payload. Threat actors use tax-related lures to trick users into executing malicious code. The attack leverages MSC files, which are no…
javascript
dll sideloading
lnk files
2024-12-18
dismcore.dll
xmlhttp
Published: December 18, 2024
Downloadable IOCs: 5

Analysis of Cyber Reconnaissance Activities Behind APT37 Threats

The report analyzes the covert cyber reconnaissance activities of the state-sponsored APT37 group targeting South Korea. The group uses spear-phishing emails with malicious LNK files to deploy the RoKRAT malware, collecting sensitive information from victims' devices. The attackers employ various t…
north korea
rokrat
cyber espionage
reconnaissance
spear-phishing
lnk files
2024-11-06
web beacons
Published: November 6, 2024
Linked vulnerabilities : CVE-2022-41128
Downloadable IOCs: 20

Operation Cobalt Whisper: Threat Actor Targets Multiple Industries Across Hong Kong and Pakistan

A sophisticated cyber espionage campaign dubbed Operation Cobalt Whisper has been uncovered, targeting various industries in Hong Kong and Pakistan. The threat actor focuses on the defense sector, engineering researchers, and key entities in these regions, using tailored lures related to electrotec…
cobalt strike
pakistan
cyber espionage
vbscript
lnk files
2024-10-24
engineering
hong kong
defense sector
Published: October 24, 2024
Downloadable IOCs: 0

Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign Targeting Brazil With Astaroth Malware

Water Makara, a threat actor group, is targeting enterprises in Brazil with a spear phishing campaign using the Astaroth banking malware. The attackers employ obfuscated JavaScript to bypass security defenses, often impersonating official tax documents to trick users. The campaign primarily affects…
brazil
lnk files
2024-10-15
astaroth
spear phishing
domain generation algorithm
tax documents
obfuscated javascript
banking malware
Published: October 15, 2024
Downloadable IOCs: 0

The Open-Source Builder Behind Malicious Loaders

MisterioLNK is a newly discovered open-source loader builder that generates LNK, BAT, CMD, and VBS loader files designed to download and execute remote files. Available on GitHub, it poses a significant challenge to security defenses due to minimal detection rates. The tool supports multiple loader…
rat
remcos rat
2024-10-08
lnk files
blankstealer
misteriolnk
loader builder
dc rat
Published: October 8, 2024
Downloadable IOCs: 0
Click here to see more Attack Reports