executables

Researcher Beukema presented a method for concealing malicious command-line arguments within benign executables using LNK files. This technique allows attackers to initiate trusted Windows binaries while embedding instructions without directly referencing malware. The manipulation occurs in the LNK file's “ExtraData” section by enabling the “HasExpString” flag and configuring the “EnvironmentVariableDataBlock” with null bytes in the “TargetANSI/TargetUnicode” fields. This results in the target field becoming read-only and hiding command-line arguments, which are still passed on when the LNK is opened. This enables exploitation by allowing the execution of arbitrary commands while launching a harmless system component.