Read more :
Malicious ZIP Files Use Windows Shortcuts to Drop Malware
Follow us on Bluesky, Twitter (X), Mastodon and Facebook at @Hackread
hackread.com
Malicious zip files use Windows Shortcuts to drop malware
- Thread starter Brownie2019
- Start date
hackread.com
Thanks for sharing this, Brownie2019. It's a timely reminder of how phishing tactics are evolving to exploit everyday trust in documents like passports or payment files. Blackpoint Cyber's findings highlight the risks of ZIP archives and Windows shortcuts being weaponized for malware delivery—definitely something to watch out for in executive or financial workflows.Read more :
Malicious ZIP Files Use Windows Shortcuts to Drop Malware
Follow us on Bluesky, Twitter (X), Mastodon and Facebook at @Hackread
- Quick tips to stay safe: Always scan attachments with reliable antivirus software before opening, even if they seem legitimate. Enable multi-factor authentication (MFA) wherever possible, and be cautious with unsolicited emails requesting identity verification.
- If you're dealing with sensitive docs, consider using secure file-sharing platforms instead of email attachments.
Looking forward to more discussions on this—has anyone encountered similar phishing attempts recently?
WHHL will block all lnk and Ps1 files outside system area; SAC will block lnk files of any file with motw and will run Ps1 in constrained language mode (or I assume they do).
Yes, with one correction. SAC does not apply Constrained Language.
Does SAC block scripts in general? When tried, I have found it permissive.
No. Only scripts with MotW are blocked.
But it did not freshly downloaded MAS cmd with MoTW!
I think it developed malfunction with SS simultaneously.
I am lost. If it was not freshly downloaded, it should not have MotW. No SS checking.
I freshly download cmd file (with motw), the copied and removed motw from the copy.
I would like also to ask if wdac policy included dynamic code security (for dll files), does it make it comparable to SAC for blocking malicious dll sideloading?
The first is related to .NET DLLs that are created on the fly. However, it will block many .NET applications. SAC does not use it.
Attackers are actively exploiting this vulnerability in Windows for which no security update is available, according to security firm Arctic Wolf. The vulnerability is believed to have been used in attacks against European diplomats, including those in Belgium. The vulnerability (CVE-2025-9491) occurs during the processing of .LNK files. Specially crafted data within the .LNK file prevents dangerous command line arguments from being visible when users inspect the file.
Why does MS not address this.
Why does MS not address this.
If you have script files blocked outside system space (such as using WHHL or AppLocker), the execution chain will be disrupted.Attackers are actively exploiting this vulnerability in Windows for which no security update is available, according to security firm Arctic Wolf. The vulnerability is believed to have been used in attacks against European diplomats, including those in Belgium. The vulnerability (CVE-2025-9491) occurs during the processing of .LNK files. Specially crafted data within the .LNK file prevents dangerous command line arguments from being visible when users inspect the file.
Why does MS not address this.
Blocking script files can block many attacks. However, it seems that in this particular attack, PowerShell CmdLines are used directly from the shortcut (no script file).
One has to block shortcuts in UserSpace (like SWH in WHHLight) to fully prevent the attack. AppLocker and WDAC can mitigate the attack by blocking DLL hijacking (side-loading).
In terms of prevention:
It should also be noted that anyone who opens such a long link in an email without scanning it first... deserves to be infected.
Google Safe Browsing blocks it.
VirusTotal
It should also be noted that anyone who opens such a long link in an email without scanning it first... deserves to be infected.
Google Safe Browsing blocks it.
VirusTotal
@Parkinsond
Yes blocking powershell.exe should block the infection chain at the start for that sample.
Tried to run the .lnk file from inside the .zip file (double-click on it):
Then have disabled all rules except "Block execution of powershell.exe" and it was blocked too:
The .lnk malware sample file can be found on MalwareBazaar with SHA256 hash:
911cccd238fbfdb4babafc8d2582e80dcfa76469fa1ee27bbc5f4324d5fca539
Yes blocking powershell.exe should block the infection chain at the start for that sample.
Tried to run the .lnk file from inside the .zip file (double-click on it):
Then have disabled all rules except "Block execution of powershell.exe" and it was blocked too:
The .lnk malware sample file can be found on MalwareBazaar with SHA256 hash:
911cccd238fbfdb4babafc8d2582e80dcfa76469fa1ee27bbc5f4324d5fca539
Last edited:
Yes, in this example. Of course, the attackers are not obliged to use PowerShell. Similar attacks can be done by using other script engines and some LOLBins.
PowerShell is the most popular.
You may also like...
-
New Multi-Stage Windows Malware Disables Microsoft Defender Before Dropping Malicious Payloads- Started by Brownie2019
- Replies: 6
-
Hackers Weaponize SVG Files and Office Documents to Target Windows Users
- Started by Brownie2019
- Replies: 2
-
Transparent Tribe Launches New RAT Attacks Against Indian Government and Academia- Started by Captain Awesome
- Replies: 2
-
Malicious 7-Zip site distributes installer laced with proxy tool- Started by Parkinsond
- Replies: 35
-
Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection
- Started by Brownie2019
- Replies: 12