Malware News Malicious zip files use Windows Shortcuts to drop malware

Brownie2019

Mar 9, 2019
A new wave of phishing attacks has been detected by the cybersecurity research firm, Blackpoint Cyber, that is exploiting users’ trust in sensitive documents. This research, shared with Hackread.com, reveals a campaign that uses identity-themed phishing archives.

These include fake certified documents, passport scans, and payment files to deliver malicious code. By leveraging familiar file themes, the attackers increase their chances of success and gain initial access to victims’ systems.

In one case examined for this research, a custom-designed spear phishing message was delivered as a ZIP archive, specifically targeting a senior employee or manager with files mimicking routine executive workflows, including identity verification and payment approvals.
Read more :
Thanks for sharing this, Brownie2019. It's a timely reminder of how phishing tactics are evolving to exploit everyday trust in documents like passports or payment files. Blackpoint Cyber's findings highlight the risks of ZIP archives and Windows shortcuts being weaponized for malware delivery—definitely something to watch out for in executive or financial workflows.

  • Quick tips to stay safe: Always scan attachments with reliable antivirus software before opening, even if they seem legitimate. Enable multi-factor authentication (MFA) wherever possible, and be cautious with unsolicited emails requesting identity verification.
  • If you're dealing with sensitive docs, consider using secure file-sharing platforms instead of email attachments.

Looking forward to more discussions on this—has anyone encountered similar phishing attempts recently?
 
WHHL will block all lnk and Ps1 files outside system area; SAC will block lnk files of any file with motw and will run Ps1 in constrained language mode (or I assume they do).
WHHL will block all lnk and Ps1 files outside system area; SAC will block lnk files of any file with motw and will run Ps1 in constrained language mode (or I assume they do).

Yes, with one correction. SAC does not apply Constrained Language.
But it did not block a freshly downloaded MAS cmd with MoTW!
I think it developed a malfunction with SS at the same time.

I am lost. If it was not freshly downloaded, it should not have MotW. No SS checking.
I am lost. If it was not freshly downloaded, it should not have MotW. No SS checking.
I freshly downloaded the cmd file (with MotW), then copied it and removed the MotW from the copy.
I would also like to ask: if a WDAC policy includes Dynamic Code Security (for DLL files), does that make it comparable to SAC for blocking malicious DLL sideloading?
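The posts above hinge on whether a file still carries Mark of the Web, since SAC and SmartScreen only treat files with the Zone.Identifier stream as downloaded. The script below is an added example, not code from the thread or from any of the posters; it audits a folder of extracted attachment contents for shortcut and script files and reports which ones lack MotW. The path C:\Quarantine\extracted is an assumed placeholder.

```powershell
# Added example (not from the thread): audit extracted attachment contents for
# shortcut/script files and report whether each carries Mark of the Web
# (the Zone.Identifier NTFS alternate data stream).
# Assumed placeholder path; point it at the folder you extracted the archive into.
param(
    [string]$Path = 'C:\Quarantine\extracted'
)

# File types discussed in the thread: shortcuts and scripts that SAC/WHHL treat specially.
$riskyExtensions = '.lnk', '.ps1', '.cmd', '.bat', '.js', '.vbs'

Get-ChildItem -LiteralPath $Path -Recurse -File |
    Where-Object { $riskyExtensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $file = $_
        # Zone.Identifier exists only on files that were downloaded, or extracted
        # by an archiver that propagates the stream; reading a missing stream
        # errors, so suppress that and treat "no content" as "no MotW".
        $zone = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null
        if ($zone) {
            # Typical stream content: [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...
            $line = $zone | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
            if ($line) { $zoneId = [int]($line -split '=', 2)[1] }
        }
        $note = ''
        if (-not $zone) {
            $note = 'No MotW: SAC/SmartScreen will not treat this file as downloaded'
        }
        [pscustomobject]@{
            File    = $file.FullName
            HasMotW = [bool]$zone
            ZoneId  = $zoneId          # 3 = Internet, 4 = Restricted sites
            Note    = $note
        }
    } | Format-Table -AutoSize
```

Files that show no MotW after extraction from a downloaded archive are the case the thread is circling: not every archiver propagates the stream from the ZIP to its contents, and a copy that has had the stream removed looks identical to a locally created file.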
I would also like to ask: if a WDAC policy includes Dynamic Code Security (for DLL files), does that make it comparable to SAC for blocking malicious DLL sideloading?

The first is related to .NET DLLs that are created on the fly. However, it will block many .NET applications. SAC does not use it.