Malware Analysis Who Needs Macros? Threat Actors Pivot to Abusing Explorer and Other LOLBins via Windows Shortcuts


Thread author
Staff Member
Malware Hunter
Jul 27, 2015
Quote: " This article discusses Windows shortcuts (LNK files) as a medium to deploy malware and/or establish persistence. In the initial stages of an attack, threat actors are gravitating more towards the use of malicious shortcuts that deploy malware by executing code in the context of so-called living-off-the-land binaries (LOLbins) – legitimate executables that are readily available on Windows systems, such as powershell.exe or mshta.exe – to bypass detection. Threat actors conveniently build malicious LNK files with Windows system capabilities or tools specifically designed for that purpose, and then distribute the files to victims, usually through phishing emails.

Because of these advantages, threat actors are widely abusing shortcuts. Since Microsoft’s announcement that Office applications will by default disable the execution of Office macros in the context of documents that originate from untrusted sources, there has been a significant uptick in malicious actors using alternative mediums for deploying malware, such as malicious Windows Apps and shortcuts (LNK files). We covered malicious Windows Apps in a previous article. In this article, we focus on malicious shortcuts and provide:
  • Insights about execution chains that originate from malicious shortcuts. We base our insights on an analysis of 27510 malicious LNK file samples from VirusTotal that are representative of the current malicious shortcut landscape.
  • An overview of active widespread attack campaigns that involve malicious shortcuts and of the dynamics of the cybercrime market for tools that build malicious LNK files.
  • A summarizing overview of the system activities that take place when a user executes a malicious shortcut. This enables a better and generic understanding of what occurs on a system when a user falls prey to an attack that involves a malicious LNK file.

Current Developments in the Malicious Shortcut Threat Scene

Given the popularity of LNK files among threat actors, the dynamics of the cybercrime market for tools has quickly adjusted to serve the demand for tools that build malicious LNK files in a configurable and convenient manner. We spotlight in this section the mLNK and QuantumBuilder tools for building malicious LNK files. We observed that these tools have recently received updates and are currently being intensively advertised in the cybercrime web space.


The mLNK tool – released by NativeOne, a tool vendor on the cybercrime scene – is known for its configurability and ease of use. NativeOne released the newest version of the tool, version 4.2, in June 2022. We observed an intensive advertising campaign for the new mLNK version on cybercrime forums and market places. The new mLNK version brings new features that enable building LNK files that can evade Windows detection mechanisms, such as Microsoft Defender SmartScreen. The public release of mLNK currently sells for a basic price of $100 per month. NativeOne also sells a private release of mLNK 4.2 for $125.00, which bundles more evasion mechanisms than the $25.00 cheaper public release of the tool. "


Quote: "

Active Attack Campaigns Leveraging Shortcuts

A number of widespread attack campaigns that involve malicious shortcuts are active at the time of writing this article:
  • Threat actors have started intensively distributing the major malware families QBot, Emotet, IcedID, and Bumblebee through LNK files since the second quarter of 2022. These malware families are capable of deploying additional malware on compromised systems, including destructive ransomware. In addition, the Threat Analysis Group (TAG) at Google has observed Exotic Lily, an initial access broker (IAB) for ransomware actors, distributing malicious LNK files to infect systems.
  • Threat actors have been massively deploying the Raspberry Robin worm on systems through malicious LNK files since September 2021. These attacks specifically involve infected USB media, containing malicious LNK files.
  • There are several Ukraine-themed attack campaigns as well as attack campaigns specifically targeting Ukrainian systems that are active since the second quarter of 2022. The Armageddon threat group, which the Security Service of Ukraine identifies as a unit of the Federal Security Service of the Russian Federation, has been distributing malicious LNK files through targeted phishing emails. The malicious LNK files deploy the GammaLoad.PS1_v2 malware on compromised systems. There are also other Ukraine-themed malicious LNK files currently in circulation. In addition, the GlowSand attack campaign includes malicious LNK files that download payloads from attacker-controlled endpoints that respond only to requests from systems with Ukrainian IP addresses. "
Full source:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.