Rise of LNK (Shortcut files) Malware

Authored by Lakshya Mathur

An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. These files can be created manually using the standard right-click create shortcut option or sometimes they are created automatically while running an application. There are many tools also available to build LNK files, also many people have built “lnkbombs” tools specifically for malicious purposes.

During the second quarter of 2022, McAfee Labs has seen a rise in malware being delivered using LNK files. Attackers are exploiting the ease of LNK, and are using it to deliver malware like Emotet, Qakbot, IcedID, Bazarloaders, etc.

Figure 1 – Apr to May month geolocation of the LNK attacks

In this blog, we will see how LNK files are being used to deliver malware such as Emotet, Qakbot, and IcedID.

Below is a screenshot of how these shortcut files look to a normal user.

Figure 2 _ LNK files as seen by a normal user


With Microsoft disabling office macros by default malware actors are now enhancing their lure techniques including exploiting LNK files to achieve their goals.

Threat actors are using email spam and malicious URLs to deliver LNK files to victims. These files instruct legitimate applications like PowerShell, CMD, and MSHTA to download malicious files.

We will go through three recent malware campaigns Emotet, IcedID, and Qakbot to see how dangerous these files can be.




Figure 3 _Emotet delivered via LNK ..

Support the originator by clicking the read the rest link below.