New Research Explores the World of Malicious LNK Files and Their Hackers

Cybercriminals are increasingly utilizing malicious LNK files as a point of entry to download and execute payloads such as Bumblebee, IcedID, and Qakbot.

A recent study by cybersecurity experts demonstrated that it is possible to identify relationships between different threat actors by analyzing the metadata of malicious LNK files, revealing information such as the specific tools and techniques used by different groups of cybercriminals as well as potential links between attacks that appear to be unrelated.

In a report shared with The Hacker News, Cisco Talos researcher Guilherme Venere stated, “With the increasing use of LNK files in attack chains, it is logical that threat actors have begun developing and employing tools to create such files.”

This includes applications such as NativeOne’s mLNK Builder and Quantum Builder, which permit users to generate malicious shortcut files and circumvent security solutions.

Bumblebee, IcedID, and Qakbot are among the major malware families that have used LNK files for initial access, and by examining the metadata of the artifacts Talos identified connections between Bumblebee and IcedID, and between Bumblebee and Qakbot.

Multiple samples of LNK files that led to IcedID and Qakbot infections, as well as those used in various Bumblebee campaigns, were discovered to share the same Drive Serial Number.
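To show what that pivot looks like in practice, here is an added example (not Talos's tooling and not code from the report) that reads the DriveSerialNumber from the VolumeID structure of a shell link, as laid out in Microsoft's MS-SHLLINK specification, and groups samples that share one. The LNK bytes and serial values are constructed inline for the demonstration; they are not real samples or indicators.

```python
"""Pivot on the DriveSerialNumber in an LNK file's LinkInfo/VolumeID (MS-SHLLINK)."""
import struct
from collections import defaultdict

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x1, 0x2
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1


def drive_serial_number(data: bytes):
    """Return the VolumeID DriveSerialNumber, or None when the link has no VolumeID."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the optional LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    li_flags, vol_off = struct.unpack_from("<II", data, pos + 8)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                              # network-only link, no VolumeID
    return struct.unpack_from("<I", data, pos + vol_off + 8)[0]


def cluster_by_serial(samples: dict) -> dict:
    """Group sample names by shared serial; singletons are dropped as uninteresting."""
    groups = defaultdict(list)
    for name, data in samples.items():
        serial = drive_serial_number(data)
        if serial is not None:
            groups[serial].append(name)
    return {f"{s:08X}": sorted(n) for s, n in groups.items() if len(n) > 1}


def build_minimal_lnk(serial: int, base_path: bytes = b"C:\\") -> bytes:
    """Constructed sample (not a real file): header + LinkInfo + VolumeID only."""
    volume_id = struct.pack("<IIII", 17, 3, serial, 16) + b"\x00"   # empty label
    base, suffix = base_path + b"\x00", b"\x00"
    li_size = 28 + len(volume_id) + len(base) + len(suffix)
    link_info = struct.pack("<IIIIIII", li_size, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            28, 28 + len(volume_id), 0, li_size - 1)
    link_info += volume_id + base + suffix
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, HAS_LINK_INFO,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + link_info + b"\x00\x00\x00\x00"  # TerminalBlock


if __name__ == "__main__":
    corpus = {"a.lnk": build_minimal_lnk(0xDEADBEEF),
              "b.lnk": build_minimal_lnk(0xDEADBEEF, b"D:\\"),
              "c.lnk": build_minimal_lnk(0x0BADF00D)}
    print(cluster_by_serial(corpus))
```

A shared serial is a lead, not proof: a builder that stamps a fixed VolumeID into every file will make unrelated operators look linked, so corroborate with other metadata (machine ID, timestamps, icon path) before drawing conclusions.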

In their attacks against Ukrainian government entities, advanced persistent threat (APT) groups such as Gamaredon (aka Armageddon) have also utilized LNK files.

As a result of Microsoft’s decision to disable macros by default in Office documents downloaded from the Internet, threat actors have adopted alternative attachment types and delivery mechanisms to distribute malware, as evidenced by the increase in campaigns employing malicious shortcuts.

Recent analyses by Talos and Trustwave have revealed that both APT actors and generic malware families are using Excel add-in (XLL) files and Publisher macros to drop remote access trojans on compromised systems.

Moreover, threat actors have been observed leveraging rogue Google Ads and search engine optimization (SEO) poisoning to distribute off-the-shelf malware such as BATLOADER, IcedID, Rhadamanthys Stealer, and Vidar to victims searching for a variety of legitimate software.

BATLOADER is capable of installing additional malware, including Cobalt Strike, Qakbot, Raccoon Stealer, RedLine Stealer, SmokeLoader, Vidar, and ZLoader. BATLOADER is associated with an intrusion set identified by Trend Micro as Water Minyades.

“Attackers imitate the websites of popular software projects to deceive victims into infecting their computers and purchase search engine advertisements to drive traffic there,” said HP Wolf Security researcher Patrick Schlapfer.
