A shortcut to malware: cyber pros warn of hackers dropping backdoors via LNK files


The file appears as an innocent link to a PDF or a Word document, complete with the familiar icon. When viewed in Windows Explorer, there’s nothing to indicate that it’s malicious. But if clicked, it will drop a dangerous REMCOS backdoor or other malware.

Security firm Point Wild’s Lat61 Threat Intelligence Team has warned about hackers targeting Windows users with malicious link (LNK) files that deliver the dangerous REMCOS backdoor.

This malware can exfiltrate files, capture webcam video and microphone audio, log keystrokes, take screenshots, and manipulate inputs. It has previously been used to elevate privileges and run arbitrary commands, granting hackers near-total control over the system.


Once again, LNK files take center stage in the ongoing campaign.

“Don’t click on suspicious links or attachments,” the new report warns.

Yet, there’s almost nothing to indicate that the file is suspicious. Cybernews has previously reported that Microsoft link (LNK) files fail to present users with critical information about their true nature, and attackers are capable of hiding malicious payloads, sometimes as large as 55MB. Meanwhile, Microsoft is not addressing the problem.

“These shortcuts are disguised to look harmless, like a document, folder, or disk drive. When a user clicks on them, instead of opening a normal file, they secretly run a command,” Point Wild researchers said.

They detail many hidden paths through which hackers abuse these files to infect victims’ computers. Attackers abuse legitimate, trusted system tools to download and run harmful code directly in memory, without leaving any traces on the storage disk.

Three attack vectors are the most common, and phishing emails are hackers’ favorite delivery method. Carefully crafted emails deliver documents, invoices, or other files as link-file attachments directly, but more frequently the link files are hidden inside a ZIP, RAR, or other archive.


However, malicious files are also frequently delivered via malicious websites or downloads.


“Users might be tricked into downloading what appears to be a legitimate file but is actually an LNK file,” the report reads.

Hackers have also been observed placing malicious LNK files on accessible network drives. Pirated software is another common vector.

What makes the file malicious?

Typically, shortcuts (LNK files) point to another file, folder, or app for easy access. They also appear like the resource they link to, with only a small arrow in the bottom left corner indicating that they’re a shortcut.

However, hackers tweak the target field with a malicious command instead of a path to a legitimate file. The command invokes a legitimate Windows tool, such as Command Prompt (CMD), PowerShell, mshta.exe, or rundll32.exe, to execute malicious commands, scripts, or DLL functions.

By default, Windows hides known file extensions, so “.lnk” is not visible. Hackers choose file names accordingly, e.g., “Invoice.pdf.lnk”, so that victims see only “Invoice.pdf”.


Attackers can even abuse other LNK properties to hide their code, such as crafting a custom path to the icon file so that it points to a malicious DLL or executable, triggering code execution when Windows tries to load the icon. Alternate Data Streams (ADS) are another feature used to hide malicious payloads.
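To make the indicators above concrete (a hidden “.lnk” behind a second extension, a target that launches cmd.exe, PowerShell, mshta.exe or rundll32.exe, arguments too long to see in the Properties dialog, and an icon path that loads a DLL or executable), here is an added Python example; it is not code from Point Wild or Cybernews. It parses the fixed header and the string sections of the Windows shortcut format (MS-SHLLINK), skipping the binary ID list where the absolute target usually lives, so it inspects the relative path and the arguments instead. The 260-character limit is an assumed threshold for what the Properties dialog displays, and the sample shortcut, including its filler “encoded command”, is constructed for the demonstration.

```python
"""Minimal Windows shortcut (.lnk) inspector for the abuse patterns described
above. Added example, not code from Point Wild or Cybernews. Parses the
ShellLinkHeader and StringData sections of MS-SHLLINK (LinkTargetIDList and
LinkInfo are skipped) and reports indicators a defender would triage."""
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR = 0x04, 0x08, 0x10
HAS_ARGS, HAS_ICON, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields appear in this fixed order when their flag is set.
STRING_ORDER = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                (HAS_ICON, "icon_location")]
# System tools the article names as launch targets for malicious shortcuts.
LOLBINS = ("cmd.exe", "powershell", "mshta.exe", "rundll32.exe")
VISIBLE_ARG_LIMIT = 260  # assumed: roughly what the Properties dialog shows


def build_lnk(relative_path, arguments, icon_location):
    """Build a minimal Unicode .lnk with only StringData (constructed sample)."""
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))  # attributes, timestamps, etc.

    def string_data(text):  # CountCharacters (2 bytes) + UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return (header + string_data(relative_path) + string_data(arguments)
            + string_data(icon_location))


def parse_lnk(data):
    """Return LinkFlags plus whichever StringData strings are present."""
    if (len(data) < 0x4C or data[:4] != struct.pack("<I", 0x4C)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:  # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for bit, key in STRING_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def assess_lnk(filename, data):
    """Return (indicator, detail) pairs for the shortcut; empty means clean."""
    findings = []
    lower_name = filename.lower()
    if lower_name.endswith(".lnk") and "." in lower_name[:-4]:
        findings.append(("double_extension",
                         "shown as %r when extensions are hidden" % filename[:-4]))
    fields = parse_lnk(data)
    launch = (fields.get("relative_path", "") + " "
              + fields.get("arguments", "")).lower()
    for tool in LOLBINS:
        if tool in launch:
            findings.append(("lolbin", "launches %s" % tool))
    args = fields.get("arguments", "")
    if len(args) > VISIBLE_ARG_LIMIT:
        findings.append(("long_arguments",
                         "%d chars, beyond what Properties shows" % len(args)))
    for token in args.lower().split():
        # -e, -en, -enc ... -encodedcommand: PowerShell's base64 command switch
        if (token.startswith("-") and len(token) > 1
                and "encodedcommand".startswith(token[1:])):
            findings.append(("encoded_command", token))
            break
    icon = fields.get("icon_location", "").lower()
    if icon.endswith((".dll", ".exe")) and "\\windows\\" not in icon:
        findings.append(("icon_path", "icon loaded from %s" % icon))
    return findings


# Constructed sample: a "PDF" shortcut that actually runs cmd.exe/PowerShell.
SAMPLE_NAME = "Invoice.pdf.lnk"
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    "/c powershell -w hidden -enc " + "Q" * 300,  # filler, not a payload
    r"%APPDATA%\loader.dll",
)

if __name__ == "__main__":
    for indicator, detail in assess_lnk(SAMPLE_NAME, SAMPLE_LNK):
        print("%-16s %s" % (indicator, detail))
```

For a real attachment, pass the file’s bytes to assess_lnk: the byte-level parse does not depend on the icon Explorer renders, which is exactly the gap the article describes, since on screen the file looks like a PDF.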


“The victim double-clicks the disguised LNK file, believing it to be a safe document or program,” the report reads.

“Unlike malicious Office documents, LNK files don’t trigger macro security warnings. Execution happens silently.”

Windows will execute the embedded command, which may consist of a complete malware package or just the first stage that downloads and executes malware from a remote server.

Even when viewing the properties of a malicious LNK file, the user won’t be able to spot the malicious command. The target field displays only a limited number of characters, so hackers use lengthy commands and various obfuscation techniques to keep the malicious part out of view.


“Malicious LNK shortcut files remain a serious threat because they’re easy to create, hard to detect, and trick users into running harmful commands. Since these attacks keep evolving, users should always be cautious with shortcut files, especially from emails or untrusted sources,” the researchers warn.

“Always double-check before opening attachments or clicking links to avoid infection.”

Hackers used IPs in Romania and the US

The researchers, who observed hackers delivering REMCOS and spying on Windows users, have identified two servers, in Romania and the US, that are used for this malicious activity.

One IP address (92.82.184.33), located in Romania, is associated with the network AS9050, which is Telekom Romania Communication S.A. The domain name “shipping-hr[.]ro” has resolved to this IP address. Another IP address in the US, 198.23.251.10, tied to the “mal289re1[.]es” domain, was also connected to the campaign.
