EXECUTIVE SUMMARY:
A new phishing campaign is leveraging Windows .LNK shortcut files to deliver the DeerStealer malware, a tool known for stealing personal and financial data. The malicious file is disguised as a legitimate document to trick users into clicking. Once executed, it launches a multi-stage infection chain using built-in Windows tools like mshta.exe, cmd.exe, and PowerShell. This method, often referred to as “living off the land,” allows attackers to avoid detection by security software that trusts these native utilities. The .LNK file doesn’t carry the malware directly but initiates a script execution process that leads to the final payload. These scripts are heavily obfuscated using techniques such as Base64 and hex encoding, and they manipulate system paths and settings to make analysis more difficult. By disabling PowerShell logging and using dynamic paths, the attackers significantly reduce the visibility of their actions during and after the infection process.
The attack unfolds through a clear five-step chain: .LNK file triggers mshta.exe, which runs a command through cmd.exe, invoking PowerShell to decode and execute a malicious script that finally drops DeerStealer. The .LNK file contains encoded instructions that hide the true intent and location of the payload. Once PowerShell is launched, it runs decoded commands entirely in memory, avoiding the creation of files that could be flagged by security tools. It also disables monitoring features like script logging. The final payload, DeerStealer, is dropped into the AppData folder. To avoid raising user suspicion, the script opens a harmless-looking PDF as a distraction. Throughout the process, the malware authors use trusted Windows binaries and encode their activity to bypass detection systems, making the attack difficult to spot without behavioral monitoring.
This campaign demonstrates how attackers can use legitimate tools and misleading file formats to deploy malware with minimal risk of detection. Traditional antivirus systems often fail to recognize threats that use native Windows processes and obfuscated scripts. The use of decoy files further increases the success rate by diverting user attention. Defenders need to focus on behavioral analysis rather than signature-based detection. Monitoring for unusual use of scripting engines and chained execution of system tools is critical. Restricting access to utilities like mshta.exe and enforcing application control policies can help prevent such attacks. Organizations should also educate users about the risks of opening unknown files, even if they appear harmless. As attackers continue to rely on stealth and trusted tools, defenders must adapt by enhancing visibility and controls around how common binaries are used in their environments.
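The report recommends monitoring for chained execution of system tools rather than relying on signatures. The following detection logic is an added example (not from the report or any vendor product): it reconstructs parent-child lineage from constructed process-creation records and flags PowerShell whose ancestry contains the mshta.exe -> cmd.exe -> powershell.exe chain described above. The sample events, PIDs, paths and the indicator strings are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event ID 1 style), reduced to what the rule needs."""
    pid: int
    ppid: int
    image: str      # lower-case image base name, e.g. "mshta.exe"
    cmdline: str

# The chain from the report, oldest stage first: mshta.exe spawns cmd.exe, which spawns PowerShell.
SUSPICIOUS_CHAIN = ("mshta.exe", "cmd.exe", "powershell.exe")

# Command-line fragments that raise severity; these are assumed indicators, not values from the report.
POWERSHELL_FLAGS = ("-encodedcommand", "-enc ", "-windowstyle hidden", "scriptblocklogging")

def lineage(events, pid):
    """Return image names from the oldest known ancestor down to the given process."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # the 'seen' guard stops loops from recycled PIDs
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return tuple(reversed(chain))

def detect(events):
    """Flag every powershell.exe whose lineage contains the suspicious chain as a contiguous run."""
    findings = []
    n = len(SUSPICIOUS_CHAIN)
    for e in events:
        if e.image != "powershell.exe":
            continue
        line = lineage(events, e.pid)
        if any(line[i:i + n] == SUSPICIOUS_CHAIN for i in range(len(line) - n + 1)):
            flags = [f for f in POWERSHELL_FLAGS if f in e.cmdline.lower()]
            findings.append({"pid": e.pid, "lineage": line, "flags": flags})
    return findings

# Constructed sample telemetry (not from the campaign). PIDs 200-400 model the reported chain;
# PIDs 500-600 model an administrator running PowerShell from a console and must not fire.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "mshta.exe", "mshta.exe C:\\Users\\Public\\placeholder.hta"),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c powershell -WindowStyle Hidden -EncodedCommand <placeholder>"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -WindowStyle Hidden -EncodedCommand <placeholder>"),
    ProcEvent(500, 100, "cmd.exe", "cmd.exe"),
    ProcEvent(600, 500, "powershell.exe", "powershell.exe -NoProfile Get-Service"),
]
```

Calling `detect(SAMPLE_EVENTS)` returns a single finding for PID 400 and nothing for the console-launched PowerShell, which is the distinction the report's behavioural-monitoring advice relies on.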
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1218.005 | Signed Binary Proxy Execution | Mshta |
| Defense Evasion | T1027 | Obfuscated Files or Information | - |
| Defense Evasion | T1112 | Modify Registry | - |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Collection | T1005 | Data from Local System | - |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |