LNK-Based Malware Campaigns Deliver PlugX and Custom .NET RAT
Researchers documented two separate but related LNK-driven intrusion chains that used shortcut files as the initial lure to fetch additional malware from attacker-controlled infrastructure. In one campaign targeting organizations in the Arabian Gulf region, a China-nexus threat actor used a Middle East conflict-themed ZIP archive containing an LNK file that downloaded a malicious CHM file and ultimately deployed a PlugX backdoor. The infection chain progressed through a second LNK, a TAR archive, DLL sideloading, and a shellcode loader before installing PlugX with persistence under a fake Microsoft Display Broker path and service name. The malware used RC4-encrypted components, API hooking, reflective DLL loading, corrupted PE headers, and support for TCP, HTTPS, UDP, and DoH communications, with a decrypted command-and-control endpoint at 91.193.17[.]117:443 and plugins for keylogging, shell access, screen capture, registry, service, and network operations.
A second investigation exposed a live LNK-to-DLL-to-.NET RAT operation staged from an open Apache directory on wildishadventure[.]com/secure9/ and 171.22.182[.]231/secure9/, where researchers recovered weaponized LNK files, custom DLL downloaders, backup files, and a final payload named RemoteMgmt.Agent.exe. That chain abused the legacy ActiveXObject('htmlfile') technique to force Windows to retrieve DLLs over UNC paths, then delivered a custom .NET 4.8 remote access trojan that supported command execution, token-based authentication, JSON-over-raw-TCP C2 over port 443, reconnect-based persistence, and logging to %TEMP%\rmgmt_agent.log. Operational security failures including exposed directory indexing, .old backups, test builds, and unstripped internal names allowed investigators to reconstruct the malware’s development workflow and identify infrastructure spanning BlueVPS, Namecheap, and Cloudflare.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers uncover exposed open directory with live multi-stage RAT campaign
By April 2, 2026, investigators had uncovered an open Apache directory at wildishadventure[.]com/secure9/ and 171.22.182[.]231/secure9/ exposing weaponized LNK files, custom DLL downloaders, backups, and a live .NET RAT payload. The exposed files and infrastructure let researchers reconstruct the full attack chain and recover indicators of compromise.
Attackers begin active development of BlueVPS-hosted LNK-to-RAT chain
Evidence from exposed infrastructure showed the LNK-to-DLL-to-.NET RAT malware stack was actively developed between March 24 and April 1, 2026. Researchers found test builds, backup files, and related components indicating iterative development and staging on BlueVPS and associated hosting.
Threat actor launches PlugX attack themed on Middle East conflict
On March 1, 2026, ThreatLabz identified an attack chain targeting the Arabian Gulf region that used a ZIP archive with an LNK file, a malicious CHM, and subsequent stages to deploy a PlugX backdoor variant. The lure included an Arabic decoy PDF referencing Iranian missile strikes against a U.S. base in Bahrain.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
One Open Directory, 12 Samples, and a Live RAT: Dissecting a LNK-to-DLL-to-.NET Attack Chain Staged on BlueVPS - Breakglass Intelligence - Breakglass Intelligence
intel.breakglass.tech
Open sourceChina-nexus Group Targets Arabian Gulf Region | ThreatLabz
zscaler.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing campaigns using Windows LNK files and PowerShell loaders to deliver RATs and ransomware
Multiple recent intrusion reports describe **phishing-led Windows compromises** that rely on **weaponized `.LNK` shortcuts** to trigger **obfuscated PowerShell** execution, display decoy documents, and then fetch additional payloads from public cloud/code platforms. In South Korea, attackers distributed an LNK disguised as financial trading guidance that opens a decoy PDF while running PowerShell; subsequent stages perform anti-analysis/virtualization checks, establish persistence, and retrieve a masked executable from **GitHub** that decrypts code at runtime to run **MoonPeak** malware. Researchers assessed the activity as likely **North Korea–linked** based on GitHub commit metadata and naming patterns. A separate Russia-targeted campaign used business-themed archives containing decoy documents and a malicious LNK to pull a PowerShell loader that establishes persistence and then weakens defenses (including **Microsoft Defender exclusion changes** and use of **`defendnot`**), performs reconnaissance, and tampers with system tooling and file associations before deploying **Amnesia RAT** (fetched from **Dropbox**) and a **Hakuna Matata–derived ransomware** payload for encryption. By contrast, reporting on **KazakRAT** describes a different espionage operation in Kazakhstan/Afghanistan delivered via malicious **MSI** installers and using simple, unencrypted HTTP C2; it is not part of the LNK/PowerShell delivery chains described in the other incidents.
Mar 21, 2026
Threat actors abuse shortcut files and legitimate RMM tools to gain persistent access to Windows systems
Threat actors are increasingly relying on *living-off-the-land* techniques and trusted tooling to establish persistent access on Windows endpoints. One campaign used weaponized Windows shortcut (`.LNK`) files disguised as investment-related PDFs to deliver **MoonPeak**, a remote access trojan assessed as a **XenoRAT** variant and linked to North Korea–aligned activity targeting South Korean investors and cryptocurrency traders. Opening the `.LNK` launches an obfuscated PowerShell-driven, multi-stage infection chain while displaying a decoy PDF; analysis also tied payload hosting to attacker-controlled GitHub repositories, reflecting “Living Off Trusted Sites (LOTS)” tradecraft. A separate dual-wave intrusion chain used phishing emails masquerading as *Greenvelope* invitations to steal webmail credentials (e.g., Outlook, Yahoo, AOL), then used the compromised accounts to register for and silently deploy **LogMeIn Resolve** (formerly *GoTo Resolve*) for persistent remote access. The installer (`GreenVelopeCard.exe`) was described as signed and configured to connect to attacker-controlled infrastructure, with follow-on actions including modifying service settings for elevated access and creating hidden scheduled tasks for resilience. Related threat intelligence reporting also highlighted broader “rogue RMM” abuse trends, including **Remcos** and **NetSupport Manager** delivery via paste-and-run lures and PowerShell/`cmd` execution chains (including use of the `finger` utility to fetch remote payloads), underscoring that adversaries are operationalizing legitimate remote administration software as a stealthy backdoor mechanism.
Mar 21, 2026
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026