Tuesday, March 17, 2026

50% Increase in LNK File Exploits Across Four Major Malware Types

The cyber threat landscape is evolving fast as attackers increasingly exploit Windows shortcut (.lnk) files to deliver malware.

Recent telemetry shows a sharp rise in malicious LNK samples: from 21,098 in 2023 to a staggering 68,392 in 2024, a surge of over 200%.

Our in-depth investigation of 30,000 new LNK malware samples reveals four primary attack types, employing increasingly sophisticated techniques with broad implications for both security professionals and everyday Windows users.

LNK Files – An Attractive Target for Malware

Windows LNK files, commonly known as shortcuts, provide users with direct access to files, folders, or applications, often sitting innocuously on desktops or in download folders.

Their flexibility makes them attractive for attackers: LNK files can execute arbitrary content and are easily disguised with familiar icons and filenames.

Distribution of indicators for the three important structures from 30,000 malicious LNK files.

Malicious LNK files are particularly dangerous because Windows hides the “.lnk” extension in Explorer, making them appear as legitimate documents or utilities.

When unsuspecting users double-click, thinking they’re opening a text file or PDF, they may launch a hidden script or executable.

Four Major Categories of LNK Malware

Our analysis classifies LNK malware into four primary categories based on attack technique:

  1. Exploit Execution:
    These LNK files are crafted to exploit vulnerabilities in Windows, such as the notorious CVE-2010-2568. They can trigger the vulnerability just by being viewed in a folder, without requiring users to double-click.
  2. Malicious File Execution:
    LNK files may simply point to and execute a malicious payload already on disk, or leverage trusted system tools like powershell.exe, wscript.exe, or rundll32.exe to trigger hidden malware.
  3. In-Argument Script Execution:
    Here, attackers embed malicious scripts directly in the command-line arguments field. The shortcut launches interpreters (often PowerShell or cmd) with these arguments, allowing highly obfuscated, encoded payloads to run, sometimes downloading and executing additional binaries on the fly.
  4. Overlay Content Execution:
    Sophisticated LNK malware embeds additional payloads, such as base64-encoded scripts, binaries, or even HTML Application (HTA) files as “overlay” data appended to the shortcut. Custom command-line arguments then extract and execute this hidden content using tools like findstr, mshta.exe, or PowerShell intrinsic commands.

Vigilance and Detection Remain Critical

Nearly all malicious LNK files analyzed contained suspicious target paths, unusual command-line arguments, or referenced system utilities in ways rarely seen in legitimate shortcuts.

Security experts advise users to right-click and inspect shortcut properties, focusing on the “Target” field for long strings, references to scripts, system tools, or unknown locations.
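The manual inspection of the "Target" field described above can be automated. The Python parser below is an added example, not code from the original article: it walks the Shell Link structures (header, LinkTargetIDList, LinkInfo, StringData, ExtraData), extracts the target path and arguments, and flags the traits associated with categories 2 to 4 above. The sample shortcut it builds is constructed for the demonstration, and the utility watch-list, the regular expression and the 200-character threshold are assumptions.

```python
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
LOLBINS = ("powershell", "cmd", "wscript", "cscript", "mshta", "rundll32", "findstr")  # assumed watch-list

def build_lnk(relative_path, arguments, overlay=b""):  # builds a constructed sample (ASCII strings only)
    flags = 0x08 | 0x20 | 0x80                        # HasRelativePath | HasArguments | IsUnicode
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * 52
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + strings + struct.pack("<I", 0) + overlay  # zero-size block ends ExtraData; overlay follows

def parse_lnk(data):  # walks ShellLinkHeader -> LinkTargetIDList -> LinkInfo -> StringData -> ExtraData
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    off = 0x4C
    if flags & 0x01:                                    # HasLinkTargetIDList: u16 size, then the item list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:                                    # HasLinkInfo: u32 size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & 0x80)
    info = {}
    for bit, name in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                      (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:                                 # StringData: u16 character count, then the characters
            count = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2:off + 2 + (count * 2 if unicode else count)]
            off += 2 + len(raw)
            info[name] = raw.decode("utf-16-le" if unicode else "cp1252")  # cp1252 assumed for ANSI links
    while off + 4 <= len(data) and struct.unpack_from("<I", data, off)[0] >= 4:
        off += struct.unpack_from("<I", data, off)[0]   # skip one ExtraData block
    info["overlay"] = data[off + 4:]                    # bytes after the terminal block = appended payload
    return info

def suspicious_indicators(info):  # category 2 (LOLBin), 3 (in-argument script), 4 (overlay) traits
    text = " ".join(info.get(k, "") for k in ("relative_path", "arguments", "icon_location")).lower()
    checks = [
        (any(b in text for b in LOLBINS), "references a system interpreter/utility"),
        (len(info.get("arguments", "")) > 200, "unusually long command-line arguments"),
        (re.search(r"-e(ncodedcommand|nc|n|c)?\b|frombase64string|iex|downloadstring", text),
         "encoded or download-and-execute script in arguments"),
        (info["overlay"], f"{len(info['overlay'])} bytes of overlay data appended after ExtraData"),
    ]
    return [msg for cond, msg in checks if cond]

if __name__ == "__main__":
    sample = build_lnk("..\\..\\Windows\\System32\\cmd.exe",
                       "/c powershell -nop -w hidden -enc CONSTRUCTED_B64", b"<html>constructed overlay</html>")
    print(suspicious_indicators(parse_lnk(sample)))
```

Point `parse_lnk` at the bytes of a real shortcut to see its StringData and any overlay; a clean document shortcut should produce an empty indicator list.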

As LNK-based threats proliferate, leveraging advanced security solutions such as next-generation firewalls, endpoint detection, and real-time exploit prevention is essential.

Awareness and caution can help regular users avoid falling victim to these increasingly common attack vectors. Cybersecurity organizations urge everyone to scrutinize unfamiliar shortcuts and think before clicking.

Indicators of Compromise

The following are SHA256 hashes of the LNK malware samples reviewed in this article:

  • a90c87c90e046e68550f9a21eae3cad25f461e9e9f16a8991e2c7a70a3a59156
  • 08233322eef803317e761c7d380d41fcd1e887d46f99aae5f71a7a590f472205
  • 9d4683a65be134afe71f49dbd798a0a4583fe90cf4b440d81eebcbbfc05ca1cd
  • a89b344ac85bd27e36388ca3a5437d8cda03c8eb171570f0d437a63b803b0b20
