Phishing Attack Uses LNK Files in ZIPs to Drop Malware

Cyber Security News by CyberSum.net

Published on October 2, 2025 at 03:00 PM

2 sources

A new phishing campaign is using ZIP archives disguised as sensitive documents like passports and payment files to deliver malware. Inside the archives are malicious Windows shortcut (.lnk) files that, when clicked, execute a hidden PowerShell script. This script downloads a malicious DLL, cleverly mislabeled as a presentation file, from a remote server. The attack employs a "living-off-the-land" technique by using the legitimate Windows tool `rundll32.exe` to run the malware, helping it evade detection. The malware also checks for common antivirus programs to deploy a stealthier variant if needed before establishing a command-and-control connection.

Also Read

Cybercrime Group UAT-8099 Targets IIS Servers

A cybercrime group identified as UAT-8099 is compromising Internet Information Services (IIS) servers in several regions to manipulate search results and steal sensitive data. The attackers use custom malware like BadIIS to gain and maintain persistent access, often going undetected for long periods. Their objectives include both financial gain from search engine optimization manipulation and espionage through the theft of credentials and certificates. The group also takes steps to secure its access, preventing other threat actors from taking over the compromised servers. Security teams should audit IIS environments for unauthorized web shells, suspicious remote access, and other indicators of compromise.

By Cyber Security News by CyberSum.netOctober 3, 2025 at 03:00 PM