Cyber Security News

APT-C-53 Weaponizing LNK Files To Deploy Malware Into Target Systems

Gamaredon, a persistent threat actor since 2013, targets the government, defense, diplomacy, and media sectors of their victims, primarily through cyberattacks, to gain sensitive information and disrupt operations.

It continues to employ sophisticated tactics, leveraging malicious LNK and XHTML files alongside intricate phishing schemes to carry out cyberattacks.

Phishing emails with four distinct attack payloads aimed to trick users into executing malicious attachments or compressed files, allowing attackers to infiltrate target systems and deploy malware for further nefarious actions.

Attack Flowchart

By using spear-phishing emails with malicious LNK attachments, it targets government and key organizations, which, when executed, abused mshta.exe to remotely download and run malicious code.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Malicious actors use booby-trapped XHTML attachments to download compressed files containing weaponized LNK shortcuts, which exploit mshta.exe to deliver additional malware payloads, with communication facilitated by IP addresses and trycloudflare.com. 

Example of decoded malicious code

Gamaredon APT uses obfuscated HTML emails to deliver LNK files by leveraging mshta.exe or PowerShell to download malicious payloads from trycloudflare.com or fixed IP addresses. 

The downloaded scripts, often PowerShell, communicate with the C2 server, sending system information and potentially executing further commands based on the response. 

It uses two main infection methods: emails with compressed files containing decoy PDFs and malicious HTAs, and compressed files with LNKs that drop PowerShell scripts persisting on registry startup. 

Malicious code example

The entry module initiates two background jobs: one for communication with the C2 server and another for scanning removable disks, which retrieves C2 IP, gathers system information, sends it to the C2 server, and executes received commands, either directly or through a dedicated module.

The “Get C2 Module” attempts to retrieve a command and control server IP through various methods (domain resolution, URL fetching, DNS lookup) and saves it to a hidden file, where the “code execution module” decrypts a hidden payload using the system serial number and executes it in the background. 

Code Execution Module Code Example

Gamaredon Group’s malware scans removable disks, creates shortcuts to execute PowerShell scripts, encodes PowerShell scripts in the registry, and modifies the registry for persistent startup, enabling automatic execution and maintaining persistent infection.

Tracked by 360 Advanced Threat Research Institute, it continues its malicious activities, employing techniques previously seen in past attacks, as the analysis reveals a portion of their ongoing operations, highlighting the persistent threat posed by this APT group.

To enhance email, system, and terminal security, deploy advanced email gateways to filter malicious attachments and phishing emails, implement robust log monitoring and analysis, and ensure all devices have up-to-date antivirus and antimalware software.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Zoom Workplace Apps Vulnerability Enables Malicious Script Injection Through XSS Flaws

A newly disclosed vulnerability in Zoom Workplace Apps (tracked as CVE-2025-27441 and CVE-2025-27442) allows attackers…

1 hour ago

Fortinet Warns of Multiple Vulnerabilities in FortiAnalyzer, FortiManager, & Other Products

Fortinet has revealed and resolved several vulnerabilities within its range of products, such as FortiAnalyzer,…

2 hours ago

Ivanti Released Security Update With The Fixes for Critical Endpoint Manager RCE Vulnerabilities

Ivanti, a prominent enterprise software provider, has issued an urgent security advisory today addressing multiple…

2 hours ago

Over 5,000 Ivanti Connect Secure Devices Exposed to RCE Vulnerabilities

Over 5,000 Ivanti Connect Secure devices remain vulnerable to a critical remote code execution (RCE)…

4 hours ago

CISA Alerts on Actively Exploited CrushFTP Authentication Bypass Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about an actively…

4 hours ago

Over 26,000 Dark Web Discussions Focused on Hacking Financial Organizations

Radware’s comprehensive research into the cybersecurity landscape has uncovered significant trends shaping the financial services…

4 hours ago