Saturday, May 31, 2025
HomeCyber Security NewsHackers Switching from Weaponized Office Documents to CHM & LNK Files

Hackers Switching from Weaponized Office Documents to CHM & LNK Files

Published on

SIEM as a Service

Follow Us on Google News

Malware distribution methods have changed significantly in the cyber threat landscape. Data analysis shows that Microsoft Office document files are no longer the preferred medium for delivering malware. 

Cybercriminals are using more complex and elusive methods, such as alternative file formats and evasive techniques, reads the ASEC report.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

- Advertisement - Google News

The New Trend

MS Office document files have been used for a long time to spread malware, from simple information stealers to sophisticated APT attacks. 

However, there is a clear change in how malware is delivered, affecting the role of MS Office products in this scenario.

In the past, attackers used macros in Word and Excel documents to download more malware from malicious URLs. 

However, this method has changed to using compressed executables in formats like ZIP, R00, GZ, and RAR or disk image files like IMG as email attachments. 

This means that fewer Word and Excel files contain malware through hidden Office VBA macro code or Excel 4.0 (XLM) macros.

1-1. CHM (Windows Help Files)

There was a big increase in the use of Windows Help files (*.chm) to distribute malware in the second quarter of 2022. 

This happened at the same time as the decrease in the use of Word and Excel files for malware distribution. 

This shows that attackers are using different file formats that are not part of the MS Office suite to target users. 

These CHM files often have catchy names, such as ‘COVID-19 Positive Test Results Notice,’ to attract users’ attention.

1-2. LNK (Shortcut Files)

In the second quarter of 2022, the notorious Emotet malware also changed its distribution method from MS Office products to LNK files

Emotet had previously used VBA macro codes and Excel 4.0 (XLM) macros to spread malware, so this change is important for anti-malware solutions. 

The background of these attacks suggests that the same attacker switched from MS Office to LNK files, following a similar pattern as the malicious CHM distribution process.

The change from using Word and Excel files to deliver malware has two benefits for cybercriminals. 

It makes it harder to detect malware in document editing programs by static analysis, and it also makes it harder to identify the malware itself. 

Attackers are using normal Windows processes and running malware without creating any files when they load malicious data, which makes it more difficult for security measures.

MS Office files are less used for distributing malware due to Microsoft’s announcement in early to mid-2021 about disabling Excel macros by default.

As a result, attackers have looked for new ways to avoid detection by anti-malware products.

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra...

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages...

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated...

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra...

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages...

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated...