Monday, May 5, 2025

New Malicious Macro that Hijacks your Windows Desktop Shortcuts and Points to Download Malware


Cybercriminals are using a malicious macro that changes the target of Windows desktop shortcuts so that they point to malware; when the user clicks the altered shortcut, the malware executes.

In this campaign, the attackers used common tools such as WinRAR and Ammyy Admin to gather information, rather than their own custom tooling.

Security researchers from Trend Micro uncovered the campaign. The malware and the macro are not sophisticated, and the researchers believe that development of the malware is not yet complete.


Malicious Macro Infection Chain

The attack starts with a malicious Word document containing text written in Russian and an image of a house; it instructs the user to enable macros to see the full document.

Once the user enables macros, the macro searches the desktop for shortcut files and replaces them with corresponding shortcuts that point to the malware. It primarily targets shortcuts for Skype, Google Chrome, Mozilla Firefox, Opera, and Internet Explorer.


If the user launches one of these shortcuts from the desktop or the Quick Launch bar, the malware runs instead of the original application.

Once triggered, the malware drops WpmPrvSE.exe into System32 or SysWoW64, depending on the operating system type, and starts a service called WPM Provider Host, which allows applications on the computer to request system information.

Along with WpmPrvSE.exe, it also drops rar.exe, possibly for later use, and then restores the shortcut files to their original state.

Researchers say that “While the malware is working, the malicious service that the malware activated would already be downloading the final payloads. It downloads a RAR archive from Google Drive and GitHub.”

Malware infection chain

The downloaded RAR archive contains a config file, a key, and other tools. The installer runs the certutil command-line program to decode wsvchost[.]key, a file which is actually the well-known remote desktop utility Ammyy Admin.

By installing Ammyy Admin on the user's system and granting full permission to the attacker's ID via the malware, the attacker gains full system access through Ammyy Admin. Trend Micro published a detailed analysis report.
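Detection logic for the chain described above, added here as an example and not part of the article or Trend Micro's report. It flags three behaviours the text mentions: an Office process writing .lnk files on the Desktop or Quick Launch bar, certutil being used to decode a file, and installation of a service named WPM Provider Host backed by WpmPrvSE.exe. The event shape and sample records are constructed, simplified Sysmon-style fields, and the Office process names and the Quick Launch path fragment are assumptions.

```python
import ntpath
from typing import Dict, List
# Constructed sample events with simplified Sysmon-style fields (not real telemetry):
# id 11 = file created/modified, id 1 = process created, id 7045 = service installed.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\Desktop\Google Chrome.lnk"},
    {"id": 11, "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\alice\Desktop\notes.txt"},
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\alice\AppData\Local\Temp\wsvchost.key wsvchost.exe"},
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe", "cmdline": r"certutil -verify C:\certs\srv.cer"},
    {"id": 7045, "service": "WPM Provider Host", "image": r"C:\Windows\SysWOW64\WpmPrvSE.exe"},
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}  # assumed set of Office hosts
SHORTCUT_DIRS = ("\\desktop\\", "\\quick launch\\")        # assumed path fragments

def _image_name(ev: Dict[str, object]) -> str:
    """Lower-cased file name of the acting process image (ntpath handles Windows paths on any OS)."""
    return ntpath.basename(str(ev.get("image", ""))).lower()

def office_writes_shortcut(ev: Dict[str, object]) -> bool:
    """Rule 1: an Office process writes a .lnk file on the Desktop or Quick Launch bar."""
    target = str(ev.get("target", "")).lower()
    return (ev.get("id") == 11 and _image_name(ev) in OFFICE_APPS
            and target.endswith(".lnk") and any(d in target for d in SHORTCUT_DIRS))

def certutil_decodes_file(ev: Dict[str, object]) -> bool:
    """Rule 2: certutil used as a decoder, as the article reports for wsvchost[.]key."""
    tokens = str(ev.get("cmdline", "")).lower().split()
    return (ev.get("id") == 1 and _image_name(ev) == "certutil.exe"
            and any(t in ("-decode", "-decodehex") for t in tokens))

def wpm_service_installed(ev: Dict[str, object]) -> bool:
    """Rule 3: the service name or dropped binary the article reports, under System32/SysWOW64."""
    image = str(ev.get("image", "")).lower()
    return (ev.get("id") == 7045
            and (str(ev.get("service", "")).lower() == "wpm provider host"
                 or (_image_name(ev) == "wpmprvse.exe"
                     and ("\\system32\\" in image or "\\syswow64\\" in image))))

RULES = [office_writes_shortcut, certutil_decodes_file, wpm_service_installed]

def detect(events: List[Dict[str, object]]) -> List[str]:
    """Run every rule over every event; return one '<rule>: <image>' string per hit."""
    return [f"{rule.__name__}: {ev.get('image', '')}"
            for ev in events for rule in RULES if rule(ev)]

if __name__ == "__main__":
    print("\n".join(detect(SAMPLE_EVENTS)))
```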

Microsoft disables macros by default, and it is not recommended to enable macros in documents downloaded from unknown sources. Microsoft also shows a warning when macros are being enabled.


Researchers said the malware is not widely distributed, is still at the proof-of-concept stage, and will have further versions.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.