Thursday, April 10, 2025

Hackers Weaponizing LNK Files To Create Scheduled Task And Deliver Malware Payload


TA397, also known as Bitter, targeted a Turkish defense organization with a spearphishing email carrying a RAR archive. The archive contained a decoy PDF, a malicious LNK file disguised as a PDF, and an alternate data stream (ADS) file containing PowerShell code.

This technique, common for TA397, uses NTFS alternate data streams to establish persistence and to deploy further malware such as WmRAT and the newly identified MiyaRAT.

The lure is themed around public investment projects, consistent with TA397’s targeted approach.

TA397 infection chain

The spearphishing email carried a malicious RAR archive containing a decoy PDF and a malicious LNK file. Opening the LNK executed a PowerShell script hidden in the PDF’s alternate data stream, which established a persistent backdoor.


The backdoor sent system information to a C2 server, enabling TA397 to deploy additional payloads, including WmRAT and MiyaRAT, remote access trojans that give the attackers extensive control over the compromised system.
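The chain described above (LNK launching hidden PowerShell, PowerShell reading an alternate data stream, a scheduled task created for persistence) leaves a recognisable trace in process-creation telemetry. The following detection logic is an added example and not code from the article or from Proofpoint; the event records are constructed samples in the shape of Sysmon event ID 1 fields (Image, ParentImage, CommandLine), and the file names, paths and task name in them are invented for illustration.

```python
import re
from typing import Dict, List, Tuple

# Reference to an NTFS alternate data stream inside a command line:
# "<name>.<ext>:<stream>" where the colon follows a file extension, so a
# drive-letter colon ("C:\") or a URL port ("host.com:443/") does not match.
ADS_REF = re.compile(r'''\.[A-Za-z0-9]{1,5}:[A-Za-z0-9_.$:-]+(?=["'\s]|$)''')
# PowerShell started with a hidden window (-w hidden / -WindowStyle Hidden).
HIDDEN_WINDOW = re.compile(r'-w(?:indowstyle)?\s+h(?:idden)?\b', re.IGNORECASE)

POWERSHELL = {"powershell.exe", "pwsh.exe"}

def image_name(path: str) -> str:
    """Lower-cased file name of an image path, e.g. 'C:\\...\\Explorer.EXE' -> 'explorer.exe'."""
    return path.lower().rsplit("\\", 1)[-1]

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules a single process-creation event triggers."""
    image = image_name(ev["Image"])
    parent = image_name(ev["ParentImage"])
    cmd = ev["CommandLine"]
    hits: List[str] = []
    # Stage 1: a PowerShell command line that reads an alternate data stream.
    if image in POWERSHELL and ADS_REF.search(cmd):
        hits.append("powershell_reads_ads")
    # A hidden PowerShell window spawned by explorer.exe is what a double-clicked
    # LNK that runs PowerShell looks like in process telemetry.
    if image in POWERSHELL and parent == "explorer.exe" and HIDDEN_WINDOW.search(cmd):
        hits.append("hidden_powershell_from_explorer")
    # Stage 2: persistence through a scheduled task created from PowerShell.
    if image == "schtasks.exe" and "/create" in cmd.lower() and parent in POWERSHELL:
        hits.append("scheduled_task_from_powershell")
    return hits

def analyze(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every rule over every event; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]

# Constructed sample telemetry (hypothetical paths, user and task name).
SAMPLE_EVENTS = [
    {   # LNK disguised as a PDF runs hidden PowerShell that reads the decoy PDF's ADS
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "powershell.exe -w hidden -NoP -c \"Get-Content 'C:\\Users\\u\\Downloads\\Notice.pdf:ads'\"",
    },
    {   # the script registers a scheduled task for persistence
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "schtasks.exe /create /sc minute /mo 17 /tn \"WindowsUpdate\" /tr \"C:\\Users\\u\\AppData\\Local\\update.exe\"",
    },
    {   # benign: user opens a text file
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "notepad.exe C:\\Users\\u\\Documents\\notes.txt",
    },
    {   # benign: an admin's interactive PowerShell fetching a URL that carries a port
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "powershell.exe -c \"Invoke-WebRequest https://intranet.example.com:8443/status\"",
    },
]

if __name__ == "__main__":
    for idx, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule on its own is noisy in a large estate; the useful signal is the sequence, a hidden PowerShell from explorer.exe reading a stream and then a schtasks.exe child of that PowerShell within a short window, which is why the function returns the event index so the hits can be correlated by parent/child relationship and time.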

Decoded PowerShell command.

WmRAT is a C++-based remote access trojan (RAT) that uses socket communication to carry out its operations: it stealthily gathers system information, exfiltrates files, captures screenshots, and acquires geolocation data.

It can also enumerate directories and files and execute arbitrary commands through cmd or PowerShell, and it employs obfuscation techniques such as junk threads and a simple decryption algorithm to hinder analysis.

By maintaining a persistent connection to a hardcoded C2 server, it receives and executes commands, giving the operators full control of the infected system.

Malware gathering basic disk information.

MiyaRAT, a C++-based malware, begins by decrypting its hardcoded C2 server domain, “samsnewlooker[.]com,” using a simple substitution cipher and then establishes a socket connection to this C2 server on port 56189. 

After initialization, MiyaRAT collects basic system information such as disk space, user information, OS version, and malware version, which is encrypted using a simple XOR cipher before being sent to the C2 server. 

The C2 server can then issue commands to MiyaRAT, including file operations, launching reverse shells, capturing screenshots, and others.
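The article says MiyaRAT's first beacon (disk space, user, OS version, malware version) is protected only with a simple XOR cipher. When a sample of that traffic is captured, a repeating XOR key can be recovered from a field whose value is predictable, after which the whole message can be read. The code below is an added example, not MiyaRAT's code or anything from the article: the field order, the pipe separator, the key and the beacon contents are constructed, and the assumption that the beacon starts with the OS string is an assumption made for the example.

```python
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_xor_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Recover a repeating XOR key from a beacon whose leading bytes are known.

    XORing the known plaintext with the matching ciphertext bytes yields the
    keystream; the key is the shortest repeating unit of that keystream. The
    known prefix must be longer than the key so the period is confirmed at
    least once, otherwise the function refuses to guess.
    """
    if len(known_plaintext) > len(ciphertext):
        raise ValueError("known plaintext longer than ciphertext")
    keystream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for period in range(1, len(keystream)):
        if all(keystream[i] == keystream[i % period] for i in range(len(keystream))):
            return keystream[:period]
    raise ValueError("known plaintext too short to establish the key period")

def decrypt_beacon(ciphertext: bytes, known_plaintext: bytes) -> dict:
    """Recover the key, decrypt, and split the (assumed) pipe-separated fields."""
    key = recover_xor_key(ciphertext, known_plaintext)
    fields = xor_bytes(ciphertext, key).decode("ascii").split("|")
    names = ["os_version", "hostname", "user", "disk", "malware_version"]
    return {"key": key.hex(), **dict(zip(names, fields))}

# Constructed sample: key, layout and contents are invented for this example;
# the article only states that the check-in data is XOR-encrypted.
SAMPLE_KEY = bytes.fromhex("5ac31788")
SAMPLE_PLAINTEXT = b"Microsoft Windows 10 Pro|DESKTOP-01|user|C: 118 GB free|v1.0"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)  # stands in for a captured beacon
KNOWN_PREFIX = b"Microsoft Windows"  # assumed: the OS string is always sent first

if __name__ == "__main__":
    print(decrypt_beacon(SAMPLE_CIPHERTEXT, KNOWN_PREFIX))
```

Because the keystream is derived purely from the known prefix, a wrong guess about the first field produces garbage rather than a plausible key, so a decrypted result that does not split into the expected fields is itself a signal that the prefix assumption is wrong.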

Socket creation with hardcoded port 56189.

According to Proofpoint, TA397 used a multi-domain infrastructure to deploy WmRAT and MiyaRAT: the staging domain jacknwoods[.]com, hosted on a multi-tenanted IP, distributed the malware.

Once deployed, the malware communicated with the C2 domains academymusica[.]com and samsnewlooker[.]com, likely attacker-controlled infrastructure, to receive further instructions. This setup aligns with previous TA397 campaigns and shows the group’s preference for multi-domain approaches to evade detection and maintain persistence.

The campaigns use RAR archives to deliver the WmRAT and MiyaRAT payloads, indicative of the group’s evolving tactics. The attacks target defense organizations in EMEA and APAC, with activity concentrated in UTC+5:30 working hours.

The use of scheduled tasks and of infrastructure similar to past campaigns, together with the geographic and temporal patterns, strongly suggests that a South Asian state actor is behind these operations, aiming to collect sensitive information for intelligence purposes.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
