Cybercriminals have revived a classic infection trick. This time, Windows shortcut malware is being used to silently deliver malicious payloads.
A new campaign uncovered by cybersecurity researchers shows attackers are abusing .LNK files—Windows shortcut files—to drop malware. The technique isn’t new, but this operation includes layers of obfuscation that make it harder to detect.
How the Malware Works
Instead of using typical phishing links or macro-laced documents, the attackers hide .LNK files in ZIP archives. When opened, these shortcuts trigger commands that quietly install malware.
Security experts believe the infection chain may deliver backdoors or remote access tools (RATs), giving threat actors persistent control over compromised machines.
The shortcuts look harmless at first glance. But behind the scenes, they call on PowerShell scripts or DLLs hidden within the same archive.
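As an added illustration of how a defender can inspect such archives (this is example code written for this page, not tooling from the article or the researchers it cites), the script below parses the fixed MS-SHLLINK header and StringData of each .LNK inside a ZIP, then flags shortcuts whose target path or arguments name a living-off-the-land binary or a script/DLL packed alongside them. The field names, the LOLBin list and the sample archive are assumptions constructed for the demo.

```python
import io, struct, zipfile

STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))   # MS-SHLLINK StringData order
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80            # LinkFlags bits, header offset 20
LOLBINS = ("powershell", "rundll32", "regsvr32", "mshta", "cmd.exe")
PAYLOAD_EXTS = (".ps1", ".dll", ".bat", ".vbs", ".js", ".exe")

def parse_lnk(data):
    """Return the .LNK StringData fields; launch hints live in relative_path/arguments."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C:
        raise ValueError("not a shell link")
    flags, pos = struct.unpack_from("<I", data, 20)[0], 76
    if flags & HAS_IDLIST:                    # LinkTargetIDList: 2-byte size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                  # LinkInfo: 4-byte size that counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FIELDS:
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0] * width   # CountCharacters -> bytes
            fields[name] = data[pos + 2:pos + 2 + n].decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + n
    return fields

def scan_zip(blob):
    """Flag .LNK members whose target/arguments name a LOLBin or a script/DLL packed beside them."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        payloads = tuple(n.lower() for n in zf.namelist() if n.lower().endswith(PAYLOAD_EXTS))
        for member in zf.namelist():
            if member.lower().endswith(".lnk"):
                text = " ".join(parse_lnk(zf.read(member)).values()).lower()
                hits = sorted({s for s in LOLBINS + payloads if s in text})
                if hits:
                    findings.append((member, hits))
    return findings

def build_sample_zip():   # constructed sample data for the demo, not from the real campaign
    def lnk(rel, args):
        clsid = bytes.fromhex("0114020000000000c000000000000046")        # ShellLink CLSID
        hdr = struct.pack("<I16sI", 0x4C, clsid, 0x08 | 0x20 | IS_UNICODE) + b"\0" * 52
        return hdr + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel, args))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.lnk", lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                           r"-File .\update.ps1"))
        zf.writestr("update.ps1", "# constructed placeholder, no real payload")
        zf.writestr("readme.lnk", lnk(r".\readme.txt", ""))   # benign control: no LOLBin, no packed payload
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` reports only `Invoice.pdf.lnk`, with both the PowerShell reference and the sibling `update.ps1` as reasons; real shortcuts that carry a LinkTargetIDList or LinkInfo block are skipped over correctly by the offset arithmetic before the strings are read.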
Why This Technique Still Works
Despite being old-school, .LNK-based attacks continue to work because many users trust shortcut files. Some security solutions don’t flag them as suspicious unless paired with known malware signatures.
The new campaign uses multiple layers of obfuscation to evade detection. The scripts are encoded and the payloads are compressed, making analysis difficult. In some cases, malware is fetched remotely, only activating after a delay.
Who’s Behind the Attack?
Researchers have not yet linked the campaign to any known hacking group. However, the level of obfuscation suggests advanced attackers are involved. Attribution remains ongoing.
Conclusion
The rise of Windows shortcut malware proves that old techniques still pose real threats when used creatively. Users should avoid opening shortcut files from unknown sources and keep endpoint protection up to date. As cybercriminals continue to evolve their methods, awareness and prevention remain the best defenses.