Cybercriminals are increasingly using malicious LNK files as a way to gain initial access and download payloads such as Bumblebee, IcedID, and Qakbot.

These malicious shortcut files are used to evade security solutions and infect victims’ computers with malware.

A recent study by Cisco Talos has revealed that it is possible to identify relationships between different threat actors by analyzing the metadata of these malicious LNK files.

This information includes the specific tools and techniques used by different groups of cybercriminals, as well as potential links between seemingly unrelated attacks.

The use of LNK files in attack chains has prompted threat actors to develop and use tools to create such files, such as mLNK Builder and Quantum Builder, that allows actors to generate rogue shortcut files and evade security solutions.

Some of the major malware families that have used LNK files for initial access include Bumblebee, IcedID, and Qakbot.


Talos security researchers have identified connections between Bumblebee and IcedID, as well as Bumblebee and Qakbot, by examining the artifacts’ metadata.

Specifically, multiple samples of LNK files leading to IcedID and Qakbot infections, and those that were used in different Bumblebee campaigns, have all been found to share the same drive serial number.


LNK files have also been employed by advanced persistent threat (APT) groups such as Gamaredon (also known as Armageddon) in their attacks aimed at Ukrainian government entities.

The spike in campaigns using malicious shortcuts is seen as a reaction to Microsoft’s decision to disable macros by default in Office documents downloaded from the Internet. This has prompted threat actors to use alternative attachment types and delivery mechanisms to distribute malware.

Of course, LNK files are only the initial access vehicle: recent analyses from Talos and Trustwave have disclosed how APT actors are weaponizing Excel add-in (XLL) files and Publisher macros to drop remote access trojans on compromised machines.


Additionally, the same threat actors have been observed taking advantage of rogue Google Ads and search engine optimization (SEO) poisoning to push off-the-shelf malware like BATLOADER, IcedID,Rhadamanthys Stealer and Vidar to victims searching for legitimate software. BATLOADER, according to a report by Trend Micro, is malware capable of installing additional malicious tools, including Cobalt Strike, Qakbot, Raccoon Stealer, RedLine Stealer, SmokeLoader and ZLoader.

Indicators of Compromise


  • 8fda14f91e27afec5c1b1f71d708775c9b6e2af31e8331bbf26751bc0583dc7e

  • 2f9da7145056a4217552a5a536ceb8365e853fbd04d28ae2d494afb20e9c021f

  • 52458b4aaddbcb04048be963ea7d669c2ff7a69642d027f88812a5c6c1ade955

  • 6a980d7659efb8bfb997dec3259d6eb090d4e6a4609e4c0666e04ad612151d71

  • 67bbffb2ff5f724a201445f26018cb09fbf0588689f98f90fd82082aae7c6eec

  • da2a0d9a6b5dd2123c4c2cbd55d81fd22ab72bf7ceb1489a5a770e10bcf67137

  • 54681cbb4c61dd4fe03341cfd8d2b796366a0372b53dd3e1d52c9e6ff98692d1

  • a7f31c98147d98ac08f4b8afe7faa2f2b4aab821655717f4bde519fcd87300ac

  • c5c0daaa26815bb6528332dd4f56f7eb72db4456d5a84b8bc69239c45079a1c4

  • efdb91497fe213e8f696065c2fe81f64cbaa219da16e2b3f8e1e146d098652b5

  • c9dfafd3536977289b4bfda1369fbd113a778cf06ac0c01cdc8e00e1c300e774

  • e818b0115a9a877a9517c99b16e5a2df9cf7c5eb1fb249d9153b68e8fa94e60b

  • 7ba3eaee591cc73ab85aeb09d8c02b1e569b9dcaffcbc7c4473f504f939697d2


  • 7f66f4411983001d29236c5d3fb4ff26f01b5742badca1db8d49264c01ba506c

  • 1b2ed05f488f8439688a02cc6ef84f939d16169117b489219b688a3ea482e5ed

  • 6ce64dedbe81c36aef38fd2d567f6ab9737df708591dc2f0cafa56db26a1d043

  • 1e0b92485e09ac970ae38214fb5c7407f73027ada47ea697017e49cacb576908


  • 9c7e01c2c39dadc020a0cf8dc74b62e6453b56413f09705b4ad4d391981f5a3f

  • 2738ee3f181994cca5d9ea19359b8142981583d17563934ab3212eefe13af3ff


  • 3cca8d1b4cfe0ebcf105621700454d0285ef1b44dfed3e3abf70060bb62aa5b4

  • e89cd1999517b47805106111e14de4a03669cac30adb3b3304655febce25955f


  • 6161c01fd590c98c6dee4e510ba9be4f574c9cc5c89283dbff6bb79cd9383d70