Global Group ransomware gang running new campaign using Windows shortcut files
Briefly

"When Microsoft patched a vulnerability last summer that allowed threat actors to use Windows' shortcut (.lnk) files in exploits, defenders might have hoped use of this tactic would decline. They were wrong. According to researchers at Forcepoint, a new high-volume phishing campaign spreading the Global Group ransomware has been detected that hopes to sucker employees into clicking on an attachment in an email with the subject line 'Your document.'"
"Worries about a .lnk vulnerability go back to March 2025, when Trend Micro reported thousands of malicious .lnk files containing hidden command line arguments being used in campaigns dating back to 2017. Mitja Kolsek of 0Patch reported that this particular hole (CVE-2025-9491) was quietly plugged last summer. However, McElligott doesn't believe this vulnerability is being used in the latest Global Group campaign, because the target isn't hidden in the .lnk shortcut file properties."
A high-volume phishing campaign is using weaponized .lnk shortcut attachments with the subject line 'Your document' to trick employees into opening malicious files. The .lnk files use social engineering, stealthy execution, and Living-off-the-Land techniques to silently retrieve and launch a second-stage payload. A similar campaign recently distributed the Aware ransomware strain. Both campaigns have leveraged the Phorpiex (Trik) botnet. Thousands of malicious .lnk files with hidden command-line arguments have been observed since 2017, and CVE-2025-9491 was patched last summer, though the latest campaign does not appear to rely on that vulnerability. Global Group emerged as a RaaS in June 2025 and is believed to be a rebranding of BlackLock and Mamona.
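As an added illustration of the "hidden command-line arguments" mentioned above (this is not code from the article, Forcepoint or Trend Micro), the following Python parser walks the Shell Link StringData section of a .lnk file to recover the shortcut's real arguments, which is the field a defender wants to inspect rather than trusting what Explorer's Properties box shows. The whitespace-padding heuristic, the 64-character threshold and the `build_lnk` sample shortcut are assumptions constructed for the demonstration.

```python
import struct

# LinkFlags bits from the Shell Link binary file format (MS-SHLLINK)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]
PAD = " \t\n\v\f\r"  # whitespace that pushes the real command out of the Target box

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file (assumes a well-formed header)."""
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C  # fixed ShellLinkHeader size
    if flags & HAS_ID_LIST:    # skip LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        out[field] = data[pos:pos + width * count].decode(
            "utf-16-le" if width == 2 else "cp1252", "replace")
        pos += width * count
    return out

def suspicious_arguments(args: str, max_pad: int = 64) -> bool:
    """Flag a long whitespace run or control characters hiding the real arguments (heuristic)."""
    run = longest = 0
    for ch in args:
        run = run + 1 if ch in PAD else 0
        longest = max(longest, run)
    return longest >= max_pad or any(ch in "\t\n\v\f\r" for ch in args)

def build_lnk(arguments: str, relative_path: str = "cmd.exe") -> bytes:
    """Constructed minimal .lnk (header + StringData only) to exercise the parser."""
    clsid = b"\x01\x14\x02\x00" + b"\x00" * 4 + b"\xc0" + b"\x00" * 6 + b"\x46"
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments)
```

Run `parse_lnk_strings` over a quarantined attachment and pass its `arguments` field to `suspicious_arguments`; a shortcut whose real arguments are hundreds of spaces away from the visible target is worth a closer look regardless of what its icon or filename suggests.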
Read at Computerworld