Malicious Shortcut Files Return as Effective Tool for Delivering Backdoors


A new wave of attacks is targeting Windows users with deceptive shortcut files designed to deliver the REMCOS backdoor and similar malware, according to researchers from Point Wild’s LAT61 Threat Intelligence Team. These .lnk files, disguised as harmless documents or folders, silently execute commands when opened, giving attackers remote access to infected systems.

The latest campaign revives a long-standing tactic: embedding malicious instructions into Windows shortcut files. While these files are used to provide quick access to programs or documents, attackers modify them to launch hidden commands using legitimate system tools such as PowerShell, cmd, or rundll32.exe. Because Windows hides known file extensions by default, a file named Invoice.pdf.lnk might appear simply as Invoice.pdf, increasing the chance of user interaction.

Once executed, the file can deploy REMCOS, a known remote access tool capable of capturing keystrokes, recording from webcams and microphones, taking screenshots, and exfiltrating files. The malware can also escalate privileges and execute arbitrary code, allowing full control over the target system.

What makes this technique particularly difficult to detect is that these .lnk files do not trigger security warnings, unlike malicious Office documents that rely on macros. The embedded commands can also be heavily obfuscated and often leverage trusted Windows utilities to load malware directly into memory, leaving no trace on disk.
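The tells described above (a shortcut whose real target is PowerShell, cmd or rundll32, a long obfuscated argument string, a document-looking double extension, and a window setting that keeps the console out of sight) can all be read straight out of the shortcut's binary structure. The following Python triage script is an added example for this article, not code from Point Wild or the LAT61 team. It parses the public MS-SHLLINK layout (header, LinkTargetIDList, LinkInfo and StringData), then applies a handful of defender heuristics; the heuristic lists, the `build_sample_lnk` helper and the sample shortcuts it produces are assumptions constructed for the demonstration, not captures from the campaign.

```python
"""Triage Windows .lnk (Shell Link) files for common backdoor-delivery tells.

Added example: parses the MS-SHLLINK format far enough to recover the target
path, command-line arguments and ShowCommand, then scores them. The heuristic
lists below are assumptions for this demo; tune them for your environment.
"""
import struct
from pathlib import PureWindowsPath

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # launches minimised, so the user never sees a console

# Heuristic lists (assumptions; extend as needed)
SHELL_HOSTS = {"powershell.exe", "cmd.exe", "rundll32.exe"}
ARG_INDICATORS = ("-enc", "hidden", "bypass", "iex", "downloadstring", "frombase64string")
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def is_lnk(blob):
    """Cheap header check: HeaderSize 0x4C followed by the Shell Link CLSID."""
    return len(blob) >= 0x4C and blob[:4] == b"\x4c\x00\x00\x00" and blob[4:20] == LNK_CLSID


def _string_data(blob, off, unicode_):
    """Read one StringData field: 2-byte char count, then the characters (no NUL)."""
    (count,) = struct.unpack_from("<H", blob, off)
    off += 2
    if unicode_:
        return blob[off:off + count * 2].decode("utf-16-le"), off + count * 2
    return blob[off:off + count].decode("latin-1"), off + count


def parse_lnk(blob):
    """Return the fields useful for triage; raise ValueError on non-.lnk input."""
    if not is_lnk(blob):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    show_cmd = struct.unpack_from("<I", blob, 60)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:  # skip the IDList wholesale (size-prefixed)
        off += 2 + struct.unpack_from("<H", blob, off)[0]
    local_base = ""
    if flags & HAS_LINK_INFO:
        size, _hdr_size, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", blob, off)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            start = off + base_off
            local_base = blob[start:blob.index(b"\x00", start)].decode("latin-1")
        off += size
    fields = {"local_base_path": local_base, "show_command": show_cmd}
    unicode_ = bool(flags & IS_UNICODE)
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        fields[key] = ""
        if flags & bit:  # StringData fields appear in exactly this order
            fields[key], off = _string_data(blob, off, unicode_)
    return fields


def triage(filename, blob):
    """Return human-readable findings; an empty list means nothing tripped."""
    f = parse_lnk(blob)
    findings = []
    exe = PureWindowsPath(f["local_base_path"] or f["relative_path"]).name.lower()
    if exe in SHELL_HOSTS:
        findings.append(f"target is a command/script host: {exe}")
    args = f["arguments"].lower()
    hits = [tok for tok in ARG_INDICATORS if tok in args]
    if hits:
        findings.append(f"suspicious argument tokens: {hits}")
    stem = PureWindowsPath(filename).stem  # strips the trailing .lnk
    if PureWindowsPath(stem).suffix.lower() in DOC_EXTS:
        findings.append(f"double-extension masquerade: {filename}")
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window hidden from the user)")
    return findings


def build_sample_lnk(target, arguments, show_cmd=1, description=""):
    """Constructed test input (not a real capture): a minimal, format-conformant .lnk
    with a dummy IDList, a LinkInfo carrying LocalBasePath, StringData and a terminal block."""
    flags = HAS_ID_LIST | HAS_LINK_INFO | HAS_ARGS | IS_UNICODE | (HAS_NAME if description else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    id_list = struct.pack("<H", 5) + b"\x03\x00\x1f" + b"\x00\x00"  # one ItemID + TerminalID
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"     # DRIVE_FIXED, empty label
    base = target.encode("ascii") + b"\x00"
    vol_off, base_off = 0x1C, 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    body = (sd(description) if description else b"") + sd(arguments)
    return header + id_list + link_info + body + b"\x00\x00\x00\x00"


if __name__ == "__main__":
    sample = build_sample_lnk(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                              "-NoP -W Hidden -Enc PAYLOAD_PLACEHOLDER_BASE64",
                              show_cmd=SW_SHOWMINNOACTIVE)
    for line in triage("Invoice.pdf.lnk", sample):
        print(" -", line)
```

Because the parser reads the full COMMAND_LINE_ARGUMENTS field rather than the truncated text shown in the Explorer properties dialog, it surfaces the long argument strings that visual inspection misses; point `triage` at every `*.lnk` extracted from mail attachments or archives before a user ever double-clicks one.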

Researchers note that phishing emails remain the most common method of distribution. Malicious .lnk files are often hidden inside ZIP or RAR archives, disguised as invoices or other common business documents. They have also been found on compromised websites, in pirated software packages, and even placed on shared network drives to infect additional users.

Point Wild’s analysis traced some of the activity to infrastructure in Romania and the United States. One IP address, tied to a Romanian ISP, resolved to a domain mimicking shipping services. Another U.S.-based IP was linked to a separate domain used in the campaign.

Security professionals are advised to be especially cautious with .lnk files received via email or downloaded from untrusted sources. Even visually inspecting file properties may not reveal malicious behavior, as attackers often hide complex commands.

Ongoing vigilance remains critical as these file-based attacks continue to evolve in sophistication and scale.