Sunday, August 31, 2025

Malicious Shortcut Files Linked with Deceptive PDFs in Global Espionage Campaign | Arabian Post

A sophisticated cyber‑espionage operation is using Windows shortcut files, delivered alongside seemingly genuine PDF newsletters, to infiltrate institutions across Asia and the Middle East. The campaign has been attributed to APT‑37, a North Korean‑linked group known for precision targeting.

Threat actors send archives containing a PDF titled “National Intelligence Research Society Newsletter” together with a malicious companion: an LNK file that borrows the PDF’s name. When opened, the shortcut does not display the document; it launches a hidden PowerShell script. This script extracts and executes malicious binaries directly in memory, leaving little on disk for traditional antivirus defences to scan. The campaign spans targets in South Korea, Japan, Vietnam, India, China, Russia, and the Middle East.

Telemetry gathered by Palo Alto Networks shows a sharp rise in LNK‑based malware: from approximately 21,098 unique malicious samples in 2023 to 68,392 in 2024. Analysts reviewed 30,000 of the most recent specimens and grouped them into four distinct attack vectors: exploit execution, malicious-file execution, in‑argument scripts, and overlay execution.

These Windows shortcut files are deceptively convincing. Explorer never shows the .lnk extension, even when other file extensions are displayed, and threat actors assign icons and filenames that imitate trusted PDFs or documents, so a shortcut named after a newsletter looks like the newsletter itself and unsuspecting users click on it.

Detailed analysis of the LNK format shows how these files facilitate stealthy execution. Malicious LNKs often embed commands directly in the COMMANDLINEARGUMENTS field (COMMAND_LINE_ARGUMENTS in the MS-SHLLINK specification), invoke system tools such as PowerShell, cmd.exe, mshta.exe, or conhost.exe, and can also carry overlay content: extra data appended after the end of the shell-link structure, which tools that parse only the documented fields never inspect and which the shortcut's own command line can read back and execute.

What raises further concern is the campaign's use of mainstream cloud services as covert command‑and‑control channels. Instead of connecting to obscure or suspicious servers, the malware communicates through legitimate platforms such as Dropbox, pCloud, and Yandex Disk. C2 traffic and exfiltration blend in with normal cloud usage, complicating detection efforts.

This layered strategy reflects growing sophistication: deceptive file naming, file‑less execution with memory‑only payloads, and benign‑looking network traffic. The breadth of targets, from academic and research institutions to government and defence organisations, points to a global intelligence‑gathering goal.

Mitigation must begin with awareness. Users and administrators should be wary of any shortcut masquerading as a document, especially one delivered by email or inside an archive. Right‑clicking such a file and examining the ‘Target’ field in its properties can reveal unusual command‑line arguments or executable paths, but that field shows only the first 260 characters, and attackers pad the command with whitespace to push the payload out of view, so a suspect file should be read with a parser rather than trusted to the dialog. Security solutions should be configured to inspect LNK attachments, quarantine suspicious archive contents, and log file creations, especially shortcuts that invoke PowerShell or similar system utilities.
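The format details described earlier (the COMMANDLINEARGUMENTS string, the system tool named as the target, and overlay data past the end of the structure) are exactly what an automated version of the right-click ‘Target’ check needs to read. The parser and triage pass below is an added example written for this page, not code from the article, from Palo Alto Networks, or from any vendor. It follows the MS-SHLLINK layout and analyses a shortcut it constructs itself in build_sample_lnk(): the stager-style PowerShell argument, the borrowed Acrobat icon path and the overlay are all constructed for illustration, not campaign artefacts, and the LOLBIN list, argument patterns and cloud-host keywords are assumptions chosen to match the behaviours the article describes.

```python
"""
Minimal MS-SHLLINK (.lnk) parser plus a triage pass over the fields an analyst
checks first: the program the shortcut launches, its COMMAND_LINE_ARGUMENTS,
the icon used for disguise, and any overlay appended after the ExtraData
terminal block. Added example; the shortcut it analyses is constructed below.
"""
import re
import struct

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7

# Assumed triage heuristics (not from the article): living-off-the-land binaries,
# hidden-window / in-memory PowerShell switches, and cloud hosts used as C2.
LOLBINS = ("powershell", "pwsh", "cmd", "mshta", "conhost", "wscript", "cscript",
           "rundll32", "regsvr32", "certutil")
SUSPICIOUS_ARGS = re.compile(
    r"-enc\w*|-w(indowstyle)?\s+hidden|-nop\b|\biex\b|invoke-expression|"
    r"frombase64string|readallbytes|downloadstring", re.IGNORECASE)
CLOUD_HOSTS = re.compile(r"dropbox|pcloud|yandex", re.IGNORECASE)

# ---- constructed sample: a shortcut posing as a PDF that re-reads its own overlay ----
SAMPLE_OVERLAY = (b"# constructed second stage; a real one would fetch the next payload\n"
                  b"$u = 'https://content.dropboxapi.com/2/files/download'\n")
SAMPLE_TARGET = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ICON = r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"  # borrowed PDF icon


def _string_data(s: str, unicode: bool) -> bytes:
    """StringData item: 2-byte character count followed by the unterminated string."""
    return struct.pack("<H", len(s)) + (s.encode("utf-16-le") if unicode else s.encode("cp1252"))


def _env_block(target: str) -> bytes:
    """EnvironmentVariableDataBlock: size 0x314, signature 0xA0000001, ANSI + Unicode target."""
    return (struct.pack("<II", 0x314, 0xA0000001)
            + target.encode("cp1252").ljust(260, b"\0")
            + target.encode("utf-16-le").ljust(520, b"\0"))


def build_sample_lnk(overlay: bytes = SAMPLE_OVERLAY) -> bytes:
    """Build the constructed malicious-looking shortcut (header, StringData, ExtraData, overlay)."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID
              + struct.pack("<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0,
                            SW_SHOWMINNOACTIVE, 0, 0, 0, 0))
    # Stager-style argument: read this .lnk back from disk and run its last len(overlay) bytes.
    args = ('-w hidden -nop -c "$b=[IO.File]::ReadAllBytes((Get-ChildItem *.lnk)[0].FullName);'
            f'IEX([Text.Encoding]::ASCII.GetString($b[($b.Length-{len(overlay)})..($b.Length-1)]))"')
    strings = (_string_data(SAMPLE_TARGET, True) + _string_data(r"C:\Windows\System32", True)
               + _string_data(args, True) + _string_data(SAMPLE_ICON, True))
    extra = _env_block(r"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe") + struct.pack("<I", 0)
    return header + strings + extra + overlay


def parse_lnk(data: bytes) -> dict:
    """Walk the Shell Link structure and return its string fields plus any trailing overlay."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:                       # LinkTargetIDList: 2-byte size, then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                     # LinkInfo: 4-byte size covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags, "show_command": show_cmd}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                      ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                      ("icon_location", HAS_ICON)):
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if unicode else count
        fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252", "replace")
        pos += nbytes
    # ExtraData: (BlockSize, BlockSignature, ...) blocks until a BlockSize below 4 ends the list
    while pos + 4 <= len(data):
        size, = struct.unpack_from("<I", data, pos)
        pos += 4 if size < 4 else size
        if size < 4:
            break
    fields["overlay"] = data[pos:]               # anything past the terminal block is overlay
    return fields


def triage_lnk(info: dict) -> list[str]:
    """Findings that justify pulling the shortcut for full analysis."""
    findings = []
    launch = " ".join(info.get(k, "") for k in ("relative_path", "arguments")).lower()
    hits = [b for b in LOLBINS if re.search(rf"\b{b}(\.exe)?\b", launch)]
    if hits:
        findings.append("launches " + ", ".join(hits))
    icon = info.get("icon_location", "")
    if hits and icon and not any(b in icon.lower() for b in hits):
        findings.append(f"icon borrowed from {icon}")      # the PDF/document disguise
    if SUSPICIOUS_ARGS.search(info.get("arguments", "")):
        findings.append("hidden-window / in-memory execution arguments")
    if info.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("window opens minimised")
    if info["overlay"]:
        findings.append(f"{len(info['overlay'])} bytes of overlay after the terminal block")
    if CLOUD_HOSTS.search(info.get("arguments", "") + info["overlay"].decode("latin-1")):
        findings.append("references a cloud storage host")
    return findings


if __name__ == "__main__":
    sample = parse_lnk(build_sample_lnk())
    for key in ("relative_path", "arguments", "icon_location"):
        print(f"{key}: {sample[key]}")
    for finding in triage_lnk(sample):
        print("-", finding)
```

Run parse_lnk on the bytes of a suspect file and review the findings before anyone double-clicks it. The relative path is only one of the places a shortcut names its target; the LinkTargetIDList and LinkInfo structures are skipped here rather than decoded, so a production tool should decode those as well. The overlay check is the one that matters most: bytes after the terminal block have no role in the documented format, and a shortcut whose command line reads its own file, as the constructed sample does, is the pattern the article describes.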

Defenders should monitor for behaviours such as hidden PowerShell activity spawned from Explorer, in-memory payload deployment, and C2 patterns that route through cloud storage. Network policies might restrict or log unexpected use of cloud storage platforms so that command-and-control traffic hiding among them stands out.
