Tactic or Technique: LNK

Attackers use LNK files, or Windows shortcuts, as a stealthy way to deliver malware. These files often look like regular documents and use familiar names like “Invoice_details.lnk” or “Contract_review.lnk” to get you to open them. But instead of opening a document, they quietly run commands in the background using tools like PowerShell or CMD.
You might receive an LNK file as an email attachment or inside a ZIP archive, sometimes with a password to avoid detection. When you click it, the file can connect to an attacker-controlled server, download more malware, or start stealing data without giving you any clear warning. While email providers typically block LNK files as direct attachments, they can still be delivered via URL file downloads and other techniques like link-based HTML smuggling.
This technique has been used by a range of threat actors, from sophisticated groups to commodity malware campaigns. It’s been part of attacks involving Emotet, Qakbot, and IcedID, and remains a reliable way for attackers to get around defenses that don’t closely inspect shortcut behavior.
Detection Methods (9):
Archive analysis
File analysis
Sender analysis
URL analysis
QR code analysis
YARA
Macro analysis
Content analysis
Exif analysis
Rules (6), listed by rule name with last updated date, author, types/tactics/capabilities, detection methods and link:

QR code to auto-download of a suspicious file type (unsolicited)
  Last Updated: Jul 16th, 2025 UTC
  Author: Sublime Security
  Types, Tactics & Capabilities: Malware/Ransomware, Evasion, LNK, Social engineering
  Detection Methods: Archive analysis, File analysis, Sender analysis, URL analysis, QR code analysis
  Link: /feeds/core/detection-rules/qr-code-to-auto-download-of-a-suspicious-file-type-unsolicited-eed87ea2

Link to auto-download of a suspicious file type (unsolicited)
  Last Updated: Jul 16th, 2025 UTC
  Author: Sublime Security
  Types, Tactics & Capabilities: Malware/Ransomware, Encryption, Evasion, LNK, Social engineering
  Detection Methods: Archive analysis, File analysis, Sender analysis, URL analysis, YARA
  Link: /feeds/core/detection-rules/link-to-auto-download-of-a-suspicious-file-type-unsolicited-67ae2152

Attachment: Archive contains DLL-loading macro
  Last Updated: Dec 28th, 2023 UTC
  Author: Sublime Security
  Types, Tactics & Capabilities: Malware/Ransomware, Exploit, LNK, Macros, Scripting
  Detection Methods: Archive analysis, File analysis, Macro analysis, YARA
  Link: /feeds/core/detection-rules/attachment-archive-contains-dll-loading-macro-3a193f5f

Attachment: Link file with UNC path
  Last Updated: Aug 21st, 2023 UTC
  Author: Sublime Security
  Types, Tactics & Capabilities: Credential Phishing, Evasion, LNK
  Detection Methods: File analysis
  Link: /feeds/core/detection-rules/attachment-link-file-with-unc-path-3b7ee0fb

Attachment: LNK file
  Last Updated: Aug 21st, 2023 UTC
  Author: @ajpc500
  Types, Tactics & Capabilities: Malware/Ransomware, LNK
  Detection Methods: Archive analysis, File analysis
  Link: /feeds/core/detection-rules/attachment-lnk-file-44532abe

Attachment: LNK with embedded content
  Last Updated: Aug 21st, 2023 UTC
  Author: @ajpc500
  Types, Tactics & Capabilities: Malware/Ransomware, Exploit, LNK, Scripting
  Detection Methods: Content analysis, Exif analysis, File analysis
  Link: /feeds/core/detection-rules/attachment-lnk-with-embedded-content-41452f7a