
Credential-themed ZIP Archives Deliver DLL Implants via Windows Shortcuts

1 unique source, 1 article

Summary


A campaign delivers DLL implants using Windows shortcut (.lnk) files embedded in ZIP archives. The ZIP files contain credential-themed lures, such as passport scans and payment records. When a user clicks on the shortcut, it triggers a minimized and obfuscated PowerShell script that downloads a malicious payload. The attack targets management vertical users, focusing on executive workflows like identity verification and payment approval. The campaign uses several evasion tactics to avoid detection, including obfuscation, byte array commands, and antivirus process checks. The PowerShell script runs quietly, suppressing visible windows and progress messages. It downloads DLLs disguised as .ppt files and invokes them using rundll32.exe, blending the malicious activity with normal system behavior. This approach helps the implant remain undetected and provides a quiet foothold on the machine.
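As an added detection example (not code from the original report or any vendor tooling), the following Python script runs two checks over constructed Sysmon-style process-creation events that mirror the chain described above: a shortcut launched from Explorer spawning PowerShell with window-hiding or non-interactive switches, and rundll32.exe loading a module that is not a .dll from a user profile path. The PowerShell switch names it matches, the sample paths and file names, and the benign control events are assumptions made for the example; the export name JMB is taken from the report.

```python
"""Detection logic for the .lnk -> PowerShell -> rundll32 chain (added example).

Runs over constructed Sysmon-style process-creation events and flags:
  1. explorer.exe (the usual .lnk launcher) spawning PowerShell with
     window-hiding or non-interactive switches;
  2. rundll32.exe loading a module whose extension is not .dll from a
     path under C:\\Users\\, the "DLL disguised as .ppt" pattern.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# PowerShell switches that suppress the window or prompts (assumed set; extend as needed).
HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.IGNORECASE)
NON_INTERACTIVE = re.compile(r"-(?:noni|noninteractive|nop|noprofile)\b", re.IGNORECASE)

# Module path under a user profile, e.g. C:\Users\<name>\...
USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)

# First argument of rundll32 (quoted or bare) and the optional ",Export" that follows.
RUNDLL32_ARGS = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))(?:\s*,\s*(\S+))?', re.IGNORECASE
)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def powershell_from_shortcut(ev: ProcessEvent) -> bool:
    """True when Explorer spawns PowerShell with quiet switches (shortcut-launched script)."""
    if _basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    if _basename(ev.parent_image) != "explorer.exe":
        return False
    return bool(HIDDEN_WINDOW.search(ev.command_line) or NON_INTERACTIVE.search(ev.command_line))


def rundll32_suspicious_module(ev: ProcessEvent):
    """Return (module_path, export) when rundll32 loads a non-.dll module from a
    user profile; None otherwise. Legitimate non-.dll modules (e.g. .cpl applets)
    normally live under C:\\Windows, so the profile-path condition keeps them out."""
    if _basename(ev.image) != "rundll32.exe":
        return None
    m = RUNDLL32_ARGS.search(ev.command_line)
    if not m:
        return None
    module = m.group(1) or m.group(2)
    export = m.group(3)
    if PureWindowsPath(module).suffix.lower() != ".dll" and USER_PROFILE.match(module):
        return module, export
    return None


def triage(events):
    """Apply both checks; returns a list of (rule_name, detail) findings."""
    findings = []
    for ev in events:
        if powershell_from_shortcut(ev):
            findings.append(("hidden_powershell_from_explorer", ev.command_line))
        hit = rundll32_suspicious_module(ev)
        if hit:
            findings.append(("rundll32_non_dll_module", hit))
    return findings


# Constructed sample events (not real telemetry); script bodies and file names are invented.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -WindowStyle Hidden -NonInteractive -c "<obfuscated script omitted>"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\bob\q7hd2k.ppt,JMB"),
    # Benign controls: a normal Control Panel launch and an interactive PowerShell session.
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe"),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(rule, detail)
```

The two rules are deliberately independent: the first catches the launcher stage regardless of what the script downloads, the second catches the execution stage even if the script was never logged. Correlating both on the same host within a short window is what turns each weak signal into a high-confidence alert.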

Timeline

  1. 01.10.2025 18:00 · 1 article

    Credential-themed ZIP Archives Deliver DLL Implants via Windows Shortcuts

    A campaign has been observed delivering DLL implants using Windows shortcut (.lnk) files embedded in ZIP archives. The ZIP files contain credential-themed lures, such as passport scans and payment records. When a user clicks on the shortcut, it triggers a minimized and obfuscated PowerShell script that downloads a malicious payload. The campaign targets management vertical users, focusing on executive workflows like identity verification and payment approval. The PowerShell script uses quiet flags to run without displaying visible windows or prompting the user for permission. It checks for common antivirus processes and downloads different payloads based on the presence of security software. The DLLs are disguised as .ppt files and invoked using rundll32.exe, blending the malicious activity with normal system behavior.


Information Snippets

  • The campaign uses ZIP archives containing credential-themed lures to trick users into executing malicious Windows shortcut (.lnk) files.

    First reported: 01.10.2025 18:00
    1 source, 1 article
  • The shortcut files trigger a minimized and obfuscated PowerShell script that downloads a malicious payload.

    First reported: 01.10.2025 18:00
    1 source, 1 article
  • The PowerShell script uses quiet flags to run without displaying visible windows or prompting the user for permission.

    First reported: 01.10.2025 18:00
    1 source, 1 article
  • The script checks for common antivirus processes and downloads different payloads based on the presence of antivirus software.

    First reported: 01.10.2025 18:00
    1 source, 1 article
  • The downloaded payloads are DLLs disguised as .ppt files, saved to the user profile with random names.

    First reported: 01.10.2025 18:00
    1 source, 1 article
  • The DLLs are invoked using rundll32.exe with the JMB export, leveraging a signed system program to load and run the attacker code.

    First reported: 01.10.2025 18:00
    1 source, 1 article
  • The campaign targets management vertical users, focusing on executive workflows like identity verification and payment approval.

    First reported: 01.10.2025 18:00
    1 source, 1 article