
Patchwork group macro-to-.LNK DLL side-loading sequence

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary


A Patchwork group infection sequence now uses a malicious macro, .LNK file, PowerShell, and DLL side-loading to launch a payload that can exfiltrate data and collect system information.

Related Happenings

LeakNet ransomware gang ClickFix and Deno in-memory loader activity

Malware Activity
First: 17.03.2026 14:09 Last: 17.03.2026 14:09 Sources 1

About this happening: The **LeakNet ransomware gang** has adopted **ClickFix** initial access and a **Deno-based loader** that executes malicious code in memory, making intrusions harder to detect and...

SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM multi-stage malware deployment

Malware Activity
First: 05.03.2026 14:01 Last: 05.03.2026 14:01 Sources 1

About this happening: A **Windows malware** set composed of **SPLITDROP**, **TWINTASK**, **TWINTALK**, and **GHOSTFORM** was deployed across **two infection chains**, expanding the operation’s command,...

OAuth-phished ZIP/LNK/PowerShell malware delivery chain

Malware Activity
First: 03.03.2026 11:20 Last: 03.03.2026 11:20 Sources 1

About this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...

Lnk-it-up open-source suite for generating and detecting malicious Windows LNK shortcuts

Security Tool/Service
First: 12.02.2026 23:01 Last: 12.02.2026 23:01 Sources 1

About this happening: **lnk-it-up** is a newly released open-source suite for **Windows LNK shortcuts** that helps testers generate deceptive files and helps defenders spot shortcuts where **Explorer**...

Microsoft silently patches in Windows LNK files remote code execution flaw (CVE-2025-9491)

Vulnerability
First: 12.02.2026 23:01 Last: 12.02.2026 23:01 Sources 1

About this happening: **Windows LNK shortcut files** remain the focus of this vulnerability thread: **CVE-2025-9491** / **ZDI-CAN-25373** is being used in **September-October 2025** spear-phishing atta...

Timeline

  1. 02.10.2025 17:44 2 articles · 7mo ago

    Patchwork macro-to-.LNK DLL side-loading infection chain

    Technical Analysis Update

    The Patchwork group's infection sequence begins with a malicious macro that downloads a .LNK file. PowerShell code embedded in the shortcut fetches additional payloads and uses DLL side-loading to launch the primary malware while a decoy PDF is displayed. The payload contacts a C2 server, gathers system information, decrypts an encoded instruction for cmd.exe, takes screenshots, uploads files, downloads files from a remote URL into a temporary directory, and retries data transmission up to 20 times.
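    As an added example (not code from the source article or from this site), the Python triage script below parses the StringData of a .LNK file following the MS-SHLLINK layout and flags traits typical of the shortcut stage described above: a PowerShell target, hidden-window switches, a minimised ShowCommand, and whitespace padding that hides the real command line. The sample shortcut it builds is constructed for the test; the indicator list and the 32-space padding threshold are assumptions, not values from the report.

```python
import re
import struct
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80           # LinkFlags bits, MS-SHLLINK 2.1.1
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
SW_SHOWMINNOACTIVE = 7                    # ShowCommand value that keeps the console window out of sight
INDICATORS = ("powershell", "pwsh", "-nop", "-enc", "hidden", "downloadstring",   # assumed list
              "invoke-webrequest", "iwr ", "rundll32", "regsvr32", "mshta", "cmd /c")

def parse_lnk(data: bytes) -> dict:
    """Walk a shell link: header -> optional IDList -> optional LinkInfo -> StringData."""
    if struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 0x4C
    if flags & HAS_ID_LIST:               # IDListSize (2 bytes) followed by the IDList itself
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts the whole LinkInfo structure
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_FIELDS:       # each: CountCharacters (2 bytes) + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2:off + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    return fields

def lnk_findings(data: bytes) -> list:
    """Names of suspicious traits in the shortcut's target, working dir, arguments and window state."""
    f = parse_lnk(data)
    text = " ".join(f.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
    found = {i.strip() for i in INDICATORS if i in text}
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        found.add("show-minimized")
    if re.search(r"\s{32,}", f.get("arguments", "")):   # padding that pushes the real command out of view
        found.add("whitespace-padding")
    return sorted(found)

def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Constructed sample builder: minimal Unicode shell link with no IDList and no LinkInfo."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, 0x08 | 0x20 | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    string_data = lambda v: struct.pack("<H", len(v)) + v.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)

SAMPLE = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",   # constructed
                   '-w hidden -nop -c "[constructed stage-2 fetch placeholder]"', SW_SHOWMINNOACTIVE)
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo, which the parser skips by size before reading the strings; run `lnk_findings` over files harvested from mail attachments or user download folders and review anything that returns a non-empty list.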
