{
	"id": "d2c270da-b15c-47a2-8e60-cc0fe09bfe21",
	"created_at": "2026-04-06T00:20:15.753675Z",
	"updated_at": "2026-04-10T13:11:29.497042Z",
	"deleted_at": null,
	"sha1_hash": "0400b2ed7a561748ba09d80659c682567873b89e",
	"title": "DeerStealer Malware Delivered Via Weaponized .LNK Using LOLBin Tools | Cryptika Cybersecurity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 253232,
	"plain_text": "DeerStealer Malware Delivered Via Weaponized .LNK Using\r\nLOLBin Tools | Cryptika Cybersecurity\r\nBy Blog Writer\r\nPublished: 2025-07-22 · Archived: 2026-04-05 17:25:33 UTC\r\nA sophisticated new phishing campaign has emerged, delivering the DeerStealer malware through weaponized\r\n.LNK shortcut files that exploit legitimate Windows binaries in a technique known as “Living off the Land”\r\n(LOLBin).\r\nThe malware masquerades as a legitimate PDF document named “Report.lnk” while covertly executing a complex\r\nmulti-stage attack chain that leverages mshta.exe, a legitimate Microsoft HTML Application host utility.\r\nThe attack represents a significant evolution in malware delivery mechanisms, utilizing Microsoft’s own tools to\r\nbypass traditional security measures.\r\nThe malicious .LNK file initiates a carefully orchestrated execution sequence that progresses through multiple\r\nsystem binaries before ultimately deploying the DeerStealer payload.\r\nThis approach exploits the inherent trust that security systems place in legitimate operating system components,\r\nmaking detection substantially more challenging.\r\nLinkedIn analysts and researchers identified this campaign as particularly concerning due to its sophisticated\r\nevasion techniques and the abuse of the MITRE ATT\u0026CK framework technique T1218.005, which specifically\r\ncovers the malicious use of mshta.exe.\r\nThe researchers noted that the attack’s reliance on dynamic path resolution and obfuscated command execution\r\nrepresents a notable advancement in malware sophistication.\r\nExecution Chain and Infection Mechanism\r\nThe DeerStealer infection follows a precise five-stage execution chain: .lnk → mshta.exe → cmd.exe →\r\nPowerShell → DeerStealer.\r\nThe initial .LNK file covertly invokes mshta.exe to execute heavily obfuscated scripts using wildcard paths to\r\nevade signature-based detection systems.\r\nhttps://www.cryptika.com/deerstealer-malware-delivered-via-weaponized-lnk-using-lolbin-tools/\r\nPage 1 of 3\r\nDeerStealer Delivered Via Obfuscated .LNK Using LOLBin Abuse (Source – LinkedIn)\r\nThe malware dynamically resolves the full path to mshta.exe within the System32 directory, launching it with\r\nspecific flags followed by obfuscated Base64 strings.\r\nTo maintain stealth during execution, both logging and profiling capabilities are disabled, significantly reducing\r\nforensic visibility.\r\nThe script employs a sophisticated character decoding mechanism where characters are processed in pairs,\r\nconverted from hexadecimal to ASCII format, then reassembled into executable scripts via PowerShell’s IEX\r\n(Invoke-Expression) cmdlet.\r\nThis ensures the malicious logic remains hidden until runtime, effectively bypassing static analysis tools.\r\nThe final payload delivery involves dynamic URL resolution from obfuscated arrays, simultaneous download of a\r\ndecoy PDF document to distract victims, and silent installation of the main executable into the AppData directory.\r\nThe legitimate PDF opens in Adobe Acrobat as a diversion tactic while the malware establishes persistence.\r\nKey indicators of compromise include the domain tripplefury[.]com and SHA256 hashes\r\nfd5a2f9eed065c5767d5323b8dd928ef8724ea2edeba3e4c83e211edf9ff0160 and\r\n8f49254064d534459b7ec60bf4e21f75284fbabfaea511268c478e15f1ed0db9.\r\nSource: https://www.cryptika.com/deerstealer-malware-delivered-via-weaponized-lnk-using-lolbin-tools/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cryptika.com/deerstealer-malware-delivered-via-weaponized-lnk-using-lolbin-tools/"
	],
	"report_names": [
		"deerstealer-malware-delivered-via-weaponized-lnk-using-lolbin-tools"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434815,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0400b2ed7a561748ba09d80659c682567873b89e.pdf",
		"text": "https://archive.orkl.eu/0400b2ed7a561748ba09d80659c682567873b89e.txt",
		"img": "https://archive.orkl.eu/0400b2ed7a561748ba09d80659c682567873b89e.jpg"
	}
}