{
	"id": "191be04c-a456-4a6a-86c6-0d515e4ae58e",
	"created_at": "2026-04-06T00:10:38.508655Z",
	"updated_at": "2026-04-10T03:26:56.246382Z",
	"deleted_at": null,
	"sha1_hash": "0df5f38edcf6c2af12fd18bdf8dafdab72a4472b",
	"title": "Vedalia APT Group Exploits Oversized LNK Files to Deliver Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 495733,
	"plain_text": "Vedalia APT Group Exploits Oversized LNK Files to Deliver Malware\r\nBy Divya\r\nPublished: 2024-04-08 · Archived: 2026-04-05 17:56:35 UTC\r\nThe Vedalia Advanced Persistent Threat (APT) group, also tracked under the alias Konni, has been distributing malware with a technique built around oversized Windows shortcut (LNK) files.\r\nThe method marks a change in the group’s operational tradecraft, aimed at bypassing conventional security controls and compromising targeted systems.\r\nBroadcom recently published a blog post reporting that the Vedalia APT group used very large LNK files in its latest malware campaign.\r\nKey Highlights of the Campaign\r\nDelivery Mechanism: The group distributes LNK files with double extensions, which mask the real .lnk extension. Because Windows Explorer never displays the .lnk extension, a shortcut named like a document is shown as that document, which deceives users into believing the files are harmless and increases the likelihood that they will open them.\r\nObfuscation through Whitespace: A notable characteristic of these LNK files is the excessive amount of whitespace padding in the embedded command line. The padding hides the malicious command line from casual inspection and makes detection by security software and analysts harder.\r\nBypassing Security Defenses: The command line embedded in the LNK file searches for and executes PowerShell commands. This approach is chosen to evade detection: it relies on PowerShell, a legitimate system component, to locate and deploy the embedded malicious files and payload.\r\nBroadcom lists the following file-based detections for this campaign:\r\nCL.Downloader!gen20\r\nScr.Mallnk!gen13\r\nTrojan.Gen.NPE\r\nWS.Malware.1\r\nImplications and Recommendations\r\nThe Vedalia APT group’s adoption of oversized LNK files for malware delivery underscores the evolving threat landscape.\r\nOrganizations and individuals are advised to remain vigilant, keep their security solutions updated, and educate users about the risks of opening files from unknown sources.\r\nThis campaign is a reminder of the continuous innovation among adversaries.\r\nBy staying informed and proactive, organizations can better defend against these threats and safeguard their digital assets and the integrity of their systems.\r\nDivya\r\nDivya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.\r\nSource: https://gbhackers.com/vedalia-apt-group-exploits/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://gbhackers.com/vedalia-apt-group-exploits/"
	],
	"report_names": [
		"vedalia-apt-group-exploits"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434238,
	"ts_updated_at": 1775791616,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0df5f38edcf6c2af12fd18bdf8dafdab72a4472b.pdf",
		"text": "https://archive.orkl.eu/0df5f38edcf6c2af12fd18bdf8dafdab72a4472b.txt",
		"img": "https://archive.orkl.eu/0df5f38edcf6c2af12fd18bdf8dafdab72a4472b.jpg"
	}
}