{
	"id": "edddefa3-e845-461f-925c-3a5779323be2",
	"created_at": "2026-04-06T00:21:18.417126Z",
	"updated_at": "2026-04-10T13:13:06.594522Z",
	"deleted_at": null,
	"sha1_hash": "9ad9d4c91c0d32bbb738943b49025c8a4e53621d",
	"title": "Following the LNK metadata trail",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 142067,
	"plain_text": "Following the LNK metadata trail\r\nBy Guilherme Venere\r\nPublished: 2023-01-19 · Archived: 2026-04-05 23:17:54 UTC\r\nThursday, January 19, 2023 08:00\r\nAdversaries’ shift toward Shell Link (LNK) files, likely sparked by Microsoft’s decision to block macros,\r\nprovides the opportunity to capitalize on information that can be provided by LNK metadata.\r\nCisco Talos analyzed metadata in LNK files and correlated it with threat actors’ tactics, techniques and\r\nprocedures to identify and track threat actor activity. This report outlines our research on Qakbot and\r\nGamaredon as examples.\r\nTalos also used LNK file metadata to identify relationships among different threat actors. In this report we\r\ndemonstrate this by using metadata to connect Bumblebee with IcedID and with Qakbot.\r\nExecutive Summary\r\nMicrosoft announced at the beginning of 2022 that they would soon start to disable macros by default in Office\r\ndocuments downloaded from the Internet. They implemented the changes around June, only to remove the feature\r\nlater that month. The feature was finally re-enabled by the end of July. Cisco Talos observed threat actors reacting\r\nto these changes by moving away from malicious macros as an initial access method in favor of other types of\r\nexecutable attachments.\r\nWhile tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious\r\nLNK files as their initial access method to download and execute payloads. A closer look at the LNK files\r\nillustrates how their metadata could be used to identify and track new campaigns.\r\nAn overview of the LNK file format\r\nMicrosoft describes the Shell Link binary file format - the format used by Windows files with the extension\r\n\"LNK\" - as a file which contains information that can be used by the Operating System or an application to access\r\nanother data object on the system. 
Although the format itself has uses in supporting Object Linking and\r\nEmbedding (OLE) object access, it is more commonly used for “shortcuts” to applications and file locations on the\r\nfile system.\r\nThe LNK structure stores information about the target object as well as other related information about the\r\napplication behavior and metadata from the machine where the LNK file was created. These metadata sections can\r\ncontain optional data about various attributes of the target file. Among these attributes, a few provide valuable\r\ninformation to identify the exact system where the file was created. Other researchers have published some good\r\ninformation on the basic features present in LNK files, so we won’t delve too deeply into the details, but the most\r\nimportant fields for our research are the following:\r\nhttps://blog.talosintelligence.com/following-the-lnk-metadata-trail\r\nPage 1 of 16\n\nModification/Access/Creation (MAC) timestamps: FILETIME structures that specify the modification, access and creation\r\ntimes of the LNK target in UTC.\r\nVolumeID: An optional VolumeID structure that specifies information about the volume on which the link\r\ntarget resided when the link was created. Of special interest to analysts is the field DriveSerialNumber,\r\nwhich is unique and can be associated with a specific Disk Device.\r\nMachineID (16 bytes): A NULL-terminated character string, as defined by the system default code page,\r\nwhich specifies the NetBIOS name of the machine where the link target was last known to reside.\r\nDROID (CDomainRelativeObjId) GUID: Two values in GUID packet representation which are used to\r\nindicate the location of the link target. There are different values for the Volume identifier as well as the\r\nFile identifier. 
The last section of the File identifier is generated based on the MAC Address of the\r\nmachine where the file resides, which is another important piece of correlation data.\r\nDROID Birth GUID: The same as the field above, but stores the location where the LNK file originally\r\npointed to. Together with the DROID GUID, these two fields could indicate whether an LNK file was moved to a\r\ndifferent system after creation.\r\nMetadata Store structure: Extra structures of attributes used to describe additional details about the link\r\ntarget. Sometimes, when the target information is not present in the LNK file, we might need to look at the\r\nMetadata Store structure for additional data. The fields “ItemFolderPathDisplayNarrow”,\r\n“ParsingPath” and security identifier (“SID”) in this structure might provide valuable data to identify the\r\nLNK target as well as embedded payloads.\r\nIn order to extract these attributes, several tools are available in the public domain to parse and analyze the LNK\r\nstructure. Google provides a free command line tool called “LNK Parser”, which we are going to use in this blog\r\nto demonstrate the examples, but there are other options like LECmd or the Python library “LnkParse3”. Some of\r\nthese tools are able to parse even malformed LNK files, which is a characteristic of some files created by threat\r\nactors.\r\nLNK Builder Tools\r\nWith the increasing usage of LNK files in attack chains, it’s logical that threat actors have started developing and\r\nusing tools to create such files. Several tools have been documented before and many are available publicly or\r\nthrough a paid subscription:\r\nMLNK Builder\r\nQuantum Builder\r\nMacropack\r\nLNKUp\r\nLnk2pwn\r\nSharPersist\r\nRustLnkBuilder\r\nThese different tools may sometimes leave traces in the LNK metadata, which can be useful for detecting or\r\ntracking malicious actors. 
By examining the output payload of some of these builders, we can see that most of\r\nthem wipe out most metadata from the file. This could be used as a good indicator of suspicious behavior, as these\r\nfields are normally present by default when the shortcut is properly created.\r\nSharPersist Payload\r\nFigure 1: SharPersist payload\r\nIn Figure 1 we can see the MAC timestamps are empty, but the LNK file still contains information about the\r\nrelative path where the file was created, as well as the SID of the user who created the file.\r\nQuantum Builder Payload\r\nFigure 2: Quantum builder payload\r\nIn Figure 2, we can see the Quantum Builder does not attempt to wipe out any metadata and the generated LNK\r\nfile contains a trove of metadata about the system where it was created. In this example, we also see the Disk\r\nSerial Number, user SID and DROID information including the MAC address of the machine used to create the\r\nfile. A quick search for that MAC address indicates it is from a VMware virtual network card.\r\nMeterpreter Payload\r\nFigure 3: Meterpreter payload generated for MS15-020 (CVE-2015-0096)\r\nIn the LNK files created by Meterpreter, as well as other exploit frameworks like Cobalt Strike, the metadata are\r\ncompletely wiped, with the malicious code present in fields not normally parsed by LnkParser. 
In Figure 3, the\r\nLNK target is pointing to a DLL file on a remote share, but since this is a malformed file created to exploit a bug,\r\nthe parsing tools cannot see the payload.\r\nFigure 4: Meterpreter payload viewed in a hex editor showing the payload\r\nComparing the data present in these examples we can start to see patterns that may be useful to detect these\r\nmalicious files. Most of the tools tend to leave the metadata wiped simply because the APIs used to create such files\r\ndon’t require all fields to be present, so they implement the bare minimum to have the malicious code running. A\r\nsimple YARA rule could be used to detect such samples:\r\nrule lnk_wiped {\r\n    meta:\r\n        author = \"gvenere\"\r\n        description = \"LNK with wiped metadata\"\r\n\r\n    strings:\r\n        $lnk_magic = { 4c 00 00 00 }   // ShellLinkHeader.HeaderSize is always 0x4C\r\n        $ext1 = \".js\"    // additional strings to search\r\n        $ext2 = \".bat\"   // in the LNK target area\r\n        $ext3 = \".cmd\"   // These are for Qakbot\r\n\r\n    condition:\r\n        $lnk_magic at 0x0 and\r\n        // each FILETIME is 8 bytes; these checks cover only its first two bytes\r\n        uint16(0x1c) == 0x0 and   // CreationTime == 0x0\r\n        uint16(0x24) == 0x0 and   // AccessTime == 0x0\r\n        uint16(0x2c) == 0x0 and   // WriteTime == 0x0\r\n        // To target specific families we can add additional checks here\r\n        ( any of ($ext*) in (0xa0..0x100) )\r\n}\r\nOther tools use the proper methods to create these files, but that opens an opportunity to identify information\r\nspecific to the machine where the sample was created. Looking at the Quantum Builder example in Figure 2, it’s\r\npossible to see attributes which identify the Disk and Machine where the LNK was created. 
\r\nThe information present in the LNK files can prove extremely valuable when it comes to tracking specific threat\r\nactors in the wild.\r\nLNK files as Initial Access Tool\r\nWhen Microsoft announced the changes to macro behavior in Office at the end of 2021, very few of the most\r\nprevalent malware families used LNK files as part of their initial infection chain. In general, LNK files are used\r\nby worm-type malware like Raspberry Robin in order to spread to removable disks or network shares.\r\nHowever, Talos observed a steady increase in LNK file usage by major malware families starting at the beginning\r\nof the year, with a big spike by the time Microsoft implemented the changes in Office 365. Looking at VirusTotal\r\n(VT) data for the past year, and searching exclusively for files related to prevalent malware families, we can see\r\nthe following trend (Figure 5):\r\nFigure 5: LNK files used as initial access mechanism for prevalent malware families. Source:\r\nVirusTotal\r\nWhen we look at specific families using these files, we can observe Qakbot as the main source of files in their last\r\ntwo campaigns, one starting in May and ending in July, and the other starting around the beginning of August and\r\nending in November.\r\nFigure 6: LNK file telemetry mapped to malware families. Source: VirusTotal\r\nInterestingly, many malicious LNK files submitted to VT during this period had all the metadata removed from\r\nthe file. Looking at Qakbot data, we see the group started to use LNK files with wiped metadata during the August\r\ncampaign. Wiped metadata could also be explained by the increasing usage of toolkits to generate such files, as\r\nexplained before.\r\nThe data in Figure 6 also depicts a decrease in activity around July and August, followed by another spike around\r\nOctober and November. 
This could be explained by the announcement of vulnerabilities which allowed malware\r\nto bypass the Mark-of-the-Web flag used by Microsoft Defender and other antivirus products to decide whether or\r\nnot to scan a file. As reported by other sources, this bug was exploited by many malware families and could\r\nexplain the second spike in LNK file usage as a delivery mechanism.\r\nThreat Actor Tracking\r\nQakbot\r\nQakbot (also known as Qbot or Pinkslipbot) is one of the oldest malware operations still in activity. First observed\r\nin the wild around 2007, it is still one of the most active malware families today, as we recently reported in Talos’s\r\nQ2 Quarterly Report.\r\nQakbot is known to evolve and adapt its operation according to the currently popular delivery methods and\r\ndefense techniques. As recently as May 2022, its preferred method of distribution was to hijack email threads\r\ngathered from compromised machines and insert attachments containing Office XLSB documents embedded with\r\nmalicious macros.\r\nHowever, after Microsoft announced changes to how macros were executed by default on internet-downloaded\r\ncontent, Talos found Qakbot increasingly moving away from the XLSB files in favor of ISO files containing an\r\nLNK file, which would download and execute the payload.\r\nWhile examining the content of the LNK files used in the last 6 months of campaigns, we observed some\r\ninteresting characteristics. Looking at the information present in the metadata about where these samples were\r\ncreated, we see that there is no overlapping metadata between the different campaigns. 
Additionally, looking at the\r\nTop 200 samples in VT known to be part of a Qakbot campaign, we see which machines were the most active in\r\ngenerating these LNK files (Figure 7):\r\nFigure 7: Distribution of LNK files related to main Qakbot campaigns\r\nMetadata information can also help detect correlations between these actors and other malware. For example, we\r\nanalyzed a set of thirteen samples, all part of the “AA” Qakbot campaign from June and July 2022.\r\nThe metadata in these samples indicate they were created on a machine with Drive Serial # “0x2848e8a8”.\r\nLooking at VT for this serial we found samples both related to the AA campaign and linked to other\r\nmalware.\r\nFor example the sample beacb63904c2624ae02601f283671b3ef61650109aea3259b63a0aeefe4133fa, which was\r\nsubmitted on August 15th, 2022, contains PowerShell code to download and execute a binary from\r\nhxxp://88.198.148[.]231/u.exe.\r\nAccording to VT information, this sample with 
hash\r\n6161c01fd590c98c6dee4e510ba9be4f574c9cc5c89283dbff6bb79cd9383d70 is detected as a Redline variant\r\n(Figure 8):\r\nFigure 8: VirusTotal details for Redline sample\r\nStarting in August 2022, Qakbot resumed activity, including their two main campaigns, “Obama” and “AA”.\r\nInterestingly, at this point the “Obama” Qakbot campaign began wiping out the metadata on their LNK files, but\r\nthe Target field always pointed to the JS, BAT or CMD file used to start the malicious DLL as part of the initial\r\ninfection chain (Figure 9):\r\nFigure 9: Metadata for LNK files part of “Obama” campaign\r\nThe same behavior appeared in the “BB” campaign’s LNK files starting on September 13th. We can see in\r\nFigure 10 that samples mapped to the “BB” campaign in September still had Drive Serial Number information:\r\nFigure 10: Metadata for LNK files part of “BB” campaign\r\nWe also observe that the Drive Serial Number matches the one used by the “AA” campaign from the May/July\r\ntimeframe, which could indicate “AA” and “BB” are probably managed by the same group. More recently,\r\nsamples from “BB” started to have their metadata wiped too.\r\nGamaredon\r\nIn June 2022, Inquest published a report about a new threat actor called Glowsand that was targeting Ukrainian\r\nentities using phishing emails with malicious documents and LNK files to download and execute second stage\r\npayloads.\r\nBy analyzing the metadata content of the LNK file in the report, Talos linked the machine IDs where the files\r\nwere generated to files associated with the Gamaredon APT. 
Furthermore, based on this metadata, Talos identified\r\na new campaign targeting Ukrainian organizations that started around August 8th, 2022, which we wrote about in\r\na separate blog post. In fact, Gamaredon files reported as far back as Feb 2017 contained the same LNK metadata\r\nas the files found in our research.\r\nOn September 6th a new set of samples was identified during our hunts, which we also connected to previous\r\nGamaredon campaigns via metadata. But the samples this time had an interesting feature: an embedded digital\r\nsignature (digisig) pertaining to a Microsoft development unit in Puerto Rico.\r\n7f66f4411983001d29236c5d3fb4ff26f01b5742badca1db8d49264c01ba506c\r\n1b2ed05f488f8439688a02cc6ef84f939d16169117b489219b688a3ea482e5ed\r\n6ce64dedbe81c36aef38fd2d567f6ab9737df708591dc2f0cafa56db26a1d043\r\n1e0b92485e09ac970ae38214fb5c7407f73027ada47ea697017e49cacb576908\r\nThe samples had very few or no detections at all in VT, even though some of them are related to a Gamaredon\r\ncampaign from 2016/2017, which suggests the embedded digisig may have been added in an attempt to\r\nbypass AV detections.\r\nFollowing the lead on the digisig name “Microsoft Operations Puerto Rico1” we can find a multitude of LNK files\r\nusing the same technique. The interesting point here is that there is no provision in the LNK file format for a\r\ndigisig, which means the digisig is probably present only as garbage data to confuse AV scanners, a common\r\ntechnique used by many malware families.\r\nBumblebee relationship with IcedID and Qakbot\r\nIn addition to tracking malware groups’ activity over time, LNK file metadata can help identify relationships\r\namong different threat actors. 
Researchers have identified relationships between Bumblebee and other malware\r\nfamilies before, which we independently confirmed by looking at the LNK metadata.\r\nIn August 2022, a user submitted a test link file to VT, with a file path containing the individual’s username:\r\n“Lamar”. This LNK file was created on the same machine responsible for the LNK files used in a previous IcedID\r\ncampaign. A few hours later the same user submitted another file with hash\r\ne89cd1999517b47805106111e14de4a03669cac30adb3b3304655febce25955f, this time with user information\r\nsanitized, and packaged in a Zip file containing a BAT and DLL file. The DLL file was an IcedID bot.\r\nWe also found a correlation between LNK files leading to IcedID infections and LNK files used in a Bumblebee\r\ncampaign, as both use the same Drive Serial Number:\r\nFigure 11: Bumblebee and IcedID samples sharing the same metadata\r\nBy examining the relationships between these hashes in VT, we can see that the LNK file\r\n9c7e01c2c39dadc020a0cf8dc74b62e6453b56413f09705b4ad4d391981f5a3f seen in Figure 11 leads to a\r\nBumblebee DLL while other hashes like\r\n3cca8d1b4cfe0ebcf105621700454d0285ef1b44dfed3e3abf70060bb62aa5b4 lead to an IcedID DLL. In both cases\r\nthe same username is present in the ParsingPath field.\r\nA similar approach was used to find a relationship between Bumblebee and Qakbot. During our research on\r\nQakbot we found samples associated with the “Obama” campaign which still had the LNK information and used\r\nthe Drive Serial Number “300D-05E9”. 
This same serial number was found later in LNK samples leading to\r\nBumblebee infections:\r\nFigure 12: Bumblebee and Qakbot samples sharing the same metadata\r\nJust as an example, the sample 2738ee3f181994cca5d9ea19359b8142981583d17563934ab3212eefe13af3ff in\r\nFigure 12 leads to a Bumblebee DLL.\r\nConclusion\r\nIn the cyber threat landscape, any new information on the adversary could be critical toward improving defenses.\r\nIn this blog Talos demonstrated metadata’s value using LNK files, but the same concept is applicable to other file\r\nformats that include metadata, or attack tools that leave signature traces about their use in their payloads.\r\nBy analyzing and tracking information leaked through metadata, and correlating this information with other\r\nactors’ tactics, techniques and procedures, defenders can develop better detections and even predict future\r\nbehavior, to prepare for an attack.\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. 
You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. Snort SIDs for this threat are: 61099-61102, 300367-300368\r\nThe following ClamAV detections are also available for this threat:\r\nLnk.Dropper.Agent\r\nLnk.Trojan.Qakbot\r\nLnk.Trojan.BazarLoader\r\nLnk.Downloader.Agent\r\nWin.Dropper.Agent\r\nIndicators of Compromise\r\nIndicators of Compromise associated with this threat can be found here.\r\nSource: https://blog.talosintelligence.com/following-the-lnk-metadata-trail",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/following-the-lnk-metadata-trail"
	],
	"report_names": [
		"following-the-lnk-metadata-trail"
	],
	"threat_actors": [
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434878,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ad9d4c91c0d32bbb738943b49025c8a4e53621d.pdf",
		"text": "https://archive.orkl.eu/9ad9d4c91c0d32bbb738943b49025c8a4e53621d.txt",
		"img": "https://archive.orkl.eu/9ad9d4c91c0d32bbb738943b49025c8a4e53621d.jpg"
	}
}