A campaign that packages credential-themed ZIP archives with malicious Windows shortcut (.lnk) files has been tracked by cybersecurity researchers.

The ZIP files promise certified documents, including passport scans and payment records. When a user clicks on a shortcut, it triggers a minimized and obfuscated PowerShell script that downloads a malicious payload.

Social Engineering Meets Evasion Tactics

What’s new in this attack is the mix of familiar social engineering and pragmatic evasion, according to a new advisory by BlackPoint.

The dropper labels staging files with “.ppt” names while saving them as DLLs locally, constructs key commands from byte arrays to avoid clear text such as “Start-Process” and “rundll32.exe,” and chooses different server files when it detects common antivirus processes. The approach favors operational reliability and stealth over advanced cryptography.

“[The shortcuts] quietly launch obfuscated PowerShell,” BlackPoint said.

They then fetch DLLs disguised as .ppt files.

The activity was observed targeting a management vertical user, suggesting the lures were tailored to executive workflows such as identity verification and payment approval.

How the Dropper Works

The PowerShell dropper launches in a manner designed to remain undetected. It uses so-called quiet flags, allowing the command to run without displaying visible windows or prompting the user for permission. It also suppresses progress messages and clears the console so there are few, if any, on-screen clues that something unusual is happening.

Before downloading, the script checks the system for signs of common antivirus processes. If none are found, it requests a baseline file labeled NORVM.ppt. If an antivirus is present, it requests BD3V.ppt – a variant intended to be stealthier. The .ppt names are only cover; the script treats the files as raw bytes rather than slides.

Those downloaded bytes are then saved to the user profile as a short, randomly named DLL. The dropper invokes that DLL with the Windows utility rundll32.exe using the JMB export, which effectively asks a signed system program to load and run the attacker code.

Because the runtime uses an existing Windows binary rather than launching an unfamiliar executable, the activity can appear to be ordinary system behavior. This living-off-the-land approach helps the implant blend into normal operations, giving the attacker a quiet foothold on the machine while making detection and simple blocking less likely.


Mitigations and Signals to Watch

Blackpoint has shared several suggestions to tackle threats like this, including:

  • Block or detonate LNK files in archives and enforce Mark of the Web

  • Deny execution from user-writable paths with WDAC or AppLocker and restrict rundll32 usage

  • Instrument PowerShell, enable script block logging, transcription and AMSI, and harden web egress with TLS inspection
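As an added example (not Blackpoint's code and not taken from the advisory), the following Python triage script runs the signals described in this article over PowerShell script block log text (Event ID 4104) and process-creation records (4688-style): command names assembled from byte or char arrays, console suppression, .ppt downloads staged as DLLs under the user profile, a process check that selects between two payloads, and rundll32 loading a DLL from a user-writable path. The file names NORVM.ppt and BD3V.ppt and the JMB export come from the article; the sample events, the x7q.dll name, the user "alice" and the "ExampleAV" process name are constructed placeholders.

```python
"""Triage the PowerShell-dropper signals described in the article.

Added example, not the advisory's own tooling. The sample events below are
constructed fixtures for detection; they are not a working dropper.
"""
import re
from dataclasses import dataclass

# Command names that are worth surfacing when they only appear after decoding.
SENSITIVE_TOKENS = ("start-process", "rundll32", "invoke-webrequest",
                    "downloadfile", "downloadstring")

BYTE_ARRAY_RE = re.compile(r"\[(?:byte|char)\[\]\]\s*\(\s*([0-9][0-9,\s]*)\)", re.I)
QUIET_RE = re.compile(r"-WindowStyle\s+Hidden|-NonInteractive|"
                      r"ProgressPreference\s*=\s*'SilentlyContinue'|\bClear-Host\b", re.I)
PPT_RE = re.compile(r"[\w-]+\.ppt\b", re.I)
USER_DLL_RE = re.compile(r"(\$env:USERPROFILE|\$env:APPDATA|\$env:TEMP|"
                         r"[A-Z]:\\Users\\[^\\\s]+)\\[^\s\"']*\.dll", re.I)
RUNDLL_USER_DLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\"?([A-Z]:\\Users\\[^\s\"]+\.dll)\"?\s*,\s*(\w+)", re.I)

# Constructed 4104 script block text carrying the described indicators.
SAMPLE_SCRIPT_BLOCK = r"""
$ProgressPreference = 'SilentlyContinue'; Clear-Host
$a = -join ([char[]](83,116,97,114,116,45,80,114,111,99,101,115,115))
$b = -join ([char[]](114,117,110,100,108,108,51,50,46,101,120,101))
$f = if (Get-Process -Name 'ExampleAV' -ErrorAction SilentlyContinue) {'BD3V.ppt'} else {'NORVM.ppt'}
$out = "$env:USERPROFILE\x7q.dll"
"""

# Constructed 4688-style process-creation records (placeholder user "alice").
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\x7q.dll,JMB",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -NonInteractive -NoProfile -File x.ps1",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",   # benign: system DLL, explorer parent
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent_image": r"C:\Windows\explorer.exe"},
]


@dataclass
class Finding:
    source: str    # "4104" (script block) or "4688" (process creation)
    reason: str
    evidence: str


def decode_byte_arrays(text):
    """Return the strings that [byte[]]/[char[]] numeric literals decode to."""
    decoded = []
    for m in BYTE_ARRAY_RE.finditer(text):
        nums = [int(n) for n in m.group(1).replace(" ", "").split(",") if n]
        if nums and all(0 <= n < 256 for n in nums):
            decoded.append(bytes(nums).decode("latin-1"))
    return decoded


def analyze_script_block(text):
    """Apply the script-level signals to one 4104 script block."""
    findings = []
    for s in decode_byte_arrays(text):
        if any(tok in s.lower() for tok in SENSITIVE_TOKENS):
            findings.append(Finding("4104", "command name assembled from byte array", s))
    quiet = QUIET_RE.findall(text)
    if quiet:
        findings.append(Finding("4104", "console/UI suppression", ", ".join(quiet)))
    ppts = PPT_RE.findall(text)
    if ppts and USER_DLL_RE.search(text):
        findings.append(Finding("4104", ".ppt payload staged as DLL under user profile",
                                ", ".join(ppts)))
    if re.search(r"\bGet-Process\b", text, re.I) and len({p.lower() for p in ppts}) >= 2:
        findings.append(Finding("4104", "process check selects between alternate payloads",
                                " vs ".join(sorted({p for p in ppts}))))
    return findings


def analyze_process_event(ev):
    """Apply the process-level signals to one 4688-style record."""
    findings = []
    image = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("cmdline", "")
    m = RUNDLL_USER_DLL_RE.search(cmd)
    if m:   # rundll32 loading a DLL from a user-writable path, optionally PowerShell-spawned
        reason = "rundll32 loading DLL from user-writable path"
        if parent.endswith(("powershell.exe", "pwsh.exe")):
            reason += " spawned by PowerShell"
        findings.append(Finding("4688", reason, f"{m.group(1)},{m.group(2)}"))
    if image.endswith(("powershell.exe", "pwsh.exe")) and QUIET_RE.search(cmd):
        findings.append(Finding("4688", "PowerShell launched with quiet flags",
                                ", ".join(QUIET_RE.findall(cmd))))
    return findings


def triage(script_blocks, process_events):
    """Run both analyzers and return every finding in input order."""
    out = []
    for sb in script_blocks:
        out.extend(analyze_script_block(sb))
    for ev in process_events:
        out.extend(analyze_process_event(ev))
    return out


if __name__ == "__main__":
    for f in triage([SAMPLE_SCRIPT_BLOCK], SAMPLE_PROCESS_EVENTS):
        print(f"[{f.source}] {f.reason}: {f.evidence}")
```

Each signal alone is weak (Get-Process and Clear-Host are common in admin scripts), so the value is in co-occurrence: a hidden, non-interactive PowerShell spawned from explorer.exe, a script block that only yields rundll32 after decoding, and a rundll32 child loading from the user profile together match the chain described above and are worth an alert rather than a log line.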

The report warned that these measures are necessary because the attack trades on user trust in document-themed content and uses signed system binaries and simple AV-aware checks to reduce early detection.