
"Worries about a .lnk vulnerability go back to March 2025, when Trend Micro reported thousands of malicious .lnk files containing hidden command line arguments being used in campaigns dating back to 2017. Mitja Kolsek of 0Patch reported that this particular hole (CVE-2025-9491) was quietly plugged last summer. However, McElligott doesn't believe this vulnerability is being used in the latest Global Group campaign, because the target isn't hidden in the .lnk shortcut file properties."
"When Microsoft patched a vulnerability last summer that allowed threat actors to use Windows' shortcut (.lnk) files in exploits, defenders might have hoped use of this tactic would decline. They were wrong. According to researchers at Forcepoint, a new high-volume phishing campaign spreading the Global Group ransomware has been detected that hopes to sucker employees into clicking on an attachment in an email with the subject line 'Your document.'"
A new high-volume phishing campaign uses weaponized .lnk files to deliver Global Group ransomware through emails with the subject 'Your document'. The .lnk files silently retrieve and launch a second-stage payload by combining social engineering, stealthy execution, and Living-off-the-Land techniques. Similar campaigns have distributed the Aware ransomware variant and have been attributed to actors leveraging the Phorpiex (Trik) botnet. Concerns over malicious .lnk usage date to March 2025 when Trend Micro found thousands of .lnk files with hidden command-line arguments. CVE-2025-9491 was patched last summer, and the current campaign does not appear to rely on that specific flaw. Global Group emerged as a RaaS operation in June 2025 and is widely considered a rebranding of BlackLock and Mamona.
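The summary above describes shortcut files whose command-line arguments are hidden from the person who opens them and which hand off to a Living-off-the-Land launcher. The following triage script is an added example, not code from Computerworld, Forcepoint, Trend Micro or the campaign itself: it parses the MS-SHLLINK header and StringData sections far enough to recover the `COMMAND_LINE_ARGUMENTS` string, then applies two defender heuristics (long whitespace padding that pushes the real arguments out of the visible Properties field, and a LOLBin launcher combined with download or encoded-command indicators). The function names `parse_lnk`, `triage_lnk` and `build_fixture`, the `MAX_VISIBLE_PADDING` threshold and the `LOLBINS` list are assumptions of this example, and the two fixtures it builds contain only StringData, so they are parser test inputs rather than resolvable shortcuts.

```python
"""Triage Windows shortcut (.lnk) files for hidden command-line arguments.

Added example (not the article's or any vendor's code). Parses just enough of the
MS-SHLLINK format to reach COMMAND_LINE_ARGUMENTS and flags two patterns.
"""
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # ShellLink CLSID

# LinkFlags bits (MS-SHLLINK section 2.1.1) that decide which sections follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Launchers commonly abused from shortcuts (assumed watch list; extend to taste)
LOLBINS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
           "rundll32", "certutil", "bitsadmin")
DOWNLOAD_HINTS = re.compile(
    r"(https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|-enc\b|frombase64string)",
    re.I)
# Assumed threshold: a whitespace run longer than this hides what follows in the Properties dialog
MAX_VISIBLE_PADDING = 32


def _read_string_data(data, pos, is_unicode):
    """Read one StringData item: uint16 CountCharacters followed by the characters."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    width = 2 if is_unicode else 1
    raw = data[pos:pos + count * width]
    text = raw.decode("utf-16-le" if is_unicode else "cp1252", errors="replace")
    return text, pos + count * width


def parse_lnk(data):
    """Return the StringData fields of a shell link; raise ValueError if it is not one."""
    if (len(data) < HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    is_unicode = bool(flags & IS_UNICODE)
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            fields[name], pos = _read_string_data(data, pos, is_unicode)
    return fields


def triage_lnk(data):
    """Return (suspicious, reasons, fields) for one .lnk byte string."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    reasons = []
    longest_ws = max((len(run) for run in re.findall(r"\s+", args)), default=0)
    if longest_ws > MAX_VISIBLE_PADDING:
        reasons.append(f"whitespace padding of {longest_ws} chars hides trailing arguments")
    if any(b in args.lower() for b in LOLBINS) and DOWNLOAD_HINTS.search(args):
        reasons.append("LOLBin launcher combined with download/encoded-command indicators")
    return bool(reasons), reasons, fields


def build_fixture(arguments, relative_path=None):
    """Constructed test input: header plus StringData only, not a resolvable shortcut."""
    flags = IS_UNICODE | HAS_ARGUMENTS | (HAS_RELATIVE_PATH if relative_path else 0)
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))
    body = b""
    if relative_path:
        body += struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    body += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + body


# Constructed samples: a plain shortcut and one with padded, download-style arguments
BENIGN_LNK = build_fixture("/k echo hello", r"..\..\Windows\System32\cmd.exe")
PADDED_LNK = build_fixture(" " * 200 + "/c powershell -w hidden http://example.invalid/stage2",
                           "cmd.exe")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        flag, reasons, _ = triage_lnk(sample)
        print(label, "SUSPICIOUS" if flag else "clean", reasons)
```

Real shortcuts carry a LinkTargetIDList and LinkInfo before the StringData; the parser skips both by their declared sizes, so the same `triage_lnk` call works on files pulled from a mail gateway quarantine. The padding threshold is deliberately low for the demonstration; padding seen in hidden-argument shortcuts tends to run to hundreds of characters, so tune `MAX_VISIBLE_PADDING` against your own benign baseline before alerting on it.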
Read at Computerworld