Aman Mishra
2025-07-21 16:30:00
gbhackers.com
A new wave of cyber-attacks has emerged, exploiting Windows shortcut files (.LNK) combined with legitimate system utilities collectively known as Living-off-the-Land Binaries and Scripts (LOLBin/S) to deliver the DeerStealer infostealer through highly obfuscated multi-stage chains.
Recent campaigns begin with phishing emails or fraudulent file shares containing weaponized .LNK files camouflaged as seemingly benign documents, often using misleading names such as “Report.lnk” or appearing as PDF icons.
When a victim executes the LNK file, it covertly launches the native Windows binary mshta.exe.
Leveraging MITRE ATT&CK technique T1218.005, mshta.exe is used by adversaries to bypass application controls, endpoint protection, and logging by proxying script execution through a signed, trusted binary native to the Windows OS.
Obfuscation is a key hallmark of this campaign. The LNK file embeds heavily scrambled PowerShell commands, frequently encoded in Base64 or obscured further through wildcard filesystem paths, which disables static signature detection.
The chain of execution proceeds through mshta.exe, which drops and executes additional scripts via cmd.exe and then PowerShell.
Notably, PowerShell dynamically resolves the System32 mshta.exe path at runtime, launches with obfuscated arguments, and disables diagnostic logging and profiling to minimize forensic artifacts.
Dynamic Script Execution
The core malicious payload, DeerStealer, is delivered in the background through a sequence of steps that highlight both technical sophistication and advanced evasive maneuvers.
After the initial dropper stage, the attack uses PowerShell to decode characters in pairs converting hexadecimal representations into ASCII to reconstruct the staged script.
This script, once assembled and executed using PowerShell’s Invoke-Expression (IEX), remains almost invisible until runtime.
Cloaking mechanisms extend into the next stages, where dynamic arrays containing URLs and binaries are obfuscated and resolved only in memory.
This not only thwarts conventional detection methods, but also keeps the infrastructure agile and resilient.
To minimize suspicion, DeerStealer downloads a benign-looking PDF document, presented to the user via Adobe Acrobat, which hides ongoing background activity.
Simultaneously, the core information stealer executable is written silently to the victim’s AppData directory and launched without visible prompts.
The malware thereafter persists on the system by amending registry keys or creating scheduled tasks, ensuring it can survive reboots and remain resident on the host.
ANY.RUN Sandbox Analysis
Dynamic sandboxing tools such as ANY.RUN have proved crucial in deconstructing the full execution graph of such evasive malware.
Using process tracing and memory instrumentation, analysts have tracked the flow from LNK execution, through mshta.exe and PowerShell decoding, all the way to data exfiltration.
Notably, DeerStealer employs anti-sandbox and anti-VM checks to thwart basic analysis, only activating its malicious routines on legitimate hardware.
DeerStealer specializes in harvesting a broad range of data: credentials from browsers and instant messaging clients, cryptocurrency wallets across numerous blockchains, and sensitive autofill data.
Exfiltrated payloads are compiled into encrypted containers, sent to remote command and control (C2) servers frequently protected by proxy domains a further layer of operational security.
Mitigation and detection in enterprise environments is especially challenging, given the abuse of signed Windows binaries, selective disabling of PowerShell logging, and highly diversified payload delivery routes.
Security organizations are encouraged to monitor for atypical mshta or PowerShell invocations, track child process trees, enable AMSI (Antimalware Scan Interface) integration, and scrutinize outbound network traffic for anomalies.
Indicators of Compromise (IoC)
| Type | Value |
|---|---|
| Malicious URL | https://tripplefury[.]com/ |
| SHA-256 Hash | fd5a2f9eed065c5767d5323b8dd928ef8724ea2edeba3e4c83e211edf9ff0160 |
| SHA-256 Hash | 8f49254064d534459b7ec60bf4e21f75284fbabfaea511268c478e15f1ed0db9 |
Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now
Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.
Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!
Help Power Techcratic’s Future – Scan To Support
If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.
As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!
|
BITCOIN
bc1qlszw7elx2qahjwvaryh0tkgg8y68enw30gpvge Scan the QR code with your crypto wallet app |
|
DOGECOIN
D64GwvvYQxFXYyan3oQCrmWfidf6T3JpBA Scan the QR code with your crypto wallet app |
|
ETHEREUM
0xe9BC980DF3d985730dA827996B43E4A62CCBAA7a Scan the QR code with your crypto wallet app |
Please read the Privacy and Security Disclaimer on how Techcratic handles your support.
Disclaimer: As an Amazon Associate, Techcratic may earn from qualifying purchases.
