Malicious LNK File Posing as Credit Card Security Email Steals User Data

Threat actors have deployed a malicious LNK file masquerading as a credit card company’s security email authentication pop-up to pilfer sensitive user information.

The file, named “card_detail_20250610.html.lnk,” cleverly disguises itself as a legitimate HTML document from a financial institution, exploiting user trust in routine security procedures.

Historically, these actors relied on PowerShell scripts for keylogging and data exfiltration, but this variant shifts to a downloaded DLL for enhanced stealth.

Infection Mechanism

To evade detection, the LNK file executes alongside a decoy file a legitimate HTML document mimicking a credit card authentication interface diverting user attention from the malicious activity.

This represents an evolution from traditional document-based decoys, such as PDFs or Word files, to HTML formats that blend seamlessly with web-based interactions.

Upon execution, the LNK file fetches an additional HTA (HTML Application) file and the bait HTML document from the attacker’s server, storing and running them in the system’s temporary folder.

The bait document displays a convincing pop-up that prompts users to interact, further masking the infection.

The HTA script then generates a malicious DLL named “sys.dll” and a text file “user.txt” containing URLs for further payloads, placing them in the C:\Users{username}\AppData\Local directory.

This DLL is invoked via rundll32.exe, initiating the core malicious behaviors. By referencing the URLs in user.txt, sys.dll downloads three additional DLLs app, net, and notepad.log employing Reflective DLL Injection to map them directly into memory.

This technique, prevalent in advanced malware, bypasses disk-based forensics and complicates endpoint detection and response (EDR) systems.

Notably, the “app” DLL is injected into an active chrome.exe process, enabling persistent operations within a trusted browser environment.

Malware Functions

The downloaded components exhibit specialized infostealer and backdoor capabilities.

The “app” DLL targets browser data from Chrome, Brave, and Edge, extracting credentials, cookies, and session information.

Complementing this, the “net” DLL broadens the scope by harvesting data from Chrome, Opera, Firefox, as well as services like Google, Yahoo, Facebook, and Outlook, focusing on login artifacts and email contents.

Meanwhile, “notepad.log” functions as a multifaceted backdoor, capable of executing remote shell commands, compiling file lists, exfiltrating documents, downloading additional files, and transmitting keylogging data.

Keylogging outputs are stored in the C:\Users{username}\AppData\Local\netkey directory, with traces also observable in memory, as evidenced by ASEC’s analysis of captured samples.

This campaign underscores the escalating sophistication of LNK-based attacks, where adversaries impersonate reputable organizations to lure executions.

Users are advised to scrutinize unexpected files, enable advanced threat protection, and verify sources before interaction.

ASEC notes that such malware distributions are ongoing, with techniques refining to exploit human psychology and system vulnerabilities.

Indicators of Compromise (IOCs)

Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!