Answer Brief
AhnLab identifies a campaign distributing malicious LNK files masquerading as personal information consent forms to execute fileless PowerShell scripts, establish persistence via Windows Task Scheduler, deploy info-stealers and backdoors, and use decoy documents to evade detection, with observed TTP overlaps to Kimsuky-like activity.
Signal Timeline
A quick visual path for analysts before reading the full brief.
1. AhnLab identifies malicious LNK files disguised as privacy consent forms in circulation
2. Malicious LNK executes obfuscated PowerShell to download and run additional scripts
3. Attacker creates decoy documents and deletes original LNK to evade detection
4. Downloader and info-stealer scripts deployed via legitimate web services
Why It Matters
The malicious LNK file campaign detected by AhnLab represents a sophisticated social engineering operation that weaponizes user trust in routine administrative documents by naming malicious shortcuts to mimic personal information consent forms, a file type commonly encountered in corporate, government, and healthcare workflows across South Korea. This tactic significantly lowers the psychological barrier to execution, particularly in environments where such forms are regularly distributed via email, internal portals, or document management systems, making accidental execution by employees accustomed to processing such paperwork more likely. The attack’s effectiveness is amplified by the use of Korean-language lures, which align with local user expectations and reduce scrutiny, making it a regionally optimized threat that may not translate identically to other linguistic contexts.
Technically, the infection chain begins with the execution of the LNK file, which does not contain the payload directly but instead triggers an obfuscated PowerShell script designed to operate entirely in memory, a fileless execution technique that avoids writing detectable artifacts to disk and thereby complicates traditional antivirus scans and forensic analysis. This approach reflects a broader attacker trend toward living-off-the-land binaries and scripts (LOLBAS) and memory-resident malware to enhance stealth and prolong dwell time. The initial PowerShell script then generates two additional scripts in the user’s profile directory: one functioning as a downloader that retrieves encoded payloads from legitimate web services (such as cloud storage or public repositories), and another as a loader responsible for executing the downloader. By leveraging trusted external infrastructure for hosting malicious content, the attacker blends malicious traffic with normal background noise, reducing the likelihood of detection by network monitoring tools that rely on reputation-based filtering or known-bad IP lists.
Technical Signal
The downloader script extracts and executes embedded encoded data, which the attacker can modify at will, enabling dynamic payload delivery under a consistent infection vector. This capability allows the campaign to evolve its secondary payloads—such as ransomware, spyware, or additional backdoors—without changing the initial LNK lure, thereby enhancing campaign resilience and evasion. Observed variants of this script show code obfuscation and frequent re-encoding, suggesting active maintenance and adaptation by the threat actor to bypass signature-based defenses.
Persistence is achieved through the abuse of Windows Task Scheduler, where the loader script is configured to execute at predefined intervals or upon system events such as user logon or system reboot. This ensures the backdoor remains active across sessions, enabling continuous access for data exfiltration, command-and-control (C2) communication, or the deployment of additional malware stages. The scheduler’s legitimate function as a system automation tool makes it a prime target for abuse, and its use here underscores the importance of monitoring scheduled task registrations—particularly those pointing to scripts in non-system directories like user AppData or profile folders—as part of routine endpoint hygiene.
Operational Impact
A critical evasion tactic involves the dynamic generation and execution of a decoy document that visually mimics the expected consent form. When the user double-clicks the LNK file, this decoy is silently launched to create the impression of a normal document opening, effectively masking the malicious PowerShell activity occurring in the background. After the decoy is displayed, the original LNK file is deleted, removing an obvious indicator of compromise (IoC) and further hindering detection by users or security tools that rely on the file’s presence. This multi-layered deception, combining social engineering, fileless execution, decoy deployment, and self-deletion, significantly increases the malware’s dwell time and reduces the likelihood of user-reported incidents.
The info-stealer component conducts comprehensive reconnaissance, collecting a wide array of system and environmental data including installed security products (to assess defense posture), operating system version, network configuration (including IP address and DNS settings), drive information, recently accessed or modified files, and currently running processes. This data enables the attacker to build a detailed profile of the victim environment, informing decisions about follow-on actions such as lateral movement, privilege escalation, ransomware deployment, or targeted data exfiltration. For example, knowledge of installed security solutions can help the attacker avoid detection or select evasion techniques tailored to specific endpoints, while network details may reveal opportunities for internal scanning or C2 communication via trusted channels.
What To Watch
Notably, the info-stealer’s behavior exhibits structural and operational similarities to past campaigns attributed to the Kimsuky threat group, particularly in its use of legitimate external services for data staging and exfiltration, its focus on systematic environmental reconnaissance, and its reliance on obfuscated PowerShell scripts delivered via social engineering lures. While AhnLab does not assert direct attribution, the observed TTP overlap suggests either convergent evolution among threat actors or possible reuse of tools, infrastructure, or operational knowledge. This resemblance is significant given Kimsuky’s known focus on South Korean entities and its history of leveraging similar lure themes, such as fake documents related to employment, taxation, or compliance.
For defenders, this incident underscores the necessity of moving beyond traditional email attachment scanning and adopting a layered defense strategy. Organizations should monitor for unexpected LNK file execution, especially LNK files with document-like names in Korean or other local languages, and routinely audit PowerShell transcription logs, task scheduler entries for suspicious scripts, and outbound connections to unfamiliar or dynamically hosted domains. User training must emphasize verifying both file extensions and senders, even when filenames appear legitimate or familiar. In enterprise environments, endpoint detection and response (EDR) systems should be tuned to detect fileless PowerShell abuse, anomalous script generation in user directories, and irregular task scheduler registrations, particularly those executing from non-standard paths or with high frequency.
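One way to hunt for the scheduled-task persistence pattern described above (a script host launched from a user-profile path, or on a tight repetition interval), as an added example that is not AhnLab's code or taken from the report: it enumerates local tasks with the built-in ScheduledTasks module. The script-host list, the path patterns and the 60-minute threshold are assumptions to tune per environment.

```powershell
# Hunt for scheduled tasks whose action launches a script host from a user-profile
# path or on a short repetition interval. Added example, not AhnLab's code.
# Assumptions: run in an elevated PowerShell session on Windows 8 / Server 2012 or
# later (ScheduledTasks module); regexes and threshold below are illustrative.

$scriptHosts      = 'powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|cmd\.exe'
$userPathRegex    = '(?i)\\Users\\[^\\]+\\|AppData\\|%APPDATA%|%USERPROFILE%|%LOCALAPPDATA%|%TEMP%'
$maxRepeatMinutes = 60   # flag repetition intervals shorter than this (assumed threshold)

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only exec actions carry Execute/Arguments; skip COM-handler or e-mail actions
        if (-not $action.Execute) { continue }
        $cmdLine = "$($action.Execute) $($action.Arguments)"

        $hostMatch = ($cmdLine -match $scriptHosts)
        $pathMatch = ($cmdLine -match $userPathRegex) -or ($action.WorkingDirectory -match $userPathRegex)

        # Repetition.Interval is an ISO 8601 duration such as PT30M; absent when not repeating
        $fastRepeat = $false
        foreach ($trig in $task.Triggers) {
            $interval = $trig.Repetition.Interval
            if ($interval) {
                $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
                if ($span.TotalMinutes -lt $maxRepeatMinutes) { $fastRepeat = $true }
            }
        }

        if ($hostMatch -and ($pathMatch -or $fastRepeat)) {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                Author      = $task.Author
                CommandLine = $cmdLine
                UserPath    = $pathMatch
                FastRepeat  = $fastRepeat
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
            }
        }
    }
}

$findings | Sort-Object TaskPath, TaskName | Format-Table -AutoSize
```

Review each hit against the task's Author and the referenced script before acting; legitimate software updaters also register frequent tasks, so the value of the query is in the combination of script host, user-profile path and cadence rather than any single field.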
From a monitoring perspective, teams with operational exposure in South Korea should correlate internal telemetry—such as help-desk tickets, endpoint alerts, mail gateway detections, identity anomalies, blocked downloads, command-line activity, and suspicious script execution—with the behaviors described in the source. A match does not confirm attribution but can justify deeper investigation and tuning of detection rules. Over time, tracking whether similar malware families, delivery chains, file types, infrastructure choices, or attacker workflows appear across multiple South Korean sources can help distinguish isolated incidents from emerging regional trends, enabling more strategic threat intelligence allocation.
For organizations in government, finance, technology, healthcare, energy, and defense sectors operating in or with ties to South Korea, the recommended next step is not to treat this as an immediate incident-response trigger but to validate local exposure, identify relevant logs and monitoring points that would capture similar behavior, confirm the retention of official source links for reference, and determine whether the report warrants inclusion in a regional risk watchlist, detection backlog, or executive briefing on East Asia cyber threats. This approach ensures that the intelligence is used proportionally and contextually, avoiding overreaction while maintaining vigilance against a tactically sophisticated and regionally adaptive threat.
Event Type: security
Importance: high
Affected Companies
- AhnLab
Affected Sectors
- Cybersecurity
- Defense
- Energy
- Finance
- Government
- Healthcare
- Information Technology
- Technology
Key Numbers
- Number of observed malicious LNK variants: 6
- Primary infection vector: Disguised as personal information consent forms
- Persistence mechanism: Windows Task Scheduler registration
- Execution technique: Fileless PowerShell execution
- Data collected by info-stealer: Security product info, OS details, network settings, IP, drive info, recent files, running processes
- Backdoor capability: Decodes and loads malicious code into memory for remote access
Timeline
- AhnLab identifies malicious LNK files disguised as privacy consent forms in circulation
- Malicious LNK executes obfuscated PowerShell to download and run additional scripts
- Attacker creates decoy documents and deletes original LNK to evade detection
- Downloader and info-stealer scripts deployed via legitimate web services
- Backdoor loader establishes persistence via Windows Task Scheduler for repeated execution
Frequently Asked Questions
How does the malicious LNK file trick users into execution?
The LNK file uses a filename mimicking a legitimate personal information consent form, exploiting user trust in routine workplace documents to induce execution without suspicion.
What techniques does the malware use to avoid detection after execution?
The malware employs fileless execution via PowerShell, creates legitimate-looking decoy documents, deletes the original LNK file, and uses obfuscated scripts to hide malicious activity in memory and bypass traditional antivirus scans.
How does the attacker maintain persistence on infected systems?
The attacker registers a loader script in the Windows Task Scheduler to ensure repeated execution even after reboot, allowing the backdoor to remain active and receive further commands over time.
What data does the info-stealer component collect from infected systems?
The info-stealer gathers installed security product details, OS version, network configuration, IP address, drive information, recently modified files, and currently running processes to assess the victim environment and plan follow-on attacks.
What connection exists between this campaign and known threat actors?
The info-stealer’s behavior resembles past activities attributed to the Kimsuky group, particularly in its use of external services for data exfiltration and similar reconnaissance patterns, though AhnLab does not confirm direct attribution.