Trojan:Win32/WinLNK.AMCD

The technical process behind Trojan:Win32/WinLNK.AMCD infection starts with threat actors using sophisticated methods to deliver the initial malicious shortcut to the target device. One approach exploits the OAuth 2.0 protocol used by major identity providers. The threat actor creates a malicious application within their own tenant and configures the redirect URI to point to a server hosting the WinLNK payload. The target receives a phishing email with a link that initiates the OAuth flow. If the target is already authenticated with the provider, the browser silently completes the authorization and redirects to the threat actor's server, triggering an automatic download of a ZIP file containing the shortcut. This technique bypasses many network filters because the initial traffic goes to a legitimate, trusted domain. 

Another delivery method abuses search engine advertising platforms. In some campaigns, threat actors purchase advertisements on Google Ads and other services. They target keywords related to popular software, government services, or business tools. The ads use legitimate click-tracking domains to route victims through a series of redirects before landing on a compromised website that hosts the malicious ZIP file. Threat actors often use the legitimate ad domain ad[.]doubleclick[.]net as part of this redirection chain. This approach places the malicious link at the top of search results and leverages trusted advertising infrastructure to mask the destination. The payloads are often staged on compromised WordPress sites, which also serve as command-and-control points for later infection stages. 

The malicious .lnk file itself is carefully crafted to deceive users. Threat actors use icon smuggling to make the shortcut appear harmless. By setting the icon path to a legitimate Windows library like imageres.dll and specifying a specific icon index, the shortcut displays a text document or PDF in File Explorer. The file's target path points to a trusted Windows binary, almost always powershell.exe or cmd.exe. The command-line arguments passed to PowerShell contain heavily obfuscated malicious logic. Obfuscation techniques include randomizing the case of .NET class names, using pseudo-random strings for variable names to complicate pattern matching, and condensing the entire script into a single line. The shortcut properties also set up the PowerShell window to launch in a minimized or hidden state, so the user does not observe the script launch. The initial launch often creates a temporary LNK file at %TEMP%\test10.lnk, and delivery containers typically appear as compressed archives at %USERPROFILE%\Downloads*.zip containing the malicious shortcut. 

The PowerShell script triggered by the shortcut typically does not deploy the final payload directly. Instead, it acts as a stager that downloads a second-stage loader. This loader is often an AutoIt script along with a legitimate AutoIt interpreter. The AutoIt script is disguised as a PDF file to further the deception. Its main function is to decrypt and inject the final malware payload directly into the memory of a legitimate Windows process. This fileless launch method leaves minimal forensic evidence on the physical disk. Staging scripts and AutoIt binaries often reside in %LOCALAPPDATA%\Microsoft\Windows\INetCache\ as cached files downloaded during the infection chain. 

One prevalent payload delivered via WinLNK is a remote access trojan (RAT). After injection into memory, a RAT establishes communication with its command-and-control infrastructure, frequently hosted on the same compromised WordPress sites used for initial staging. The RAT provides comprehensive device management capabilities, including process manipulation, file operations, and data exfiltration. Threat actors can also use it as a downloader for additional malicious modules. The malware establishes persistence through variable-named entries in both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run. 

Another variant delivers ransomware. After launching, the WinLNK enumerates user files and applies encryption optimized for speed. It fully encrypts files smaller than 10 megabytes. For files larger than 10 megabytes, it encrypts only the final 10 megabytes to complete the process quickly while still rendering the data inaccessible. It generates a unique AES key for encryption and exfiltrates this key to the threat actor using the legitimate Send-MailMessage PowerShell cmdlet through the SMTP server in[.]mail[.]tm. This exfiltration method blends malicious traffic with standard administrative activity. Payload requests for this variant come from domains including bonimoni[.]xyz and viterwin[.]club. The ransomware leaves DECRYPT_INSTRUCTION.html files containing ransom demands and encrypts user files with .tmp extensions throughout user directories. The email addresses 244zita@mechanicspedia[.]com and kit8280@punkproof[.]com receive exfiltrated ransomware metadata and serve as threat actor contact points. Some campaigns use encrypted communication for ransom negotiation. 

Some WinLNK campaigns use DLL sideloading to deliver the PlugX malware. The threat actor drops a legitimate signed binary, such as steam_monitor.exe signed by Valve, alongside a malicious DLL named crashhandler.dll. When the signed binary runs, it loads the DLL from its local directory because it expects to find a component with that name. Windows loads the malicious code into the process space of the trusted application, allowing the malware to run under the guise of a signed process. This technique significantly reduces the likelihood of behavioral detection. The PlugX variant establishes persistence through a Steam Monitor entry in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and uses the IP address 103[.]164.203[.]204 for command-and-control communication over port 443.