Attackers Use Windows Shortcut Files to Deliver Global

A malware-as-a-service platform active for over a decade, the Phorpiex botnet has resurfaced, impacting the cyber threat landscape.

In a recent high-volume campaign, attackers are distributing phishing emails with the deceptive subject line “Your Document.”

These emails urge recipients to open an attachment that appears to be a harmless ZIP file containing a document. However, this is a calculated trap designed to deploy Global Group ransomware, a successor to the Mamona ransomware family.

The attack vector relies heavily on social engineering and the abuse of Windows Shortcut (LNK) files.

Attackers disguise these malicious shortcuts as legitimate documents by employing double extensions, such as “Document.doc.lnk.”

Because Windows often hides file extensions by default, unsuspecting users believe they are opening a standard Word file.

To further the illusion, the shortcut utilizes a standard icon from legitimate Windows resources, significantly reducing user suspicion and increasing the likelihood of a successful infection.

Forcepoint researchers identified the malware and noted that the infection process is designed for stealth and speed.

Once a victim clicks the malicious shortcut, it silently executes commands in the background.

The shortcut launches the Windows Command Processor, which subsequently invokes PowerShell to download a secondary payload from a remote server.

This payload, often named to resemble a Windows driver, is the Global Group ransomware itself. The entire process leverages “Living off the Land” techniques, using built-in system tools to avoid triggering traditional security alarms.

A Silent and Autonomous Threat

The most alarming aspect of Global Group ransomware is its ability to operate in a fully “mute” mode.

Unlike traditional ransomware that communicates with a central command-and-control server to retrieve encryption keys, this variant performs all its activities locally on the compromised machine.

It generates the encryption key directly on the host system, allowing it to execute successfully even in offline or air-gapped environments.

This autonomy makes it particularly dangerous, as it bypasses network-based detection systems that look for suspicious outbound traffic.

Furthermore, the malware employs aggressive anti-forensic tactics to cover its tracks. It uses a ping command as a timer to delay execution slightly before deleting its own binary from the disk.

By removing the initial executable, the attackers complicate post-incident investigations.

The ransomware also hunts for and terminates processes associated with analysis tools and databases, ensuring it can encrypt the maximum amount of data without interference.

To stay safe, organizations should block executable attachments like LNK files at the email gateway and prioritize endpoint monitoring.

Since this threat operates offline, behavior-based detection is critical to stopping the encryption process before data is permanently lost.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.