
The infection chain begins with a spear‑phishing email containing a ZIP archive that hides a single malicious .lnk file. Upon execution, the shortcut launches Microsoft Edge.
It opens a legitimate‑looking domain, anydesk[.]com, to distract the user while silently fetching a secondary payload from a lookalike domain, anydesck[.]net.
This background activity downloads a malicious MSI installer intended to establish persistence and deploy the final payload.
Analysts detected the behavior through Windows Installer event logs, specifically Application Event ID 11708, which signaled an installation failure when executed under a non‑privileged account. Systems with users who had administrative privileges likely experienced a full infection without a visible alert.
Infection Flow and Payload Analysis
If successful, the MSI file creates a temporary folder under %LOCALAPPDATA%\Temp\MW-<UUID>\files.cab, extracts its contents, and deploys an additional binary masquerading as dwm.exe within %LOCALAPPDATA%\Microsoft\Windows.
The file acts as the command‑and‑control (C2) beacon used by MastaStealer to maintain persistence and exfiltrate stolen data.
The deployment process also runs a PowerShell command to modify Windows Defender settings. The attacker script runs:
Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Local\Microsoft\Windows\dvm.exe"
This effectively whitelists the malware directory, suppressing Defender’s real‑time scanning and allowing later-stage payloads to operate undetected.
Traffic analysis revealed outbound connections to two C2 domains, cmqsqomiwwksmcsw[.]xyz (38[.]134[.]148[.]74) and ykgmqooyusggyyya[.]xyz (155[.]117[.]20[.]75).
The communication pattern is consistent with previous MastaStealer infections that employ lightweight executables built to harvest credentials, browser cookies, and session tokens.
Detection and Mitigation
Organizations detected the campaign through correlated event log patterns, primarily MSI installation errors combined with PowerShell execution traces. Analysts recommend enabling advanced logging for Windows Installer and PowerShell event channels to spot suspicious activity early.
Defenders should also monitor for creation of unknown exclusions in Windows Defender via the registry or PowerShell, as these changes are frequently leveraged by modern stealers to bypass endpoint protection.
Blocking MSI downloads from untrusted sources and restricting the execution of LNK files originating from email attachments can significantly reduce exposure.
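As an added illustration of the correlation the article describes (this is not code from the original report or its analysts), the following Python joins the three signals named above: a Windows Installer event from the Application log, a PowerShell script block containing Add-MpPreference -ExclusionPath, and a Windows Defender configuration-change record. The log records are constructed for the example; Event IDs 4104 (PowerShell script block logging) and 5007 (Defender configuration change) are standard Windows identifiers, but the message texts are approximations, and the 10-minute window, the user-writable path heuristic and the severity labels are arbitrary choices for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Fields mirror what a SIEM
# normalises from the Application log (MsiInstaller), the
# Microsoft-Windows-PowerShell/Operational channel (script block logging, 4104)
# and the Microsoft-Windows-Windows Defender/Operational channel (5007).
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:01:12", "host": "ws-17", "event_id": 11707,
     "message": "Product: Update Installer -- Installation operation completed successfully."},
    {"ts": "2025-01-10T09:01:40", "host": "ws-17", "event_id": 4104,
     "message": 'Add-MpPreference -ExclusionPath "C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\dvm.exe"'},
    {"ts": "2025-01-10T09:01:41", "host": "ws-17", "event_id": 5007,
     "message": "Windows Defender configuration has changed. New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender"
                "\\Exclusions\\Paths\\C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\dvm.exe = 0x0"},
    {"ts": "2025-01-10T11:30:00", "host": "ws-22", "event_id": 4104,
     "message": 'Add-MpPreference -ExclusionPath "C:\\Program Files\\Vendor\\app"'},
    {"ts": "2025-01-10T12:05:00", "host": "ws-31", "event_id": 11708,
     "message": "Product: Legit Tool -- Installation failed."},
]

MSI_IDS = {11707, 11708}  # MsiInstaller: installation completed / installation failed
EXCLUSION_CMD = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process)\s+"
    r"(?:\"([^\"]+)\"|'([^']+)'|(\S+))", re.I | re.S)
EXCLUSION_REG = re.compile(r"Exclusions\\(?:Paths|Processes)\\(.+?)\s*=", re.I)
# Heuristic: locations an unprivileged user can write to (assumption for this example).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.I)


def exclusion_path(ev):
    """Return the excluded path recorded by a 4104 script block or a 5007 config change, else None."""
    if ev["event_id"] == 4104:
        m = EXCLUSION_CMD.search(ev["message"])
        if m:
            return next(g for g in m.groups() if g)
    elif ev["event_id"] == 5007:
        m = EXCLUSION_REG.search(ev["message"])
        if m:
            return m.group(1).strip()
    return None


def is_user_writable(path):
    return bool(USER_WRITABLE.search(path))


def correlate(events, window=timedelta(minutes=10)):
    """Raise alerts for Defender exclusions, escalated when they target user-writable
    paths or sit close to an MSI install on the same host; also surface 11708 failures."""
    alerts, seen = [], set()
    msi_by_host = {}
    for ev in events:
        if ev["event_id"] in MSI_IDS:
            msi_by_host.setdefault(ev["host"], []).append(ev)
    for ev in events:
        path = exclusion_path(ev)
        if path is None:
            continue
        key = (ev["host"], path.lower())
        if key in seen:  # 4104 and 5007 for the same change collapse into one alert
            continue
        seen.add(key)
        t = datetime.fromisoformat(ev["ts"])
        nearby = [m for m in msi_by_host.get(ev["host"], [])
                  if abs(datetime.fromisoformat(m["ts"]) - t) <= window]
        reasons = []
        if is_user_writable(path):
            reasons.append("exclusion targets a user-writable path")
        if nearby:
            reasons.append(f"MsiInstaller event {nearby[0]['event_id']} within {window}")
        alerts.append({"host": ev["host"], "ts": ev["ts"], "path": path,
                       "severity": "high" if reasons else "low",
                       "reason": "; ".join(reasons) or "unrecognised Defender exclusion, review"})
    for host, evs in msi_by_host.items():
        for m in evs:
            if m["event_id"] == 11708:  # the failed-install signal the article reports
                alerts.append({"host": host, "ts": m["ts"], "path": None, "severity": "low",
                               "reason": "MSI installation failed (11708); check installer origin"})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a['severity']:4}] {a['host']} {a['ts']} {a['path']}: {a['reason']}")
```

Run against the constructed records, ws-17 produces a single high-severity alert (exclusion under AppData right after an MSI install), ws-22 a low-severity review item for an exclusion in Program Files with no installer activity nearby, and ws-31 a low-severity note for the 11708 failure. Deduplicating on (host, path) keeps the PowerShell and Defender records of one change from double-alerting.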
The campaign underscores the persistent effectiveness of Windows LNK exploitation in social‑engineering attacks.
By blending legitimate visual cues with stealthy background activity, MastaStealer continues to refine its defensive evasion tactics and remains a threat to enterprise environments relying solely on default system protections.
The post MastaStealer Abuses Windows LNK Files to Run PowerShell and Bypass Defender appeared first on Cyber Security News.
