Pulse name: New Malware Campaign Uses LNK Files to Deliver REMCOS Backdoor
TLP: WHITE | Author: CODERED_VTA | Created: 2025-08-04 | Modified: 2025-09-03
15 IOCs, medium volume
A recent surge in malware attacks has been observed, exploiting Windows shortcut (LNK) files to deploy the REMCOS backdoor. Attackers disguise these shortcuts as harmless documents or folders, taking advantage of Windows’ default setting to hide file extensions.
Indicators of Compromise (15)
TYPE             INDICATOR                                                          DESCRIPTION                                                                 CREATED
FileHash-MD5     560682cdcf395b5eb95487c7ef65c63e                                   MD5 of e444d001f2b69259f7845a5ffe9a44113d90e382                             2025-08-04
FileHash-MD5     8dfd65a4a301df30212fb84caec3f380                                   MD5 of 8bc668fd08aecd53747de6ea83ccc439bdf21b6d9edf2acafd7df1a45837a4e1     2025-08-04
FileHash-MD5     ae8066bd5a66ce22f6a91bd935d4eee6                                   MD5 of d2f97077fcf7e340a4262fa944ab13f133aa4e58                             2025-08-04
FileHash-SHA1    b5e8c03f1ae874cacb5c593f7e26008f840d3c85                           SHA1 of 8bc668fd08aecd53747de6ea83ccc439bdf21b6d9edf2acafd7df1a45837a4e1    2025-08-04
FileHash-SHA1    d2f97077fcf7e340a4262fa944ab13f133aa4e58                                                                                                       2025-08-04
FileHash-SHA1    e444d001f2b69259f7845a5ffe9a44113d90e382                                                                                                       2025-08-04
FileHash-SHA256  506ecb76cf8e39743ec06129d81873f0e4c1ebfe7a352fc5874d0fc60cc1d7c6   SHA256 of d2f97077fcf7e340a4262fa944ab13f133aa4e58                          2025-08-04
FileHash-SHA256  5ec8268a5995a1fac3530acafe4a10eab73c08b03cabb5d76154a7d693085cc2   SHA256 of e444d001f2b69259f7845a5ffe9a44113d90e382                          2025-08-04
FileHash-SHA256  8bc668fd08aecd53747de6ea83ccc439bdf21b6d9edf2acafd7df1a45837a4e1                                                                               2025-08-04
URL              http://malicious.site/payload.hta                                                                                                              2025-08-04
URL              http://shipping-hr.ro/m/r/r.txt                                                                                                                2025-08-04
URL              https://shipping-hr.ro/m/r/r.txt'                                                                                                              2025-08-04
domain           mal289re1.es                                                                                                                                   2025-08-04
domain           malicious.site                                                                                                                                 2025-08-04
domain           shipping-hr.ro                                                                                                                                 2025-08-04