Pulse name: New Malware Campaign Uses LNK Files to Deliver REMCOS Backdoor
WHITE | CODERED_VTA | 2025-08-04 | Modified: 2025-09-03
15 IOCs | MEDIUM VOLUME
A recent surge in malware attacks has been observed that exploits Windows shortcut (LNK) files to deploy the REMCOS backdoor. Attackers disguise these shortcuts as harmless documents or folders, taking advantage of Windows’ default setting of hiding file extensions.
Indicators of Compromise (3 / 15 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-MD5 | 560682cdcf395b5eb95487c7ef65c63e | MD5 of e444d001f2b69259f7845a5ffe9a44113d90e382 | 2025-08-04
FileHash-MD5 | 8dfd65a4a301df30212fb84caec3f380 | MD5 of 8bc668fd08aecd53747de6ea83ccc439bdf21b6d9edf2acafd7df1a45837a4e1 | 2025-08-04
FileHash-MD5 | ae8066bd5a66ce22f6a91bd935d4eee6 | MD5 of d2f97077fcf7e340a4262fa944ab13f133aa4e58 | 2025-08-04