AhnLab Security Intelligence Center (ASEC) has reported a campaign that delivers a malicious LNK file disguised as a credit card security email authentication pop-up.
The file, card_detail_20250610.html.lnk, carries a double extension so that it passes for an HTML document, and the lure impersonates credit card companies to harvest sensitive user data from recipients.
In earlier campaigns of this kind the threat actors relied on PowerShell scripts for keylogging and data exfiltration.
In this operation those roles are instead handled by a malicious DLL.
What distinguishes this incident is the use of a legitimate decoy: an HTML document that is opened alongside the LNK file's payload.
Because the victim sees the pop-up they expected, the malicious activity running underneath is less likely to be noticed.
When the LNK file is launched, it downloads an HTA file and the decoy HTML document from the threat actor's remote server.
Both are written to the system's temp directory and executed from there. The decoy HTML closely resembles a genuine security pop-up from a credit card provider, which sustains the illusion and makes it more likely that the victim lets the chain run to completion.
DLL-Based Payloads
The HTA file then creates two artifacts in the user's AppData\Local directory: a malicious DLL named sys.dll and a text file, user.txt, that holds the URLs from which further components are downloaded.

Utilizing the Windows utility rundll32.exe, the sys.dll file is executed, thereby activating additional malicious behaviors.
Acting on instructions found in user.txt, sys.dll downloads three more DLL files: app, net, and notepad.log.
Each of these is loaded through reflective DLL injection, a technique favored by attackers because it maps the DLL directly into memory without dropping a conventional module on disk, which evades many file-based antivirus and security products.
Notably, the app DLL targets chrome.exe, injecting its code into the browser process to begin data theft immediately.
The main functions of these DLL payloads reflect a broad attack scope. The app DLL facilitates information theft from popular Chromium-based browsers, including Chrome, Brave, and Edge.
The net DLL expands on this by stealing credentials and sensitive data from a variety of browser and online service platforms such as Opera, Firefox, Google, Yahoo, Facebook, and Outlook.
Finally, notepad.log acts as a versatile backdoor enabling remote shell command execution, file listing and exfiltration, file downloads, and keylogging.

Captured keystrokes are stored locally in the user's AppData\Local\netkey directory; keylogging data has also been observed held only in memory, a channel commonly used by advanced infostealers.
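The chain above leaves behaviour that is easy to express as triage rules: a document-plus-.lnk double extension, an HTA run out of the temp directory, rundll32.exe loading a DLL from AppData\Local, and sys.dll, user.txt or netkey files appearing there. The script below is an added example written for this article, not code from ASEC or the report. The event shape and the SAMPLE telemetry are constructed to look like Sysmon-style process and file events; the user name, the .hta file name, the rundll32 export name (Run) and the keystroke file name are invented, and the assumption that the HTA runs under mshta.exe (the default .hta handler) is mine, since the report does not name the host binary.

```python
"""
Triage rules for the LNK -> HTA -> rundll32/sys.dll chain described above.
Added example: the Event shape and SAMPLE telemetry are constructed, not data
from the ASEC report.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" (process creation) or "file" (file creation)
    image: str = ""    # image of the created process, or of the process writing the file
    parent: str = ""   # parent image (process events only)
    cmdline: str = ""  # command line (process events only)
    target: str = ""   # path of the created file (file events only)


LOCALAPPDATA = re.compile(r"\\appdata\\local\\", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_double_extension_lnk(ev: Event) -> bool:
    # Lure style seen here: a document extension in front of .lnk (card_detail_20250610.html.lnk)
    return ev.kind == "file" and re.search(r"\.(html?|pdf|docx?|xlsx?)\.lnk$", ev.target, re.I) is not None


def rule_hta_stage(ev: Event) -> bool:
    # The HTA is fetched from the remote server and run out of the temp directory.
    # mshta.exe is the default .hta handler (assumption: the report does not name the binary).
    if ev.kind != "process" or basename(ev.image) != "mshta.exe":
        return False
    return bool(REMOTE_URL.search(ev.cmdline) or re.search(r'\\temp\\[^\\\s"]+\.hta', ev.cmdline, re.I))


def rule_rundll32_localappdata(ev: Event) -> bool:
    # rundll32.exe loading a DLL that lives under AppData\Local, as with sys.dll
    return ev.kind == "process" and basename(ev.image) == "rundll32.exe" and LOCALAPPDATA.search(ev.cmdline) is not None


def rule_staging_artifact(ev: Event) -> bool:
    # sys.dll / user.txt dropped in AppData\Local, or anything written under AppData\Local\netkey
    if ev.kind != "file" or not LOCALAPPDATA.search(ev.target):
        return False
    if basename(ev.target) in {"sys.dll", "user.txt"}:
        return True
    return re.search(r"\\appdata\\local\\netkey\\", ev.target, re.I) is not None


RULES = {
    "double_extension_lnk": rule_double_extension_lnk,
    "hta_stage": rule_hta_stage,
    "rundll32_localappdata": rule_rundll32_localappdata,
    "staging_artifact": rule_staging_artifact,
}


def triage(events):
    """Return (event index, rule name) for every rule that fires on an event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


# Constructed telemetry: user name, .hta name, rundll32 export and keystroke file
# name are invented; the directories and sys.dll/user.txt/netkey echo the report.
SAMPLE = [
    Event("file", image=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          target=r"C:\Users\v\Downloads\card_detail_20250610.html.lnk"),
    Event("process", image=r"C:\Windows\explorer.exe", parent=r"C:\Windows\System32\userinit.exe",
          cmdline="explorer.exe"),
    Event("process", image=r"C:\Windows\System32\mshta.exe", parent=r"C:\Windows\System32\cmd.exe",
          cmdline=r'mshta.exe "C:\Users\v\AppData\Local\Temp\card.hta"'),
    Event("file", image=r"C:\Windows\System32\mshta.exe", target=r"C:\Users\v\AppData\Local\sys.dll"),
    Event("file", image=r"C:\Windows\System32\mshta.exe", target=r"C:\Users\v\AppData\Local\user.txt"),
    Event("process", image=r"C:\Windows\System32\rundll32.exe", parent=r"C:\Windows\System32\mshta.exe",
          cmdline=r'rundll32.exe "C:\Users\v\AppData\Local\sys.dll",Run'),
    Event("process", image=r"C:\Windows\System32\rundll32.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),   # benign
    Event("file", image=r"C:\Windows\System32\rundll32.exe",
          target=r"C:\Users\v\AppData\Local\netkey\keys.dat"),
    Event("file", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target=r"C:\Users\v\AppData\Local\Google\Chrome\User Data\Default\Cookies"),  # benign
]


if __name__ == "__main__":
    for idx, rule in triage(SAMPLE):
        print(f"[{rule}] event {idx}: {SAMPLE[idx]}")
```

The two benign events are there on purpose: rundll32.exe with a System32 DLL and Chrome writing its own profile under AppData\Local must not fire, otherwise the rundll32 and AppData\Local rules are too noisy to deploy. Note that the chrome.exe injection itself is not visible in process or file events; catching that stage needs image-load or memory-scan telemetry, which this example does not model.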
Sophisticated Social Engineering
According to the report, the campaign exemplifies the ongoing evolution in how attackers combine psychological manipulation with technical sophistication.
Malicious LNK files camouflaged as business documents or email prompts are now a frequent vector, with threat actors increasingly impersonating reputable organizations.
Users and enterprises are advised to heighten their vigilance and adopt proactive defense measures, such as endpoint detection solutions and user education on the dangers of unexpected files, especially those that appear to reference familiar institutions.
Indicators of Compromise (IOC)
| Type | Indicator |
|---|---|
| MD5 | 046aab6c2bcd4f87b70edd14330f326b |
| MD5 | 71105e164f5838049aa9b1c634ab6047 |
| MD5 | 7110882e6d27b3296b1cd261064e4f81 |
| MD5 | 94842649b102b5b7d605d254d3c03008 |
| MD5 | bf13ddd4bbff1aa69976e63cc966addc |
| URL | https://cdn.glitch.global/b33b49c5-5e3d-4a33-b66b-c719b917fa62/app64.log |
| URL | https://cdn.glitch.global/b33b49c5-5e3d-4a33-b66b-c719b917fa62/main64.log |
| URL | https://cdn.glitch.global/b33b49c5-5e3d-4a33-b66b-c719b917fa62/net64.log |
| FQDN | pkkfbv.webhop.me |
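A detail worth getting right when loading this table into a blocklist: cdn.glitch.global is a shared CDN, so its host name alone is not an indicator, whereas pkkfbv.webhop.me is listed as an FQDN and any traffic to it counts. The script below is an added example, not ASEC's code; the IOC table text is copied from this page, while the user.txt-style download list (including the main32.log and /gate paths) and the file contents are constructed for illustration.

```python
"""
Check artifacts against the IOC table above. Added example: the table text is
copied from the page; the user.txt lines and file contents are constructed.
"""
import hashlib
from urllib.parse import urlsplit

IOC_TABLE = """\
| MD5 | 046aab6c2bcd4f87b70edd14330f326b |
| MD5 | 71105e164f5838049aa9b1c634ab6047 |
| MD5 | 7110882e6d27b3296b1cd261064e4f81 |
| MD5 | 94842649b102b5b7d605d254d3c03008 |
| MD5 | bf13ddd4bbff1aa69976e63cc966addc |
| URL | https://cdn.glitch.global/b33b49c5-5e3d-4a33-b66b-c719b917fa62/app64.log |
| URL | https://cdn.glitch.global/b33b49c5-5e3d-4a33-b66b-c719b917fa62/main64.log |
| URL | https://cdn.glitch.global/b33b49c5-5e3d-4a33-b66b-c719b917fa62/net64.log |
| FQDN | pkkfbv.webhop.me |
"""


def parse_ioc_table(text: str) -> dict:
    """Parse 'Type | Indicator' rows into lower-cased sets keyed by type."""
    iocs = {"md5": set(), "url": set(), "fqdn": set()}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and cells[0].lower() in iocs:
            iocs[cells[0].lower()].add(cells[1].lower())
    return iocs


def _dir_of(url: str) -> str:
    """scheme://host/path-without-last-segment: the unit a CDN project is keyed on."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}{p.path.rsplit('/', 1)[0]}/"


def match_urls(iocs: dict, urls) -> list:
    """Classify each URL as an exact IOC URL, a sibling in the same CDN directory,
    a URL on an IOC host, or no hit. The CDN host itself is deliberately not matched."""
    ioc_dirs = {_dir_of(u) for u in iocs["url"]}
    hits = []
    for raw in urls:
        u = raw.strip().lower()
        if not u:
            continue
        host = urlsplit(u).hostname or ""
        if u in iocs["url"]:
            hits.append((raw, "url"))
        elif _dir_of(u) in ioc_dirs:
            hits.append((raw, "url_directory"))
        elif host in iocs["fqdn"]:
            hits.append((raw, "fqdn"))
    return hits


def hash_report(iocs: dict, files: dict) -> dict:
    """MD5 each file body and flag matches against the MD5 indicators."""
    out = {}
    for name, data in files.items():
        digest = hashlib.md5(data).hexdigest()
        out[name] = {"md5": digest, "match": digest in iocs["md5"]}
    return out


# Constructed inputs: a user.txt-style download list and two dummy file bodies.
# main32.log and /gate are invented paths used to show the weaker match classes.
USER_TXT = """
https://cdn.glitch.global/b33b49c5-5e3d-4a33-b66b-c719b917fa62/app64.log
https://cdn.glitch.global/b33b49c5-5e3d-4a33-b66b-c719b917fa62/main32.log
http://pkkfbv.webhop.me/gate
https://cdn.glitch.global/some-other-project/style.css
https://www.example.com/
"""
FILES = {"sys.dll": b"MZ\x90\x00 constructed stand-in, not the real sample", "abc.bin": b"abc"}

if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    for url, why in match_urls(iocs, USER_TXT.splitlines()):
        print(f"{why:14} {url}")
    for name, r in hash_report(iocs, FILES).items():
        print(f"{name}: {r['md5']} match={r['match']}")
```

The "url_directory" class is the useful middle ground: a file served from the same Glitch project path as the listed payloads is very likely another stage of the same campaign even if its name differs, while a different project on the same CDN is not evidence of anything. The hash check is exact-match only; none of the constructed bodies match, which is the expected result for anything other than the actual samples.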