Windows Shortcut Files Exploited by Global Group Ransomware Gang

Categories: AI in Marketing / AI in Science / AI Security
February 11, 2026, by Artimouse Prime

Cybercriminals are still finding ways to exploit Windows shortcut (.lnk) files, even after Microsoft patched a vulnerability last summer. A new wave of phishing campaigns is using these files to spread ransomware, specifically the Global Group ransomware. This shows that attackers continue to target Windows shortcuts as a simple way to trick users and deliver malicious payloads.

New Campaigns Using Weaponized Shortcut Files

Researchers at Forcepoint have identified a high-volume phishing campaign that relies on email attachments with the subject line “Your document.” The attached .lnk files are designed to look harmless but are actually weaponized. When clicked, they silently retrieve and launch a second-stage payload without alerting the user.

According to Lydia McElligott from Forcepoint, the attackers combine social engineering with stealthy execution techniques. They use what’s called Living-off-the-Land (LotL) tactics, which leverage legitimate Windows tools to avoid detection. The campaign has been heavily active throughout 2024 and into 2025, with the subject line “Your document” being a common lure in these large-scale phishing efforts.

Link to Broader Ransomware Trends

This campaign isn’t isolated. Last month, IBM detected a similar attack distributing the Aware ransomware — a variant of the Global Group strain. Both campaigns use the Phorpiex botnet, also known as Trik, to help distribute their malware. Phorpiex has been associated with various malicious activities over the years and is a common tool in cybercriminal operations.

The concern about the .lnk vulnerability dates back to March 2025. Trend Micro reported that thousands of malicious .lnk files containing hidden command-line instructions had been used in campaigns dating back to 2017. Although the specific vulnerability (CVE-2025-9491) was quietly fixed last summer, experts believe current attacks may not be exploiting that flaw directly. McElligott notes that the latest campaigns don’t seem to rely on hidden properties within the shortcut files themselves.

Understanding the Role of .lnk Files in Attacks

A Windows shortcut (.lnk) is simply a link that points to a file, folder, or application. Attackers can manipulate these files to execute malicious code when clicked. They often disguise these shortcuts as normal documents by adding double extensions like “Document.doc.lnk” and relying on Windows’ default setting to hide known file extensions. This tricks users into thinking they are opening a regular file, unaware that clicking the shortcut will execute harmful code.

Forcepoint’s Lydia McElligott explains that .lnk files are still one of the easiest ways for cybercriminals to turn a single click into malicious activity. Because they are so simple to create and manipulate, attackers frequently use them in phishing emails to deliver malware silently. This makes training users to recognize suspicious files more important than ever.
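The shortcut mechanics described above can be checked statically before a user ever clicks. The following is an added example written for this article, not tooling from Forcepoint, Trend Micro or anyone tracking Global Group: it parses the 76-byte header and the StringData section of the Shell Link format (MS-SHLLINK) and then flags the indicators the article mentions, namely a document-style double extension, a target that is a built-in Windows command or script host (living off the land), long whitespace padding that pushes the real command line out of the Properties dialog, and a ShowCommand that starts the window hidden. The LOLBin list, thresholds, token pattern and the two sample .lnk blobs are constructed here and are assumptions, not indicators taken from the campaign.

```python
"""Static triage of .lnk attachments (added example; lists and thresholds are assumptions)."""
import re
import struct

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk little-endian layout
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that launches the target with a hidden window

# StringData fields appear in this fixed order, each present only when its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed triage lists and thresholds (not from the article)
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
DOC_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png")
PADDING_RUN = 50  # whitespace run long enough to hide what follows in the Properties dialog
SUSPICIOUS_TOKENS = re.compile(
    r"(?i)(-w(indowstyle)? hidden|-enc|frombase64string|iex|invoke-expression|downloadstring|https?://)")


def parse_lnk(data: bytes) -> dict:
    """Return header fields and StringData strings from a .lnk blob."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_command,) = struct.unpack_from("<I", data, 60)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the IDList
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes itself
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    info = {"flags": flags, "show_command": show_command}
    for flag, field in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, off)  # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            info[field] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[field] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return info


def triage(filename: str, data: bytes) -> list:
    """Return human-readable indicators for one attachment (empty list means nothing flagged)."""
    info = parse_lnk(data)
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(DOC_EXTENSIONS):
        findings.append("double extension: shortcut named like a document")
    target = info.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in LOLBINS:
        findings.append(f"target is a living-off-the-land binary: {target}")
    args = info.get("arguments", "")
    if args:
        longest_ws = max((len(run) for run in re.findall(r"\s+", args)), default=0)
        if longest_ws >= PADDING_RUN:
            findings.append(f"argument padding: {longest_ws} consecutive whitespace characters")
        if SUSPICIOUS_TOKENS.search(args):
            findings.append("script-host tokens in arguments")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand SW_SHOWMINNOACTIVE: window starts hidden")
    return findings


def build_lnk(show_command: int = 1, id_list: bytes = None, **strings) -> bytes:
    """Construct a minimal Unicode .lnk blob as sample input for this example."""
    flags, body = IS_UNICODE, b""
    if id_list is not None:
        flags |= HAS_LINK_TARGET_ID_LIST
        body += struct.pack("<H", len(id_list)) + id_list
    for flag, field in STRING_FIELDS:
        value = strings.get(field)
        if value:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body


# Constructed samples: a plain notepad shortcut and one laid out the way the article describes
# (document-style name, cmd.exe target, padded arguments, hidden window). The second-stage
# command is a placeholder, not a real payload.
BENIGN_LNK = build_lnk(name="Notes", relative_path=r"..\..\..\Windows\System32\notepad.exe",
                       working_dir=r"C:\Users\alice\Documents")
SUSPICIOUS_LNK = build_lnk(
    show_command=SW_SHOWMINNOACTIVE,
    id_list=b"\x00\x00",  # IDList holding only the 2-byte TerminalID, to exercise the skip
    relative_path=r"..\..\..\Windows\System32\cmd.exe",
    arguments="/c" + " " * 300 + "powershell -w hidden <SECOND_STAGE_PLACEHOLDER>",
    icon_location=r"%SystemRoot%\System32\shell32.dll",
)

if __name__ == "__main__":
    for fname, blob in (("Notes.lnk", BENIGN_LNK), ("Your document.doc.lnk", SUSPICIOUS_LNK)):
        print(fname, "->", triage(fname, blob) or ["no indicators"])
```

Run against a quarantined attachment with `triage(attachment_name, open(path, "rb").read())`; a mail gateway or sandbox can apply the same checks on the raw bytes, so the user's default of hidden extensions never comes into play.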

What Is Global Group and Its Growing Threat

Global Group is a ransomware-as-a-service (RaaS) operation that appeared in June 2025. Many experts believe it’s a rebrand of previous operations like BlackLock and Mamona. In its first month, it claimed about 17 victims across different industries and parts of the world. The group operates a leak site on the Tor network, where it threatens to publish stolen data unless ransoms are paid.

Interestingly, the real IP address of the leak site was linked to a Russian VPS provider previously used by the Mamona gang. While Global Group has shown rapid growth, McElligott notes that it’s not yet as prolific as some of the most active ransomware groups. Still, its emergence shows how quickly these operations can evolve and adapt their tactics.

Overall, these campaigns highlight the ongoing risks posed by malicious .lnk files and the importance of cybersecurity awareness. Organizations need to stay vigilant, train employees to spot suspicious emails, and keep their security tools updated to defend against these evolving threats.


Artimouse Prime

Artimouse Prime is the synthetic mind behind Artiverse.ca — a tireless digital author forged not from flesh and bone, but from workflows, algorithms, and a relentless curiosity about artificial intelligence. Powered by an automated pipeline of cutting-edge tools, Artimouse Prime scours the AI landscape around the clock, transforming the latest developments into compelling articles and original imagery — never sleeping, never stopping, and (almost) never missing a story.
