Attack chain | Image: Forcepoint
A high-volume phishing campaign has been spotted in the wild, reviving an old but effective tactic to deliver the Phorpiex botnet. Forcepoint researchers have observed a wave of emails with the subject line “Your Document,” a simple lure that has proven surprisingly resilient throughout 2024 and 2025.
The campaign relies on a weaponized Windows Shortcut (.LNK) file disguised as a harmless document to gain an initial foothold on victim machines.
The attack chain begins with a phishing email containing a ZIP attachment. Inside is not a Word document or PDF, but a malicious .LNK file.
“In inboxes, a .lnk can be disguised as a normal document by using double extensions (for example, Document.doc.lnk) and relying on Windows default settings that hide known file extensions,” the report explains.
To the average user, the file looks legitimate. Attackers further the deception by borrowing icons from trusted Windows resources like shell32.dll, making the shortcut appear as a standard document file type.
Once clicked, the shortcut executes a PowerShell command that silently retrieves the next stage of the payload. This technique, known as “Living off the Land” (LotL), uses legitimate system tools to carry out malicious actions, making detection difficult for traditional antivirus software.
“By combining social engineering, stealthy execution, and Living-off-the-Land (LotL) techniques, the file silently retrieves and launches a second stage payload without raising suspicion,” Forcepoint notes.
The final payload in this chain is Phorpiex (also known as Trik), a long-standing botnet known for distributing ransomware and cryptominers.
The persistence of .LNK attacks highlights a fundamental gap in user awareness and operating system design. Despite being a known vector for years, the ability to hide file extensions by default in Windows continues to provide cover for attackers.
“Windows shortcut files are still one of the simplest ways to turn a single click into code execution,” the report states.
Organizations are advised to block .LNK files at the email gateway and ensure that Windows is configured to show all file extensions to help users identify suspicious attachments.
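The checks below are an added example, not code from Forcepoint or from the report: a small gateway-side scanner that unpacks a ZIP attachment and flags shortcut files three ways, by a final .lnk extension, by the Document.doc.lnk double-extension pattern the report describes, and by the fixed Shell Link header that every .LNK file starts with, which also catches a shortcut that has been renamed to hide its extension. The list of "document-looking" extensions and the sample ZIP are assumptions constructed for the example.

```python
"""Gateway-side check for Windows shortcut (.LNK) files hidden in ZIP attachments.

Added example; not part of the Forcepoint report. Sample data is constructed.
"""
import io
import struct
import zipfile

# Every Shell Link file starts with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK specification).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_MAGIC = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID

# Assumption: extensions a user would read as "a document" when they see
# Document.doc.lnk with the real .lnk suffix hidden by Explorer.
DOCUMENT_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}


def is_lnk_content(data: bytes) -> bool:
    """True if the bytes carry the Shell Link header, whatever the file is named."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def has_double_extension(name: str) -> bool:
    """True for names like Document.doc.lnk: a document extension directly before .lnk."""
    base = name.lower().rsplit("/", 1)[-1]  # strip any directory inside the archive
    parts = base.split(".")
    return len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in DOCUMENT_EXTENSIONS


def scan_zip(zip_bytes: bytes) -> list:
    """Return [(entry_name, [reasons...])] for every archive entry that looks like a shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Only the first 20 bytes are needed to test for the LNK header.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            reasons = []
            if name.lower().endswith(".lnk"):
                reasons.append("lnk-extension")
            if has_double_extension(name):
                reasons.append("double-extension")
            if is_lnk_content(head):
                reasons.append("lnk-header")
            if reasons:
                findings.append((name, reasons))
    return findings


def should_block(zip_bytes: bytes) -> bool:
    """Gateway verdict: block the attachment if any entry looks like a shortcut."""
    return bool(scan_zip(zip_bytes))


def build_sample_zip() -> bytes:
    """Constructed sample attachment (not a campaign artifact): one benign file, two shortcuts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf", b"%PDF-1.4\n% constructed placeholder, not a real document\n")
        # Disguised shortcut: double extension plus a real Shell Link header.
        zf.writestr("Your Document.doc.lnk", LNK_MAGIC + b"\x00" * (LNK_HEADER_SIZE - len(LNK_MAGIC)))
        # Renamed shortcut: the name hides nothing suspicious, the header still gives it away.
        zf.writestr("notes.txt", LNK_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for entry, reasons in scan_zip(sample):
        print(f"{entry}: {', '.join(reasons)}")
    print("verdict:", "BLOCK" if should_block(sample) else "ALLOW")
```

The header check is the one that matters most at the gateway: the extension-based rules depend on what the sender chose to call the file, while the 20-byte Shell Link header is what Windows itself uses to recognise a shortcut.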