Why LNK-Based Attacks Still Slip Through
In late 2025, Arctic Wolf Labs published research on an espionage campaign targeting diplomatic entities in Belgium, Hungary, and other European countries. The threat actor, a Chinese-affiliated group tracked as UNC6384, used spearphishing emails to deliver weaponized Windows shortcut (LNK) files themed around legitimate European Commission meetings and NATO-related workshops.
When a recipient clicked the shortcut, a hidden PowerShell command launched a multi-stage infection chain that ultimately delivered the PlugX remote access trojan. The campaign exploited ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025 that enables covert command execution by hiding the command behind whitespace padding in a LNK file's command-line arguments.
UNC6384’s use of it was a reminder of a broader problem: shortcut files still look routine to users and often receive less scrutiny than executables or macro-enabled documents. Once a malicious LNK runs, the most dangerous activity often unfolds at runtime through encoded scripts, staged archives, and signed-binary abuse, where static scanning and reputation checks can struggle to keep up.
The campaign has not stopped evolving since. In April 2026, The Hacker News reported that the same threat cluster, tracked across the industry as TA416, had resumed targeting European government and diplomatic organizations from mid-2025 onward, iterating through new delivery methods including OAuth redirect abuse, Cloudflare Turnstile challenge pages, and MSBuild-based execution while continuing to update its PlugX payload.
The Arctic Wolf research this article examines captures one stage in what is now a documented, ongoing operation and shows how MetaDefender Aether and Deep CDR™ Technology together close the gap between detection and prevention.
The UNC6384 Attack Chain
It started with a file most users would never question. The LNK file delivered in this campaign, named "Agenda_Meeting 26 Sep Brussels.lnk," weighed in at just 2.58 KB and referenced an authentic European Commission meeting on facilitating the free movement of goods at EU-Western Balkans border crossing points. This was a real agenda of a real event, with a shortcut that looked routine.
Stage 1: Initial access via malicious LNK
When the recipient double-clicked the shortcut, it silently invoked PowerShell with an obfuscated command that decoded and extracted a tar archive (rjnlzlkfe.ta) to the user's local Temp directory. The PowerShell command then used tar.exe to decompress the archive and launched the contents, while simultaneously opening a decoy PDF showing the actual meeting agenda. The victim saw a document. The attacker gained code execution.

Stage 2: DLL sideloading via a legitimate signed binary
The extracted archive contained three files: cnmpaui.exe, cnmpaui.dll, and cnmplog.dat. The first is a legitimate Canon printer assistant utility, digitally signed by Canon Inc. with a certificate issued by Symantec. The signature is valid because it was timestamped while the certificate was still active, meaning Windows continues to trust the binary even though the certificate itself expired in 2018 (Arctic Wolf).
This is where precision matters. The EXE is not malicious. It is a real Canon utility being abused for a specific purpose: when cnmpaui.exe runs, it searches for cnmpaui.dll in its own directory before checking system paths. By planting a malicious DLL with the same name alongside the legitimate binary, UNC6384 hijacked that search order and loaded their own code inside a trusted process.

Stage 3: Payload decryption and PlugX execution
The malicious cnmpaui.dll is a lightweight loader, just 4 KB in the October 2025 variant, designed to do one thing: decrypt and execute the third file, cnmplog.dat. That file is an RC4-encrypted blob containing the PlugX remote access trojan. The loader decrypts it using a hardcoded 16-byte key and maps the resulting payload directly into the memory space of the legitimate cnmpaui.exe process.
From that point forward, PlugX is running inside a signed, trusted binary. It establishes persistence through a registry Run key named "CanonPrinter," creates hidden directories with names like "SamsungDriver" or "DellSetupFiles" to blend into the environment, and communicates with command-and-control infrastructure over HTTPS on port 443, using randomized URL paths and a spoofed Internet Explorer user-agent string to blend in with normal web traffic.

From the first click to an active backdoor, nothing in this chain looked overtly malicious at first glance, and most of the truly suspicious behavior appeared only at runtime. Each stage was designed to look normal to static inspection and to execute where traditional filters were not looking.
Why Static Defenses Struggle with This Chain
Static defenses struggle with this chain because each stage is designed to look acceptable in isolation. What makes the campaign effective is not one obviously malicious file, but a sequence of trusted-looking components whose real intent only becomes visible at runtime. This pattern is not limited to shortcut files: attackers have also hidden payloads in seemingly innocuous image files and paired them with LNK-based delivery to evade traditional antivirus detection.
| Stage | What the Defender Sees | Why It Passes Inspection |
|---|---|---|
| Malicious LNK | A 2.58 KB shortcut file referencing a diplomatic meeting | LNK files are low-risk by default; ZDI-CAN-25373 hides the PowerShell command behind whitespace padding that most metadata inspectors don't parse. |
| Signed Canon EXE | A legitimate PE32 binary with a valid, timestamped digital signature from a recognized publisher | Blocking it would flag every environment running Canon printer software. Reputation engines have no reason to distrust it. |
| 4 KB loader DLL | A minimal DLL with no overtly suspicious imports whose only job is to read, decrypt, and hand off execution | YARA rules can catch known variants, but a recompiled loader with a different key or decryption routine slips past static coverage. |
| Encrypted PlugX payload | An opaque .dat blob that never touches disk in decrypted form | File-based scanning never inspects the actual malware. The payload loads directly into the memory space of the trusted Canon process. |
That gap between what static tools can inspect and what really happens at runtime is where evasive campaigns thrive. Closing it requires a detection approach that can observe the full execution path, from initial file launch through every subsequent stage, and render a verdict based on behavior rather than appearance.
How MetaDefender Aether Exposes the Full Chain
MetaDefender Aether is OPSWAT's unified zero-day detection solution, combining four layers of analysis to inspect each file from multiple angles before returning a single trusted verdict.
- Threat reputation checks the file's hashes, metadata, and embedded indicators against global intelligence drawn from more than 50 billion indicators. In this chain, that helps identify what is already known and add context to what is not.
- Adaptive sandboxing then detonates the file in an emulated environment and observes the runtime sequence: the LNK launching PowerShell, the encoded command decoding a tar archive, the signed Canon binary loading an unsigned DLL, and the decrypted PlugX payload establishing persistence and reaching out to C2 (command and control) infrastructure.
- Threat scoring combines those results, reputation signals, and extracted indicators into a weighted risk score that accounts for the full behavioral context.
- ML-based similarity search compares the file and its behavior against known malware families and related activity, helping surface links to PlugX variants or similar DLL sideloading campaigns.
Together, the pipeline delivers up to 99.9% zero-day detection efficacy and returns a single trusted verdict per file, rather than forcing SOC analysts to reconcile separate reports manually. That matters when teams are triaging hundreds of files a day across email, MFT, ICAP, kiosks, storage, and cross-domain workflows.
A key differentiator in this chain is instruction-level emulation. Legacy VM-based sandboxes can miss malware that uses anti-VM evasion, timing delays, and environment checks to avoid full execution. MetaDefender Aether's adaptive sandboxing emulates CPU and OS behavior at the instruction level, which helps expose the full LNK-to-PowerShell-to-DLL sideloading sequence.
For SOC teams, the payoff is practical:
- Faster triage because the verdict is already correlated and MITRE-mapped
- Stronger blocking decisions because the verdict reflects runtime behavior rather than just static reputation
- Reduced false positives because MetaDefender Aether can distinguish between a legitimate signed binary being abused and a truly malicious payload
- Better zero-day readiness across file-ingestion points where these attacks enter the environment
How Deep CDR™ Technology Neutralizes the Trigger
Deep CDR™ Technology stops this chain before it starts by disarming the file that sets everything in motion. Where MetaDefender Aether reveals what a malicious file does at runtime, Deep CDR™ Technology helps ensure the file never gets the chance to execute.
The mechanism is specific to how LNK-based attacks work. A weaponized shortcut carries its malicious intent in embedded command-line arguments, in this case the encoded PowerShell invocation that decodes the tar archive and launches the payload chain. Deep CDR™ Technology identifies that embedded command and replaces it with a benign dummy command, preserving the shortcut in sanitized form while removing its ability to function as an attack trigger.
The result is a sanitized LNK workflow in which the original malicious behavior is neutralized before execution. No PowerShell execution, no archive extraction, no DLL sideloading, no PlugX. Paired together, MetaDefender Aether and Deep CDR™ Technology create a two-layer defense model.
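To make both halves of this concrete, here is an added example (not OPSWAT's, Arctic Wolf's or Microsoft's code) that walks a shortcut's StringData section the way a metadata inspector would need to, flags the kind of whitespace-padded arguments the comparison table attributes to ZDI-CAN-25373, and then rewrites the arguments with a dummy value in the spirit of the sanitized-LNK workflow described above. The field layout follows the public MS-SHLLINK format; the padding threshold, the dummy replacement string, the cp1252 assumption for non-Unicode shortcuts and the sample shortcuts are all assumptions constructed for the example, and the real Deep CDR™ replacement text is not known here.

```python
"""Parse a Windows shortcut (.lnk), flag padded arguments, and disarm the shortcut.

Added example, not OPSWAT's or Arctic Wolf's code. Field layout follows the
public MS-SHLLINK format (ShellLinkHeader, optional LinkTargetIDList and
LinkInfo, then StringData). PAD_THRESHOLD and DUMMY_ARGUMENTS are assumptions.
"""
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order when their LinkFlags bit is set.
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32)(\.exe)?\b", re.I)
PAD_THRESHOLD = 64                          # assumed: legitimate shortcuts never need this much whitespace
DUMMY_ARGUMENTS = "-- sanitized-by-cdr --"  # assumed inert replacement, not the product's real value


def encode_string(text, unicode):
    """CountCharacters (uint16) followed by the characters, no terminator."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le" if unicode else "cp1252")


def parse_lnk(data):
    """Return LinkFlags, the StringData fields, and the byte range StringData occupies."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]       # LinkInfoSize covers the whole block
    start, fields = off, {}
    width = 2 if flags & IS_UNICODE else 1                  # ANSI code page assumed to be cp1252
    for bit, name in STRING_FLAGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2:off + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    return {"flags": flags, "fields": fields, "string_start": start, "string_end": off}


def assess(fields):
    """Triage: longest whitespace run in the arguments, the command that would actually run, verdict."""
    args = fields.get("arguments", "")
    longest = max((len(m.group(0)) for m in re.finditer(r"\s+", args)), default=0)
    findings = []
    if longest >= PAD_THRESHOLD:
        findings.append(f"{longest}-character whitespace run hides part of the arguments")
    if SCRIPT_HOSTS.search(fields.get("relative_path", "") + " " + args):
        findings.append("target or arguments invoke a script host")
    verdict = "suspicious" if longest >= PAD_THRESHOLD else ("review" if findings else "clean")
    return {"padding_run": longest, "effective_command": " ".join(args.split()),
            "findings": findings, "verdict": verdict}


def sanitize(data):
    """Rebuild the shortcut with COMMAND_LINE_ARGUMENTS replaced by DUMMY_ARGUMENTS.

    Everything before and after StringData is copied byte-for-byte, so the
    shortcut still opens but no longer carries the embedded command.
    """
    parsed = parse_lnk(data)
    fields = dict(parsed["fields"])
    if "arguments" not in fields:
        return data
    fields["arguments"] = DUMMY_ARGUMENTS
    unicode = bool(parsed["flags"] & IS_UNICODE)
    body = b"".join(encode_string(fields[n], unicode) for _, n in STRING_FLAGS if n in fields)
    return data[:parsed["string_start"]] + body + data[parsed["string_end"]:]


def build_lnk(relative_path, arguments, unicode=True):
    """Construct a minimal shortcut carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS (test input)."""
    flags = 0x08 | 0x20 | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))              # remaining header fields left zeroed
    return header + encode_string(relative_path, unicode) + encode_string(arguments, unicode)


if __name__ == "__main__":
    # Constructed sample: 300 spaces push a harmless PowerShell command out of view.
    sample = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       " " * 300 + "-NoProfile -Command Get-Date")
    print(assess(parse_lnk(sample)["fields"]))
    print(assess(parse_lnk(sanitize(sample))["fields"]))
```

The verdict stays at "review" rather than "clean" after sanitization whenever the target itself is a script host, which mirrors the precision argument made later in this article: the shortcut is no longer a trigger, but a shortcut that launches PowerShell is still worth a second look.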
Two-Layer Defense Model
| Layer | Technology | Role |
|---|---|---|
| Detect and understand | MetaDefender | Detonates the file, exposes the full multi-stage execution path, extracts behavioral IOCs, and returns a single trusted verdict. |
| Disarm and prevent | Deep CDR™ Technology | Neutralizes the malicious LNK command, preventing the shortcut from executing. |
That distinction matters in practice. MetaDefender Aether is the zero-day detection solution for files that need deep analysis, especially when the goal is to understand runtime behavior and make a confident verdict. Deep CDR™ Technology is the sanitization and prevention control for files whose content can be safely disarmed without breaking legitimate use. Together, they cover both sides of the problem: understanding what a threat does and ensuring it never gets the opportunity.
Why Precision Matters
Precision matters because not every file in an attack chain is malicious, and treating them all the same leads to overbroad detection that erodes trust in your tools. This campaign makes that clear.
The signed Canon printer utility (cnmpaui.exe) is a legitimate binary. It has a valid digital signature, a clean reputation, and a hash associated with legitimate software. Flagging it as malicious would generate false positives in environments where Canon printer software is installed, and it would train SOC analysts to distrust the alerts they receive.
The main IOCs (indicators of compromise) are the malicious DLL (cnmpaui.dll) and the behavioral chain it enables:
- Sideloading and decrypting an encrypted payload with a hardcoded RC4 key
- Mapping the decrypted PlugX binary into the memory space of a trusted process
- Establishing persistence through a "CanonPrinter" Run key
- Initiating HTTPS C2 traffic with randomized URL paths and a spoofed user-agent string
Those are the signals that matter most, and they only surface when a detection tool can observe behavior and distinguish between a trusted binary being abused and a genuinely malicious artifact.
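As an added example of what "observing the behavioral chain" looks like in practice, the block below (not OPSWAT's or Arctic Wolf's code) tags constructed Sysmon-style host events with the stages described in the sandboxing runtime sequence earlier in this article and in the IOC list above, groups them by process lineage, and gives each lineage one verdict while labelling the signed EXE as an abused host and the unsigned DLL as the loader. The events are constructed for the example: the user name, PIDs, command line and IP address are placeholders, while the file names, the archive name and the Run-key name come from the campaign description.

```python
"""Correlate host telemetry into the LNK -> PowerShell -> DLL sideload -> C2 chain.

Added example, not OPSWAT's or Arctic Wolf's code. The events below are
constructed Sysmon-style records (ids: 1 process create, 3 network connect,
7 image load, 13 registry value set); the user name, PIDs, command line and
IP address are placeholders, while the file and Run-key names come from the
campaign description.
"""
from collections import defaultdict

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
ARCHIVE_TOOLS = {"tar.exe", "expand.exe"}
TEMP = r"C:\Users\alice\AppData\Local\Temp"   # constructed user Temp directory
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

EVENTS = [  # constructed telemetry, in arrival order
    {"id": 1, "pid": 4100, "ppid": 1200, "image": PS, "parent_image": EXPLORER, "signed": True,
     "cmdline": "powershell.exe -w hidden -nop -enc <PLACEHOLDER_BASE64>"},
    {"id": 1, "pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\tar.exe", "parent_image": PS,
     "signed": True, "cmdline": rf"tar.exe -xf {TEMP}\rjnlzlkfe.ta"},
    {"id": 1, "pid": 4150, "ppid": 4100, "image": rf"{TEMP}\cnmpaui.exe", "parent_image": PS,
     "signed": True, "cmdline": "cnmpaui.exe"},
    {"id": 7, "pid": 4150, "image": rf"{TEMP}\cnmpaui.exe", "image_loaded": rf"{TEMP}\cnmpaui.dll",
     "signed": False},
    {"id": 13, "pid": 4150, "image": rf"{TEMP}\cnmpaui.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CanonPrinter"},
    {"id": 3, "pid": 4150, "image": rf"{TEMP}\cnmpaui.exe", "dest_ip": "203.0.113.10", "dest_port": 443},
    # Unrelated benign activity that must stay out of the chain.
    {"id": 1, "pid": 5000, "ppid": 1200, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": EXPLORER, "signed": True, "cmdline": "notepad.exe notes.txt"},
]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path):
    return path.rsplit("\\", 1)[0].lower()


def tag_stage(ev, procs):
    """Map one event to a stage of the chain, or None if it matches nothing."""
    eid, image = ev["id"], ev["image"].lower()
    if eid == 1:
        parent, cmd = _base(ev["parent_image"]), ev["cmdline"].lower()
        if _base(image) in SCRIPT_HOSTS and parent == "explorer.exe" and ("-enc" in cmd or "hidden" in cmd):
            return "lnk_launch"             # shell-spawned script host with an encoded/hidden command
        if _base(image) in ARCHIVE_TOOLS and parent in SCRIPT_HOSTS:
            return "archive_extract"        # script host unpacking a staged archive
        if ev["signed"] and parent in SCRIPT_HOSTS and "\\temp\\" in image:
            return "signed_binary_staged"   # signed executable launched from a user-writable directory
    elif eid == 7:
        host = procs.get(ev["pid"])
        if host and host["signed"] and not ev["signed"] and _dir(ev["image_loaded"]) == _dir(image):
            return "dll_sideload"           # signed process loads an unsigned DLL from its own directory
    elif eid == 13 and "\\currentversion\\run\\" in ev["target_object"].lower():
        return "run_key_persistence"
    elif eid == 3 and ev["dest_port"] == 443 and "\\temp\\" in image:
        return "c2_beacon"                  # outbound TLS from a binary running out of Temp
    return None


def root_pid(pid, procs):
    """Follow ppid links up to the first ancestor we did not see start (e.g. explorer.exe)."""
    while pid in procs and procs[pid]["ppid"] in procs:
        pid = procs[pid]["ppid"]
    return pid


def correlate(events):
    """Group tagged events by process lineage and give each lineage one verdict."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    chains = defaultdict(lambda: {"stages": [], "artifacts": {}})
    for ev in events:
        stage = tag_stage(ev, procs)
        if stage is None:
            continue
        chain = chains[root_pid(ev["pid"], procs)]
        chain["stages"].append(stage)
        if stage == "signed_binary_staged":      # the EXE is real; it is the host, not the threat
            chain["artifacts"][_base(ev["image"])] = "legitimate signed binary abused as sideload host"
        elif stage == "dll_sideload":
            chain["artifacts"][_base(ev["image_loaded"])] = "malicious loader (unsigned, sideloaded)"
    results = {}
    for root, chain in chains.items():
        stages = set(chain["stages"])
        if {"lnk_launch", "dll_sideload"} <= stages and stages & {"run_key_persistence", "c2_beacon"}:
            verdict = "multi-stage sideload chain"
        elif len(stages) >= 2:
            verdict = "partial chain, review"
        else:
            verdict = "isolated signal"
        results[root] = {"verdict": verdict, "stages": chain["stages"], "artifacts": chain["artifacts"]}
    return results


if __name__ == "__main__":
    for root, result in correlate(EVENTS).items():
        print(root, result)
```

The signature flag on the image-load event is what lets the correlation separate the two artifacts: a signed process loading an unsigned DLL from its own directory is the sideload signal, and the per-artifact labels carry that distinction into the verdict instead of flattening everything under one "malicious" tag.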
This is where MetaDefender Aether's single trusted verdict becomes especially valuable. Rather than returning a flat "malicious" label across every file in the chain, the detection pipeline scores each component based on its observed behavior within the full execution context.
The signed EXE is recognized as a legitimate binary being used for sideloading. The DLL and the runtime behavior it produces are flagged as the real threat. That distinction gives security teams a clearer picture and reduces the manual effort required to separate signal from noise.
Static detection for the malicious DLL can also be strengthened with targeted rules such as YARA, and Arctic Wolf's published YARA signatures for the CanonStager loader are a useful starting point. But signature coverage is reactive by nature. In a chain like this, the real differentiator is behavioral visibility plus file neutralization.
Applying Layered File Security to Expose LNK-Based Attack Chains
LNK-based attacks keep working because they rely on a file type people see every day and rarely treat as dangerous. In a previous article, we pointed out that LNK files are ordinary Windows shortcuts that attackers can weaponize by hiding PowerShell or cmd.exe commands inside them, sometimes in ways that look harmless until the file is actually opened. That is exactly why campaigns like UNC6384’s continue to succeed: the shortcut looks familiar, but the behavior it triggers is anything but.
That pattern has held up across multiple campaigns. In our Emotet coverage, we explained why shortcut files were difficult to distinguish from normal documents, and that their extension was not displayed by default in Windows. This made them especially effective as delivery vehicles. The lesson is the same here: attackers do not need a brand-new trick when a familiar file type can still slip into everyday workflows and launch a multi-stage infection chain.
The answer is not to label every file in the chain as malicious. It is to apply layered file security that can expose runtime behavior, distinguish between a legitimate binary being abused and a malicious payload, and stop the trigger before it fires. Talk to an OPSWAT expert about how MetaDefender Aether and Deep CDR™ Technology can help your team detect, analyze, and prevent LNK-based attacks.
