Global Group Ransomware Is Back, Hiding in Windows Shortcuts

Howard Solomon

A recent Forcepoint report indicates that leveraging .lnk files for exploitation remains an effective tactic, despite its long history.


Last summer, Microsoft addressed a flaw that enabled malicious actors to exploit Windows shortcut (.lnk) files, leading many in the cybersecurity community to anticipate a decrease in this particular attack method.

However, those expectations proved incorrect.

Forcepoint researchers report the discovery of a widespread phishing campaign deploying Global Group ransomware, designed to trick employees into opening an email attachment titled ‘Your document.’

The malicious payload is delivered via a specially crafted .lnk file.

“This file leverages social engineering, covert execution, and Living-off-the-Land (LotL) methods to discreetly download and deploy a subsequent payload, all while avoiding detection,” explains Lydia McElligott, the report’s author. She also highlights that the subject line ‘Your document’ has been a prevalent feature in major phishing efforts across 2024 and 2025.

This alert regarding the current campaign comes after IBM’s discovery last month of a comparable campaign spreading the Aware ransomware, which is a variant of the Global Group strain implicated in the present attack.

Both campaigns utilized the Phorpiex botnet, also referred to as Trik by some researchers, as their operational infrastructure.

Concerns surrounding a .lnk file flaw emerged in March 2025, following Trend Micro’s disclosure of thousands of malicious .lnk files with concealed command line arguments used in campaigns since 2017. Mitja Kolsek from 0Patch confirmed that this specific vulnerability (CVE-2025-9491) was discreetly fixed last summer.

Nonetheless, McElligott suggests that this specific vulnerability is not employed in the current Global Group campaign, as the target is overtly visible within the .lnk shortcut file properties.

Understanding Global Group

Global Group is a Ransomware-as-a-Service (RaaS) entity that appeared in June 2025, widely suspected by researchers to be a rebranded version of the BlackLock and Mamona operations. In its inaugural month, it reportedly impacted around 17 victims spanning various sectors and global locations. EclecticIQ researchers noted that by July 2025, Global Group maintained a private leak site on the Tor network. The actual IP address for this site traced back to a Russian virtual private server (VPS) provider previously associated with the Mamona RaaS group.

McElligott communicated via email that despite its rapid emergence and growth as a new player, its output wasn’t particularly high when contrasted with more established ransomware groups during the identical timeframe.

The Appeal of LNK Files

A .lnk file functions as a Windows Shortcut, essentially a pointer designed to launch a file, folder, or application. It is built upon the Shell Link binary file format, which contains data necessary for accessing target objects.

According to Forcepoint’s McElligott in her blog, Windows shortcut files remain among the most straightforward methods to achieve code execution from a single user click. Within email inboxes, a .lnk file can mimic a standard document by employing dual extensions (e.g., Document.doc.lnk) and leveraging Windows’ default behavior of concealing known file extensions. For the average user, she noted, the file appears to be a Word document, rather than a command-executing shortcut.

McAfee indicates that after Microsoft deactivated Office macros by default, cybercriminals increasingly sought out vulnerabilities in .lnk files. Similarly, a June 2025 report from Palo Alto Networks researchers highlighted how the adaptability of .lnk files “establishes them as a potent instrument for attackers, capable of both executing harmful code and impersonating genuine files to trick victims into inadvertently deploying malware.”

Adversaries further exploit common visual signals. By utilizing icons sourced from legitimate Windows components, such as shell32.dll, the attachment can quickly appear to be a trustworthy file. This combination of a “document-like name” and a familiar icon minimizes user reluctance to click, which is particularly effective in large-scale phishing operations aiming for rapid distribution and broad reach.

Upon activation, as McElligott explained, a shortcut has the capability to directly launch cmd.exe or PowerShell, covertly transmit arguments, and initiate a sequence of actions without the need for a visible installer. This seamless process explains why .lnk file deception persists in routine campaigns: they are simple to create, straightforward to customize, and effectively connect a phishing email to the delivery of a malicious payload.

The phishing emails observed by Forcepoint are readily identifiable as suspicious. The content is brief: “Hello, you can find your document in the attachment. Please reply as soon as possible. Kind regards, GSD Support.” In contrast to more elaborate phishing attempts, these messages lack deceptive pretexts (such as “This is in response to your message”) or urgent calls to action (“Urgent” or “Please look at this and reply by end of day”).

The attachment within the example email appeared as ‘Document.zip’, but its true name was ‘Document.doc.lnk’. The intention is to conceal the .lnk extension. Activating this file initiates cmd.exe with embedded instructions that command PowerShell to download ransomware, save it to the system as a binary posing as a genuine Windows executable (e.g., windrv.exe), and then run it.
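To show what a defender can pull out of a shortcut before anyone clicks it, here is an added example (not code from Forcepoint or from this article) that parses the StringData section of the Shell Link format and flags the three lures described above: a hidden double extension, a target that is cmd.exe or PowerShell, and an icon borrowed from shell32.dll. The sample shortcut bytes are constructed by the script itself; the field names, the placeholder arguments and the `build_sample_lnk` helper are assumptions.

```python
import struct

# Shell Link header constants from MS-SHLLINK; only the fields this triage needs.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH), ("working_dir", HAS_WORKING_DIR),
               ("arguments", HAS_ARGUMENTS), ("icon_location", HAS_ICON_LOCATION))

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (relative target path, arguments, icon) of a Shell Link blob."""
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList; StringData is enough for this triage
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo starts with its own total size
        off += struct.unpack_from("<I", data, off)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for name, bit in STRING_DATA:                # the spec fixes this order
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            raw = data[off + 2:off + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    return fields

def triage(filename: str, fields: dict) -> list:
    """Flag the lures the article describes: hidden double extension, interpreter target, borrowed icon."""
    findings = []
    if "." in filename.lower().removesuffix(".lnk"):     # Document.doc.lnk is shown as Document.doc
        findings.append("double extension")
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    if any(t in target for t in ("cmd.exe", "powershell", "pwsh")):
        findings.append("launches command interpreter")
    if "shell32.dll" in fields.get("icon_location", "").lower():
        findings.append("borrows a system icon")
    return findings

def build_sample_lnk(relative_path: str, arguments: str, icon: str) -> bytes:
    """Constructed test input (hypothetical): a minimal Unicode Shell Link carrying only StringData."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))   # remaining header fields zeroed
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments) + enc(icon)
```

Running `triage("Document.doc.lnk", parse_lnk(build_sample_lnk(r"..\..\Windows\System32\cmd.exe", '/c powershell -Command "<placeholder>"', r"%SystemRoot%\System32\shell32.dll")))` reports all three findings, while a shortcut such as `Readme.lnk` pointing at a text file reports none.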

Atypical Approach

Remarkably, the Global Group ransomware functions in a completely silent manner, executing all its operations directly on the infected system without relying on a command and control server for communication. “This method is quite unusual,” McElligott noted in an email. “Normally, contemporary ransomware uses network connections for encryption, data theft, double extortion schemes, data leak sites, and ransom negotiation platforms. Exfiltrated data is typically leveraged to heighten the pressure on victims to meet ransom payments.”

This ransomware does not acquire an encryption key from an external source; rather, it creates the key locally on the compromised machine. Consequently, contrary to assertions in its ransom message, no data is actually removed from the system.

Data exfiltration can protract attacks and generate additional forensic evidence, McElligott clarified. By concentrating solely on encryption, ransomware operations can be executed more rapidly, impact a greater number of targets, and reduce the chance of detection. She further stated that, in numerous scenarios, data exfiltration is not essential for compelling payment, as encryption alone often results in substantial operational disruption.

Since Global Group ransomware can operate completely without an internet connection, she pointed out, it’s less prone to detection via network traffic monitoring. Indeed, it’s capable of execution even in air-gapped networks.

“Such an exclusive offline design further enhances its capacity to bypass detection in networks where surveillance predominantly depends on identifying unusual or suspicious traffic patterns,” McElligott commented.

To hinder discovery, the ransomware employs a ping command as a rudimentary timer, allowing the malware to complete its execution and cleanly exit memory before self-deleting from disk, thereby obstructing forensic investigation.

Moreover, the malware incorporates anti-virtualization and anti-analysis features, scanning active processes on the host system for those linked to virtualized settings typically used for malware examination and sandboxing, as well as for prevalent analysis utilities. It also pinpoints and terminates database-related processes to free up file locks, thus maximizing the quantity of data accessible for encryption.
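As an added illustration (not from Forcepoint's report or this article), the following script runs three detection rules over constructed process-creation events matching the behaviours described above: a command interpreter launched from Explorer that chains into PowerShell, ping used as a delay before a file deletion, and a database process being terminated. The event fields, process names and sample command lines are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 1, "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c powershell -Command "<constructed placeholder>"'},
    {"pid": 2, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": 'powershell -Command "<constructed placeholder>"'},
    {"pid": 3, "parent": "windrv.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del /f "C:\\Users\\Public\\windrv.exe"'},
    {"pid": 4, "parent": "windrv.exe", "image": "taskkill.exe", "cmdline": "taskkill /f /im sqlservr.exe"},
    {"pid": 5, "parent": "explorer.exe", "image": "winword.exe", "cmdline": 'winword.exe "C:\\Users\\a\\report.docx"'},
]

INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe")
DB_PROCESSES = ("sqlservr", "mysqld", "postgres", "oracle")
# ping with a repeat count, followed later in the same command line by a delete
PING_THEN_DELETE = re.compile(r"\bping\b.*\s-n\s+\d+.*\bdel\b", re.I)

def detect(events):
    """Return (pid, reason) pairs for events matching the behaviours described in the article."""
    alerts = []
    for e in events:
        cl = e["cmdline"].lower()
        if e["parent"] == "explorer.exe" and e["image"] in INTERPRETERS and "powershell" in cl:
            alerts.append((e["pid"], "interpreter launched from Explorer chains into PowerShell (shortcut click)"))
        if PING_THEN_DELETE.search(cl):
            alerts.append((e["pid"], "ping used as a timer before deleting a file (self-delete)"))
        if e["image"] == "taskkill.exe" and any(p in cl for p in DB_PROCESSES):
            alerts.append((e["pid"], "database process terminated (releases file locks before encryption)"))
    return alerts

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```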

Strategies for Mitigation

Cybersecurity professionals ought to implement a multi-layered strategy against all ransomware threats, integrating preventative measures, detection capabilities, swift recovery protocols, and heightened user awareness to minimize the risk of succumbing to an attack, advised McElligott.

To neutralize a Global Group attack, she suggests that IT departments:

  • implement robust email security to identify phishing attempts;
  • limit the use of integrated tools such as PowerShell, WMI, and LolBins, alongside restricting script execution, macros, and unverified binaries;
  • utilize behavioral endpoint detection and response (EDR) systems to identify suspicious sequences of processes;
  • divide IT networks into segments to prevent widespread lateral movement;
  • enforce the principle of least privilege, regularly rotate credentials, and watch for unusual authentication patterns;
  • keep isolated, unchangeable backups to ensure quick restoration if data becomes encrypted.

Crucial Role of Security Awareness Training

Furthermore, security awareness education that teaches employees to avoid clicking on potentially malicious attachments serves as a primary defense mechanism. David Shipley, who leads Canadian awareness training firm Beauceron Security, cautioned that many organizations conduct security awareness training and phishing simulations merely to satisfy compliance requirements, rather than integrating them as a vital component of a security-first culture.

He explained to Computerworld that compliance initiatives typically only aim to verify that a task was completed. Conversely, an organization fostering a strong security culture should demonstrate not only a decrease in phishing risk (lower click rates) and a rise in reporting suspicious incidents, but also an enhancement in overall resilience. This is achieved by assessing how many individuals clicked a link, and subsequently, how many of those reported it. This metric is referred to as the post-click report rate (PCRR).

“This provides an excellent gauge of both the readiness to acknowledge errors and the level of psychological safety,” Shipley stated.

He further mentioned that cybersecurity experts ought to be aware that Microsoft’s most recent Digital Defense report highlights AI-driven phishing as 4.5 times more successful than earlier phishing methods, achieving a 54% click-through rate compared to the prior average of 12%. 

Shipley concluded that studies indicate that appropriate training, provided quarterly and coupled with challenging phishing simulations that commend beneficial actions such as reporting dubious emails, is essential for organizations aiming to lower click rates.
