Global Group Ransomware Now Attacks Through Shortcut Files

Howard Solomon

A surge in attacks is leveraging a vulnerability within Windows’ handling of .lnk shortcut files.


Last summer, Microsoft addressed a vulnerability that allowed malicious actors to exploit Windows shortcut (.lnk) files. Many defenders may have hoped this tactic would diminish.

They were mistaken.

Forcepoint researchers have identified a new, widespread phishing campaign deploying Global Group ransomware. The campaign entices employees to click an email attachment, typically with the subject line ‘Your document.’

The attack mechanism involves a weaponized .lnk file.

“Through a combination of social engineering, discreet execution, and Living-off-the-Land (LotL) techniques, this file covertly retrieves and launches a secondary payload without triggering alarms,” stated Lydia McElligott, the report’s author. She also highlighted that the ‘Your document’ subject line has been frequently used in extensive phishing operations throughout 2024 and 2025.

This alert follows IBM’s discovery last month of a similar campaign that disseminated the Aware ransomware, a variant of the Global Group strain active in the current attacks.

In both instances, the cybercriminals behind these campaigns utilized the Phorpiex botnet, also known to researchers as Trik.

Concerns surrounding .lnk file vulnerabilities date back to March 2025, when Trend Micro documented thousands of malicious .lnk files containing concealed command-line arguments in campaigns observed since 2017. Mitja Kolsek of 0Patch later confirmed that this specific flaw (CVE-2025-9491) was discreetly fixed last summer.

However, McElligott believes this particular vulnerability is not being exploited in the current Global Group campaign, as the target is not hidden within the .lnk shortcut file’s properties.

Understanding Global Group: The Ransomware Operation

Global Group is a Ransomware-as-a-Service (RaaS) operation that surfaced in June 2025. Many researchers suspect it’s a rebrand of the earlier BlackLock and Mamona operations. Within its inaugural month, it reportedly impacted approximately 17 victims across diverse sectors and geographies. EclecticIQ researchers noted that by July 2025, Global Group maintained a dedicated leak site on the Tor network, with its actual IP address pointing to a Russia-based virtual private server (VPS) previously associated with the Mamona RaaS gang.

McElligott mentioned in an email that while its rapid emergence and growth were noteworthy, Global Group was not as prolific as leading ransomware operations during the same timeframe.

The Appeal of .LNK Files for Attackers

An .lnk file, or Windows Shortcut, is a pointer used to open a file, folder, or application. It follows the Shell Link binary file format, which stores the information needed to locate and launch its target.

Forcepoint’s McElligott explained in her blog that Windows shortcut files remain one of the most straightforward methods to achieve code execution with a single click. In email inboxes, .lnk files can be disguised as standard documents using double extensions (e.g., Document.doc.lnk) and by exploiting Windows’ default setting that hides known file extensions. Consequently, she noted, most users perceive the filename as a Word document, rather than a shortcut capable of launching commands.

McAfee reported that after Microsoft deactivated Office macros by default, threat actors increasingly shifted to exploiting .lnk files. Furthermore, a June 2025 report by Palo Alto Networks highlighted that the versatility of .lnk files “makes them a potent tool for attackers, as they can both execute malicious content and impersonate legitimate files to trick victims into inadvertently initiating malware.”

Attackers also leverage familiar visual cues. By adopting icons from authentic Windows resources, such as shell32.dll, the attachment can instantly appear as a trusted file type. This combination of a “document-like name” and a recognizable icon diminishes user hesitation to click, proving particularly effective in high-volume phishing where speed and scale are crucial.

Once activated, McElligott elaborated, a shortcut can directly execute cmd.exe or PowerShell, transmit arguments stealthily, and link actions without deploying a visible installer. This seamless execution path explains why .lnk lures persistently feature in commodity campaigns: they are simple to create, easy to brand, and effectively bridge the gap between a phishing email and a payload delivery.

The phishing messages observed by Forcepoint should readily raise suspicion. The email’s content is minimal: “Hello, you can find your document in the attachment. Please reply as soon as possible. Kind regards, GSD Support.” Unlike more complex phishing attempts, it lacks a deceptive pretense (“This is in response to your message”) or urgent calls for action (“Urgent” or “Please look at this and reply by end of day”).

The sample email showed an attachment named ‘Document.zip,’ but its true name was ‘Document.doc.lnk.’ The objective is to conceal the .lnk extension. Clicking this file executes cmd.exe with embedded arguments that trigger PowerShell to download ransomware, write it to disk as a binary disguised as a legitimate Windows executable (e.g., windrv.exe), and then execute it.
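The Shell Link format described above can be parsed far enough for triage without opening the shortcut. The following is an added example, not code from Forcepoint or from the article: it reads the ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo structures, recovers the StringData fields (target path, arguments, icon location), and applies the defender-side checks the preceding paragraphs suggest: a document extension placed in front of the hidden .lnk, a target that is a command interpreter, a hand-off to PowerShell, a hidden or minimized window, a URL in the arguments, and a system icon borrowed from shell32.dll. The sample shortcut bytes are constructed here; the filename Document.doc.lnk, cmd.exe, PowerShell, windrv.exe and shell32.dll come from the article, and the placeholder command text and the hostname placeholder.invalid are assumptions.

```python
"""Triage a Windows Shell Link (.lnk) file before a user double-clicks it.

Added example (not Forcepoint's or Microsoft's code). Layout follows the
MS-SHLLINK specification: 76-byte ShellLinkHeader, optional LinkTargetIDList,
optional LinkInfo, then StringData items in a fixed order.
"""
import re
import struct

HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 0x7  # console window starts minimized, so the user sees nothing

# LinkFlags bits deciding which optional structures follow the header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "rtf"}
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def _read_string_data(data, off, unicode):
    """StringData item: 2-byte CountCharacters, then the characters, no terminator."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    size = count * 2 if unicode else count
    raw = data[off:off + size]
    return (raw.decode("utf-16-le") if unicode else raw.decode("cp1252")), off + size


def parse_lnk(data):
    """Return the header's ShowCommand plus the five StringData fields ('' when absent)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: HeaderSize must be 0x4C")
    if data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link: wrong LinkCLSID")
    (flags,) = struct.unpack_from("<I", data, 20)
    (show_command,) = struct.unpack_from("<I", data, 60)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the ItemIDs
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize (4 bytes) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"show_command": show_command}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            info[name], off = _read_string_data(data, off, bool(flags & IS_UNICODE))
        else:
            info[name] = ""
    return info


def triage(filename, data):
    """Return (parsed fields, reasons this shortcut deserves a closer look)."""
    info = parse_lnk(data)
    reasons = []
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in DOCUMENT_EXTS:
        reasons.append("double extension: document extension in front of the hidden .lnk")
    target = info["relative_path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in INTERPRETERS:
        reasons.append(f"target is a command interpreter: {target}")
    if re.search(r"\b(powershell|pwsh)\b", info["arguments"], re.I):
        reasons.append("arguments hand off to PowerShell")
    if HIDDEN_WINDOW.search(info["arguments"]) or info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window hidden or minimized at launch")
    if re.search(r"https?://", info["arguments"], re.I):
        reasons.append("arguments contain a URL (download stage)")
    if target in INTERPRETERS and re.search(r"\\(shell32|imageres)\.dll", info["icon_location"], re.I):
        reasons.append("system icon borrowed to look like a document while launching a shell")
    return info, reasons


def build_sample_lnk(relative_path, arguments, icon_location, show_command=SW_SHOWMINNOACTIVE):
    """Constructed minimal shortcut: header, three StringData items, TerminalBlock."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, SHELL_LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def item(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + item(relative_path) + item(arguments) + item(icon_location) + b"\x00\x00\x00\x00"


# Constructed lure modelled on the article's description; the command is a placeholder, not a real one
LURE_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    '/c powershell -w hidden -c "<constructed placeholder: fetch http://placeholder.invalid/x, save as windrv.exe, run>"',
    r"%SystemRoot%\System32\shell32.dll")
# Constructed ordinary shortcut to a document, for comparison
BENIGN_LNK = build_sample_lnk(r"..\Documents\report.docx", "", "", show_command=1)

if __name__ == "__main__":
    for name, blob in (("Document.doc.lnk", LURE_LNK), ("Report.lnk", BENIGN_LNK)):
        info, reasons = triage(name, blob)
        print(name, "->", info["relative_path"] or "(no path)", "|", reasons or ["no findings"])
```

Real shortcuts almost always carry a LinkTargetIDList, which the parser skips by size rather than decoding; the relative path and arguments are what matter for triage, and a shortcut that has arguments but no relative path is itself worth a look. Run the triage on attachments at the mail gateway or in a sandbox, never by opening the file.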

A Unique Approach to Ransomware

Notably, the Global Group ransomware operates in a completely “mute” fashion – meaning it conducts all its activities locally on the compromised system rather than communicating with a command and control server. “This method is highly unusual,” McElligott noted in an email. “Typically, modern ransomware relies on network communication for encryption, data exfiltration, double extortion strategies, leak sites, and negotiation infrastructure. Stolen data is used to exert additional pressure on victims to meet ransom demands.”

The ransomware does not fetch an external encryption key; instead, it generates the key directly on the infected machine. Consequently, despite claims in its ransom note, no data is exfiltrated.

McElligott explained that exfiltrating data can prolong attacks and leave more forensic evidence. By concentrating solely on encryption, ransomware attacks can be launched more quickly, affect a greater number of victims, and be less prone to detection. In many scenarios, she added, data exfiltration isn’t necessary to compel payment, as encryption alone can lead to considerable downtime.

Given its ability to operate entirely offline, the Global Group ransomware is less likely to be detected via network traffic monitoring, McElligott stated. Indeed, it can even execute successfully in air-gapped environments.

“This offline-only approach also heightens its chances of evading detection in networks where monitoring primarily depends on observing unusual or suspicious traffic,” McElligott commented.

To thwart detection, the ransomware employs a ping command as a simple delay mechanism. This grants the malware sufficient time to complete its execution and cleanly exit memory before deleting itself from disk, thereby impeding forensic analysis.

The malware also incorporates anti-virtualization and anti-analysis capabilities. It enumerates running processes on the host system, searching for processes linked to virtualized environments used for malware analysis and sandboxing, as well as common analysis tools. Furthermore, it identifies and terminates database-related processes to unlock files, thereby increasing the volume of data available for encryption.
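Because the ransomware never talks to a command-and-control server, the observable signal is on the endpoint: the process chain a clicked shortcut produces, the dropped binary launched from a user-writable directory, and the ping-based delay that precedes self-deletion. The following is an added example, not Forcepoint's or the article's code, that runs three such rules over constructed Sysmon-style process-creation records. The PIDs, paths and user name alice are invented; windrv.exe, cmd.exe, PowerShell and the ping delay come from the article.

```python
"""Correlate process-creation telemetry for the shortcut-lure chain described above.

Added example (not Forcepoint's code). Records mimic a subset of Sysmon
Event ID 1 fields; all values are constructed for the demonstration.
"""
import re

EVENTS = [
    {"pid": 4120, "ppid": 1004, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    # what a double-clicked Document.doc.lnk produces (command text is a placeholder)
    {"pid": 5500, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c powershell -w hidden -c "<constructed placeholder>"'},
    {"pid": 5512, "ppid": 5500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "<constructed placeholder>"'},
    {"pid": 5530, "ppid": 5512, "image": r"C:\Users\alice\AppData\Local\Temp\windrv.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\windrv.exe"},
    {"pid": 5544, "ppid": 5530, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del /f /q "C:\\Users\\alice\\AppData\\Local\\Temp\\windrv.exe"'},
    # benign activity that must not fire
    {"pid": 6000, "ppid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\alice\\Documents\\report.docx"'},
    {"pid": 6100, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 6110, "ppid": 6100, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 1 fileserver01"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
PING_DELAY = re.compile(r"\bping\b[^&|]*?(127\.0\.0\.1|localhost|-n\s+\d+)", re.I)
DELETE_TARGET = re.compile(r"\b(del|erase)\b[^&|]*?\"?([a-z]:\\[^\"&|]+)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(index, pid, max_depth=5):
    """[process, parent, grandparent, ...] as far as the records allow."""
    chain = []
    while pid in index and len(chain) < max_depth:
        chain.append(index[pid])
        pid = index[pid]["ppid"]
    return chain


def detect(events):
    """Return (rule, pid, detail) tuples for every record a rule matches."""
    index = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        names = [basename(p["image"]) for p in lineage(index, e["pid"])]
        # Rule 1: explorer.exe -> cmd.exe -> hidden PowerShell is the shortcut's execution path
        if names[:3] == ["powershell.exe", "cmd.exe", "explorer.exe"] and HIDDEN_WINDOW.search(e["cmdline"]):
            findings.append(("explorer_cmd_powershell_hidden", e["pid"], e["cmdline"]))
        # Rule 2: a binary under the user's profile started by a shell (the dropped payload)
        if USER_WRITABLE.search(e["image"]) and len(names) > 1 and names[1] in SHELLS:
            findings.append(("user_writable_binary_from_shell", e["pid"], e["image"]))
        # Rule 3: ping used as a sleep, then del; compare the deleted path with the parent's image
        if names[0] == "cmd.exe" and PING_DELAY.search(e["cmdline"]):
            m = DELETE_TARGET.search(e["cmdline"])
            if m:
                target = m.group(2).strip()
                parent = index.get(e["ppid"])
                self_delete = parent is not None and parent["image"].lower() == target.lower()
                findings.append(("ping_delay_self_delete", e["pid"],
                                 f"deletes {target}; parent image match={self_delete}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

Rule 3 is the one that survives the malware's own clean-up: the file is gone by the time an analyst arrives, but the cmd.exe record naming it, and the parent-image match showing the deleting process was the payload itself, remain in the telemetry.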

Mitigation Strategies

Security professionals should implement a multi-layered strategy to counter all ransomware threats, combining prevention, detection, rapid recovery, and user education to minimize the risk of succumbing to an attack, McElligott advised.

To mitigate a Global Group attack, she recommends that IT departments:

  • Implement robust email security to identify phishing attempts.
  • Limit access to native tools like PowerShell, WMI, and LOLBins, while also restricting script execution, macros, and unsigned binaries.
  • Utilize behavioral endpoint detection and response (EDR) systems to identify suspicious process chains.
  • Segment IT networks to impede lateral movement of threats.
  • Enforce least-privilege access, regularly rotate credentials, and monitor for unusual authentication activities.
  • Maintain isolated, immutable backups to enable swift recovery if files are encrypted.

The Crucial Role of Security Awareness Training

Furthermore, security awareness training that educates employees on how to avoid clicking on potentially suspicious attachments serves as a primary defense. David Shipley, head of Canada-based awareness training provider Beauceron Security, cautioned that many organizations conduct security awareness training and phishing tests merely to fulfill compliance requirements, rather than integrating them as a core component of a security-focused culture.

Compliance programs, he explained to Computerworld, merely aim to demonstrate that an activity was performed. A company with a genuine security culture should prove not only that phishing risk has decreased (lower click rates) and the reporting rate of suspicious activity has risen, but also that overall resilience has improved. This is measured by the post-click report rate (PCRR): how many individuals clicked a link, and of those, how many subsequently reported it.

“It’s an excellent indicator of both the willingness to admit an error and the level of psychological safety within an organization,” Shipley stated.

He further added that security professionals should note Microsoft’s recent Digital Defense report, which indicates that AI-powered phishing is 4.5 times more effective than previous phishing efforts, achieving a 54% click-through rate compared to the prior average of 12%.

Shipley asserted that research demonstrates the necessity of proper education, delivered quarterly, alongside challenging phishing simulations that reward positive behaviors such as reporting suspicious emails, if an organization aims to reduce click rates effectively.
