T1027.012 LNK Icon Smuggling
Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the IconEnvironmentDataBlock) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory.
Adversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., Malicious File), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by Command and Scripting Interpreter/System Binary Proxy Execution arguments within the target path field of the LNK.12
LNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads.
| Item | Value |
|---|---|
| ID | T1027.012 |
| Sub-techniques | T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011, T1027.012, T1027.013, T1027.014, T1027.015, T1027.016, T1027.017 |
| Tactics | TA0005 |
| Platforms | Windows |
| Version | 1.0 |
| Created | 29 September 2023 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0047 | Gamaredon Group | Gamaredon Group has used LNK files to hide malicious scripts for execution.56 |
| G0094 | Kimsuky | Kimsuky has used the LNK icon location to execute malicious scripts. Kimsuky has also padded the LNK target field properties with extra spaces to obscure the script.4 |
| G0129 | Mustang Panda | Mustang Panda has utilized LNK files to hide malicious scripts for execution.78 Mustang Panda has also leveraged LNK files that were programmed to display a PDF icon to entice the victim to click on the file to execute an office.exe binary.3 |
| S1239 | TONESHELL | TONESHELL has been initiated using LNK files that were programmed to display a PDF icon to entice the victim to click on the file to execute an office.exe binary.3 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1049 | Antivirus/Antimalware | Use signatures or heuristics to detect malicious LNK and subsequently downloaded files. |
| M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent execution of potentially obfuscated scripts or payloads. |
References
-
Unprotect Project. (2019, March 18). Shortcut Hiding. Retrieved October 3, 2023. ↩
-
Weyne, F. (2017, April). Booby trap a shortcut with a backdoor. Retrieved October 3, 2023. ↩
-
CSIRT CTI. (2024, January 23). Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks. Retrieved August 4, 2025. ↩↩
-
Den Iuzvyk, Tim Peck. (2025, February 13). Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks. Retrieved August 19, 2025. ↩
-
Threat Hunter Team, Symantec and Carbon Black. (2025, April 10). Shuckworm Targets Foreign Military Mission Based in Ukraine. Retrieved July 23, 2025. ↩
-
Venere, G. (2025, March 28). Gamaredon campaign abuses LNK files to distribute Remcos backdoor. Retrieved July 23, 2025. ↩
-
Asheer Malhotra, Jungsoo An, Kendall Mc. (2022, May 5). Mustang Panda deploys a new wave of malware targeting Europe. Retrieved August 4, 2025. ↩
-
Secureworks Counter Threat Unit Research Team. (2022, September 8). BRONZE PRESIDENT Targets Government Officials. Retrieved September 9, 2025. ↩