DeerStealer Malware Uses .LNK Files to Evade Detection and Steal Data
July 23rd, 2025
High

Our Cyber Threat Intelligence Unit has identified an active campaign distributing DeerStealer malware through malicious Windows shortcut files (.LNK). These shortcuts mimic legitimate documents (e.g., “Report.lnk”) but execute Windows native binaries, such as mshta.exe, cmd.exe, and PowerShell, to deliver and run the payload. DeerStealer is designed to gather sensitive data and send it to attacker-controlled servers. This living-off-the-land binary (LOLBin) approach bypasses traditional file filters and leverages trusted OS components, increasing its stealth by exploiting user trust in familiar shortcut icons.
Technical Details
Malware Family: DeerStealer.
Severity: High.
Delivery Method: Weaponized .LNK files.
Technique: Obfuscated, multi-stage script execution (T1218.005 via mshta.exe).
Execution Chain: .lnk → mshta.exe → cmd.exe → PowerShell → Predator Payload.
Infection process:
Victim opens a seemingly benign .LNK (e.g., “Report.lnk”).
The shortcut launches mshta.exe, running obfuscated scripts with wildcard paths.
Scripts bypass logging/profiling, decode Base64/hex payloads, and execute them via PowerShell IEX.
A decoy PDF is displayed while DeerStealer silently installs in %AppData%.
DeerStealer exfiltrates data via HTTP POST to attacker servers.
Payload capabilities:
Browser/application credential theft.
Clipboard capture and system information harvesting.
Targeting cryptocurrency wallets and messaging apps.
Data exfiltration via HTTP.

Impact
The DeerStealer campaign presents several risks to organizations and individuals:
Credential theft, which allows unauthorized access.
Data loss, including personal and financial information.
Cryptocurrency compromise through wallet theft and clipper injection.
Identity theft, fraud, and the potential for follow-on phishing or lateral movement.
Detection Method
To detect and mitigate DeerStealer infections:
Monitor .LNK executions, particularly those received over email or messaging platforms.
Inspect PowerShell and script execution logs for suspicious activity initiated by shortcut files.
Capture PowerShell logs (if not disabled) and look for IEX/base64 decoding activity.
Monitor outbound HTTP POST requests to unfamiliar or suspicious domains.
Use EDR/AV to detect suspicious behavior with .LNK, mshta.exe, and script interpreter launches.
Implement YARA or Sigma rules targeting DeerStealer behavior and script signatures.
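The detection guidance above (shortcut-initiated mshta.exe, cmd.exe and PowerShell launches; IEX and Base64 decoding in PowerShell command lines) can be applied to process-creation telemetry such as Sysmon Event ID 1 or Security Event ID 4688. The following Python script is an added example written for this advisory, not tooling from the original report: it walks the parent-process chain of every PowerShell launch and raises an alert when mshta.exe appears in its ancestry, and separately flags mshta.exe launches that use a wildcard path as described in the infection process. The event records and the Base64 string are constructed samples, and the field names (pid, ppid, image, cmdline) are an assumed normalised log format rather than any specific product's schema.

```python
"""Added example (not part of the original advisory): detect the DeerStealer-style
.LNK -> mshta.exe -> cmd.exe -> PowerShell chain in process-creation events.
All sample events below are constructed; the field layout is an assumed
normalisation of Sysmon EID 1 / Security 4688 records."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the launched executable as logged
    cmdline: str   # command line as logged


# Constructed sample telemetry resembling the chain in the advisory,
# plus ordinary cmd -> powershell noise that must NOT alert.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # explorer.exe resolving the shortcut and starting mshta with a wildcard path
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\Public\*\Report.hta"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -w hidden -ep bypass -enc QUFBQUFBQUFBQUFB"),  # constructed Base64
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -ep bypass -c "IEX ([Text.Encoding]::UTF8.GetString('
              '[Convert]::FromBase64String($p)))"'),
    # benign: a user-run cmd -> powershell with no mshta ancestry
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcEvent(600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Get-Process"),
]

# Command-line markers called out in the advisory: IEX, Base64 decoding,
# plus the hidden-window / bypass flags commonly seen alongside them.
SUSPICIOUS_PS = re.compile(
    r"(?i)\bIEX\b|Invoke-Expression|FromBase64String|-enc(odedcommand)?\b"
    r"|-w(indowstyle)?\s+hidden|-ep\s+bypass"
)


def image_name(image: str) -> str:
    """Return the lower-cased file name of a logged image path."""
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Return the process chain for pid, child first, as executable names.
    A seen-set guards against PID reuse producing a cycle."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    e = by_pid.get(pid)
    while e is not None and e.pid not in seen:
        seen.add(e.pid)
        chain.append(image_name(e.image))
        e = by_pid.get(e.ppid)
    return chain


def detect_lnk_chain(events):
    """Return a list of (pid, reasons) alerts for events matching the chain."""
    alerts = []
    for e in events:
        name = image_name(e.image)
        # mshta.exe launched with a wildcard path, as described in the advisory
        if name == "mshta.exe" and "*" in e.cmdline:
            alerts.append((e.pid, ["mshta.exe launched with wildcard path"]))
        if name in ("powershell.exe", "pwsh.exe"):
            chain = ancestry(events, e.pid)
            if "mshta.exe" not in chain:
                continue  # ordinary PowerShell use without shortcut/mshta ancestry
            reasons = ["mshta.exe in process ancestry: " + " <- ".join(chain)]
            if SUSPICIOUS_PS.search(e.cmdline):
                reasons.append("IEX/Base64/hidden-window markers in command line")
            alerts.append((e.pid, reasons))
    return alerts


if __name__ == "__main__":
    for pid, reasons in detect_lnk_chain(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}")
        for r in reasons:
            print("  -", r)
```

Ancestry is resolved rather than checking only the immediate parent because cmd.exe sits between mshta.exe and PowerShell in the chain described above; a parent-only rule would miss the final stage. Tuning is expected: environments that legitimately run HTA applications should whitelist those mshta.exe command lines rather than loosen the PowerShell marker pattern.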
Indicators of Compromise
Type | Indicator
Domain | tripplefury[.]com
Hash | fd5a2f9eed065c5767d5323b8dd928ef8724ea2edeba3e4c83e211edf9ff0160
Hash | 8f49254064d534459b7ec60bf4e21f75284fbabfaea511268c478e15f1ed0db9

Recommendations
Block .LNK execution from untrusted sources.
Enforce strict application control to restrict execution of unauthorized scripts.
Restrict script execution for non-administrative users.
Use email and IM filters to detect and quarantine .LNK files.
Employ EDR signatures to identify DeerStealer script patterns.
Educate users about the risks of opening suspicious icons or shortcut files.
Regularly update endpoint protection with signatures for DeerStealer and similar threats.
Conclusion
The DeerStealer campaign highlights a growing trend where attackers leverage trusted Windows components and misleading file types to evade detection and distribute malware. By weaponizing .LNK files and exploiting native execution processes, attackers bypass traditional defenses while capitalizing on user familiarity with shortcut files.
To mitigate these risks, we recommend that organizations enhance visibility into shortcut file behavior, enforce strict script execution policies, and raise user awareness about social engineering tactics. Combining proactive monitoring, endpoint controls, and layered security strategies is crucial for detecting and stopping DeerStealer and other stealthy information-stealing threats.