Cybercriminals have evolved their social engineering tactics with a sophisticated malware campaign that exploits users’ trust in financial institutions. Unlike traditional attacks that rely on document-based decoys, this threat actor employs HTML files to create convincing credit card company authentication interfaces. This attack represents a concerning shift in malware distribution methods, leveraging the urgency and legitimacy associated with credit card security notifications to bypass user skepticism.

ASEC analysts identified this emerging threat through their continuous monitoring of malware distribution campaigns. The researchers noted that threat actors have significantly enhanced their impersonation techniques, specifically targeting highly reputable financial organizations to maximize their success rates. The campaign demonstrates advanced evasion techniques by incorporating legitimate decoy files alongside malicious payloads.

When users execute the LNK file, it triggers the download of an HTA file and the decoy HTML document into the system’s temporary directory and simultaneously displays the legitimate-looking HTML page, effectively masking its malicious activities while maintaining the illusion of a genuine security process. The HTA component subsequently creates two critical files in the C:\Users\{username}\AppData\Local directory: sys.dll (the primary malicious payload) and user.txt (containing download URLs for additional components).

The notepad.log component functions as a comprehensive backdoor, providing remote shell access, file enumeration capabilities, and keylogging functionality that stores captured data in the C:\Users\{username}\AppData\Local\netkey directory. The app module specifically targets Chromium-based browsers including Chrome, Brave, and Edge for credential harvesting, while net expands the scope to include Opera, Firefox, and major web services like Google, Yahoo, Facebook, and Outlook.
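A defender-side hunt over file-creation telemetry for the artifact chain described above, as an added example that is not part of the article or of the ASEC research. The events are constructed, and the location of notepad.log is an assumption, since the article only names the file.

```python
import re
from collections import defaultdict

# Constructed file-creation events (host, path), modelled on the artifacts the
# ASEC write-up describes. Not real telemetry.
SAMPLE_EVENTS = [
    ("HOST1", r"C:\Users\alice\AppData\Local\Temp\notice.hta"),
    ("HOST1", r"C:\Users\alice\AppData\Local\Temp\notice.html"),
    ("HOST1", r"C:\Users\alice\AppData\Local\sys.dll"),
    ("HOST1", r"C:\Users\alice\AppData\Local\user.txt"),
    ("HOST1", r"C:\Users\alice\AppData\Local\netkey\keys.dat"),
    ("HOST2", r"C:\Users\bob\AppData\Local\Temp\report.html"),
    ("HOST2", r"C:\Users\bob\AppData\Local\sys.dll"),
]

# One pattern per stage of the chain. The decoy HTML and the HTA land in the
# user's Temp directory; sys.dll and user.txt are written directly under
# AppData\Local; keylog output goes to AppData\Local\netkey. notepad.log is
# matched by name anywhere because the write-up does not give its path (assumption).
STAGES = {
    "temp_hta":    re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.hta$", re.I),
    "temp_html":   re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.html?$", re.I),
    "sys_dll":     re.compile(r"\\AppData\\Local\\sys\.dll$", re.I),
    "user_txt":    re.compile(r"\\AppData\\Local\\user\.txt$", re.I),
    "netkey":      re.compile(r"\\AppData\\Local\\netkey\\", re.I),
    "notepad_log": re.compile(r"\\notepad\.log$", re.I),
}

# Stages that are unusual enough on their own to count toward an alert. A lone
# .html in Temp is ordinary browser behaviour, so it is informational only.
STRONG = {"temp_hta", "sys_dll", "user_txt", "netkey", "notepad_log"}


def match_stages(path):
    """Return the set of chain stages a single file path matches."""
    return {name for name, rx in STAGES.items() if rx.search(path)}


def hunt(events, min_stages=2):
    """Group events per host and flag hosts where at least `min_stages`
    strong artifacts co-occur. Returns {host: sorted list of stages seen}."""
    per_host = defaultdict(set)
    for host, path in events:
        per_host[host] |= match_stages(path)
    return {h: sorted(s) for h, s in per_host.items() if len(s & STRONG) >= min_stages}


if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Requiring two strong stages per host keeps a single sys.dll or user.txt from alerting on its own while still catching the full drop sequence.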
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 23 Jul 2025 22:45:10 +0000