Windows Mark of the Web Files LNK Stomping

The article explores a novel Windows security bypass technique involving the Mark of the Web (MOTW) feature and LNK files. MOTW is a security feature in Windows that tags files downloaded from the internet to enforce security policies. However, attackers have discovered a method called 'LNK stomping' that manipulates these LNK shortcut files to bypass MOTW protections, potentially allowing malicious code execution without triggering security warnings. This technique poses a significant threat as it can be used to evade detection by security software and exploit user trust in file shortcuts. The article details how the LNK stomping attack works, its implications for Windows security, and recommendations for organizations to mitigate this risk. It emphasizes the importance of updating security tools, educating users about the risks of opening unknown shortcuts, and monitoring for suspicious LNK file activity. This emerging threat highlights the need for continuous vigilance and adaptation in cybersecurity defenses against evolving attack vectors targeting Windows environments.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 22 Sep 2025 08:45:14 +0000


Cyber News related to Windows Mark of the Web Files LNK Stomping

How Attackers Are Using .LNK Files As a Delivery Mechanism For Malware - Recent research indicates that attackers have moved away from the traditional malicious Office attachment macro in favor of .LNK files. These files, once opened, run malicious scripts intended to deliver malicious payloads onto the host machine, ...
2 years ago Csoonline.com
Unpatched Windows Shortcut Vulnerability Let Attackers Execute Remote Code - Security researcher Nafiez has publicly disclosed a previously unknown vulnerability affecting Windows LNK files (shortcuts) that can potentially allow attackers to execute code remotely without user interaction. As security researchers from Intezer ...
7 months ago Cybersecuritynews.com
Commit Stomping - An Offensive Technique Let Hackers Manipulate Timestamps in Git to Alter File Metadata - While not a bug or vulnerability, Commit Stomping exploits Git’s flexibility to rewrite the timeline of code changes, posing significant risks to software supply chain security, incident response, and code audits. Inspired by ...
7 months ago Cybersecuritynews.com
Weaponization of LNK Files Surge by 50% and Primarily Used in Four Different Malware Categories - These seemingly innocuous files, identifiable by their small arrow icon overlay, are increasingly being weaponized by threat actors to execute malicious payloads while maintaining a facade of legitimacy. Their research revealed that threat actors ...
5 months ago Cybersecuritynews.com
Hackers Weaponize PDF Along with a Malicious LNK File - Cybersecurity researchers have uncovered a new attack technique where hackers weaponize PDF files in conjunction with malicious LNK files to compromise systems. This sophisticated method leverages the trust users place in PDF documents, embedding ...
3 months ago Cybersecuritynews.com
WinRAR 7.10 boosts Windows privacy by stripping MoTW data - This allows the Mark-of-the-Web security feature to continue to work with extracted files, but the alternate data stream can no longer be used to learn where the file was downloaded. Modern file archives will propagate the MoTW found in archives to ...
10 months ago Bleepingcomputer.com
Threat Actors Weaponize LNK Files With New REMCOS Variant That Bypasses AV Engines - Cybercriminals are increasingly leveraging malicious Windows Shortcut (LNK) files to deploy sophisticated backdoors, with a new campaign delivering an advanced REMCOS variant that successfully evades traditional antivirus detection mechanisms. This ...
4 months ago Cybersecuritynews.com
Windows 10 Extended Security Updates Promised for Small Businesses and Home Users - Already common for enterprises, for the first time, individuals will also get the option to pay for extended security updates for a Windows operating system that's out of support. Windows 10 will stop getting free updates, including security fixes, ...
2 years ago Techrepublic.com
Five charged with fraud over $7M+ in alleged bogus expenses The Register - Mark Angarola, Allison Angarola, Jose Garcia, Michelle Cox, and Lisa Mincak were all arrested and charged in the US with one count each of wire fraud and wire fraud conspiracy, both of which carry a maximum sentence of 20 years in prison. Mark ...
1 year ago Go.theregister.com
North Korean Hackers Weaponizing ZIP Files To Execute Malicious PowerShell Scripts - The LNK file contains embedded code that executes PowerShell commands to extract multiple components: a decoy HWPX document (a Korean document format), executable data files, and a batch script. While the security analyst, Mohamed Ezat from ZW01f ...
9 months ago Cybersecuritynews.com APT3 APT37
Ukraine Targeted by UAC-0050 Using Remcos RAT Pipe Method - Remcos RAT is a type of Remote Access Trojan used for unauthorized access and control of a computer system. It allows threat actors to perform various malicious activities like: ... Cybersecurity researchers at Uptycs recently discovered that the ...
1 year ago Gbhackers.com
New LNK Malware Uses Windows Binaries to Evade Detection - A new LNK malware strain has been discovered that leverages legitimate Windows binaries to evade traditional detection methods. This malware uses specially crafted LNK files to execute malicious payloads without raising suspicion. By abusing trusted ...
2 months ago Cybersecuritynews.com
Windows Incident Response: Round Up - MSSQL is still a thing. TheDFIRReport recently posted an article regarding BlueSky ransomware being deployed following MSSQL being brute forced. I'm always interested in things like this because it's possible that the author will provide clear ...
2 years ago Windowsir.blogspot.com
New KoiLoader Abuses Powershell Scripts to Deliver Malicious Payload - Cyber Security News - This updated strain employs PowerShell scripts embedded within Windows shortcut (LNK) files to bypass traditional detection mechanisms, demonstrating a concerning evolution in attack methodologies. eSentire’s Threat Response Unit (TRU) first ...
8 months ago Cybersecuritynews.com
The U.S. Cyber Trust Mark: Providing Assurance That IoT Devices Are Trustworthy - It's safe to say that in 2023, the Internet of Things train has left the station and is full speed ahead. From smart thermostats in our homes, to wearable devices like fitness monitors, to remote security cameras and connected healthcare technology, ...
1 year ago Cyberdefensemagazine.com
8-Year Old Windows Shortcut Zero-Day Exploited by 11 State-Sponsored Groups - Some North Korean threat actors, such as Earth Manticore (APT37) and Earth Imp (Konni), have been using extremely large .lnk files – with sizes up to 70.1 MB – containing excessive whitespace and junk content to further evade detection. ...
9 months ago Cybersecuritynews.com APT37 APT3
DeerStealer Malware Delivered Via Weaponized .LNK Using LOLBin Tools - The malware masquerades as a legitimate PDF document named “Report.lnk” while covertly executing a complex multi-stage attack chain that leverages mshta.exe, a legitimate Microsoft HTML Application host utility. A sophisticated new ...
5 months ago Cybersecuritynews.com
New Windows zero-day exploited by 11 state hacking groups since 2017 - The Windows zero-day, tracked as ZDI-CAN-25373, is caused by a User Interface (UI) Misrepresentation of Critical Information (CWE-451) weakness, which allows attackers to exploit how Windows displays shortcut (.lnk) files to evade detection and ...
9 months ago Bleepingcomputer.com Mustang Panda CVE-2024-43461 APT37 BITTER Kimsuky Sidewinder APT3
CVE-2019-1188 - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. ...
1 year ago
Microsoft No Longer Selling Windows 10 Licenses Redirects to Windows 11 Product Pages - Marking an end to an era, Microsoft is no longer directly selling Windows 10 product keys on their website, instead redirecting users to Windows 11 product pages. This month, Microsoft began displaying an alert on their Windows 10 Home and Pro ...
2 years ago Bleepingcomputer.com