
New Malware Attack Uses LNK Files to Deploy REMCOS Backdoor on Windows Systems


Cybersecurity researchers have uncovered a sophisticated multi-stage malware campaign that leverages malicious Windows LNK shortcut files to deploy the REMCOS backdoor, a potent remote access trojan capable of full system compromise.

Discovery Through Network Probes

The investigation began with the detection of two scanning IP addresses, 91.238.181[.]225 and 5.188.86[.]169, sharing a common Secure Shell (SSH) fingerprint (b5:4c:ce:68:9e:91:39:e8:24:b6:e5:1a:84:a7:a1:03).

This fingerprint led to the identification of an expanded network of 138 servers through reconnaissance tools like Shodan and Fofa, highlighting a broader infrastructure potentially tied to the campaign’s command-and-control (C2) operations.
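The pivot described here, a host-key fingerprint reused across otherwise unrelated IP addresses, is something a threat-intelligence or SOC team can reproduce against its own scan data. The following Python is an added example and not code from the article or from gbhackers: it computes the legacy colon-separated MD5 fingerprint (the format quoted above) and the modern OpenSSH SHA256 form from a raw host-key blob, then groups observed hosts by fingerprint and keeps only the keys seen on more than one address. The host keys, IPs and seeds are constructed for the example; the key bytes are a hash of a label, not a real Ed25519 key, which is fine because fingerprinting only hashes the blob.

```python
from __future__ import annotations

import base64
import hashlib
import struct
from collections import defaultdict

# All hosts and keys below are constructed for the example; none are the
# article's indicators or real servers.


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def fake_host_key(seed: str) -> bytes:
    """Build a syntactically valid ssh-ed25519 host-key blob from a seed.
    The 32 'key' bytes are a hash of the seed, not a real Ed25519 public key."""
    point = hashlib.sha256(seed.encode()).digest()
    return ssh_string(b"ssh-ed25519") + ssh_string(point)


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint (the style quoted in the article)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Modern OpenSSH-style fingerprint: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_fingerprint(observations: list[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Group scanned hosts by the MD5 fingerprint of the host key they presented."""
    clusters: dict[str, list[str]] = defaultdict(list)
    for ip, blob in observations:
        clusters[md5_fingerprint(blob)].append(ip)
    return {fp: sorted(ips) for fp, ips in clusters.items()}


def shared_key_clusters(observations: list[tuple[str, bytes]], min_hosts: int = 2) -> dict[str, list[str]]:
    """Keep only fingerprints seen on at least min_hosts distinct IPs: a host key
    reused across unrelated addresses is the kind of pivot the article describes."""
    return {fp: ips for fp, ips in cluster_by_fingerprint(observations).items()
            if len(set(ips)) >= min_hosts}


# Constructed scan results: three hosts cloned from one image, one unrelated host.
SAMPLE_OBSERVATIONS = [
    ("203.0.113.10", fake_host_key("cloned-image")),
    ("203.0.113.11", fake_host_key("cloned-image")),
    ("198.51.100.7", fake_host_key("cloned-image")),
    ("192.0.2.42", fake_host_key("unrelated-host")),
]

if __name__ == "__main__":
    for fp, ips in shared_key_clusters(SAMPLE_OBSERVATIONS).items():
        print(fp, "->", ", ".join(ips))
```

In practice the blob comes from a scanner's `ssh.server_host_key` style field (Shodan and Fofa both expose the key; the exact field name depends on the service and is not shown in the article), and a cluster of dozens of addresses behind one fingerprint is a strong hint of infrastructure provisioned from a single image rather than coincidence.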

The attack chain, often initiated via phishing emails or malicious downloads, disguises the LNK file as innocuous documents such as invoices or Word files, exploiting Windows’ default behavior of hiding file extensions to deceive users.

Upon execution, the shortcut ...
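Because Explorer hides the .lnk extension even when other extensions are shown, a file named `invoice.pdf.lnk` is displayed as `invoice.pdf`, which is the disguise the paragraph above describes. The Python below is an added example, not code from the article or from gbhackers, showing how a defender can identify shortcuts by content rather than by name: it checks for the Shell Link header (HeaderSize 0x4C followed by the LinkCLSID {00021401-0000-0000-C000-000000000046}) and flags files whose name stacks a document extension in front of .lnk, or whose content and extension disagree. The sample files, directory layout and the list of imitated document extensions are constructed for the example; the stub "shortcuts" are header-only and do not point anywhere.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# Magic of a Windows Shell Link (.lnk) file: HeaderSize 0x0000004C followed by
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Extensions a lure typically imitates (illustrative list, not from the article).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def is_lnk(head: bytes) -> bool:
    """Identify a shell link by its content, not by the name the file carries."""
    return head[: len(LNK_MAGIC)] == LNK_MAGIC


def flag_reasons(name: str, head: bytes) -> list[str]:
    """Return why a file looks like a disguised shortcut (empty list = nothing suspicious)."""
    p = Path(name)
    outer = p.suffix.lower()
    inner = [s.lower() for s in p.suffixes[:-1]]  # extensions sitting in front of the final one
    reasons: list[str] = []
    if is_lnk(head):
        if outer != ".lnk":
            reasons.append("shell link content but extension is not .lnk")
        if any(s in DOCUMENT_EXTS for s in inner):
            # Explorer never shows .lnk, so "invoice.pdf.lnk" is displayed as "invoice.pdf"
            reasons.append("document extension stacked in front of .lnk")
    elif outer == ".lnk":
        reasons.append(".lnk extension but content is not a shell link")
    return reasons


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory and report every file that has at least one reason."""
    findings: dict[str, list[str]] = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(len(LNK_MAGIC))
        reasons = flag_reasons(path.name, head)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed sample tree in a temporary directory and scan it."""
    # Header-sized stub: correct magic, zeroed remainder, not a working shortcut.
    fake_lnk = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
    samples = {
        "invoice.pdf.lnk": fake_lnk,            # classic lure: shows as "invoice.pdf"
        "attachments/contract.docx": fake_lnk,  # shortcut content under a plain document name
        "readme.txt": b"just text\n",           # benign
        "desktop/tools.lnk": fake_lnk,          # ordinary, honestly named shortcut
        "odd.lnk": b"MZ\x90\x00",               # .lnk name but not a shortcut at all
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, "->", "; ".join(reasons))
```

The same check is cheap to run at a mail gateway or on a download folder: only the first 20 bytes of each file are read, and the magic test does not depend on the file extension the user sees.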


Copyright of this story solely belongs to gbhackers.