DeerStealer Malware Hides in LNK File Using LOLBins

A recent phishing campaign delivers the DeerStealer malware through weaponized shortcut files that abuse trusted Windows utilities. Disguised as a PDF titled “Report.lnk,” the file starts a multi-stage infection chain built on legitimate binaries, a technique known as Living off the Land. Because each stage runs inside a trusted system process, the chain can bypass traditional defenses.

Security researchers identified the attack as a five-stage process: .LNK → mshta.exe → cmd.exe → PowerShell → DeerStealer. The malware dynamically resolves system paths and uses obfuscated Base64 scripts to evade detection. Analysts noted that the use of mshta.exe aligns with MITRE ATT&CK technique T1218.005, indicating a high level of sophistication. To distract victims, the malware opens a decoy PDF while silently deploying its payload into the AppData directory. The obfuscated command sequences complicate forensic analysis.
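Defenders can hunt for this parent-child sequence in process-creation telemetry. The following is an added example, not code from the report: it walks process ancestry over constructed events (the field names `pid`, `ppid`, `image` and `cmd` are assumptions modelled on typical process-creation logs) and flags PowerShell whose lineage ends in mshta.exe → cmd.exe → powershell.exe, noting whether the command line carries a long Base64-like token.

```python
import base64
import ntpath
import re

CHAIN = ["mshta.exe", "cmd.exe", "powershell.exe"]  # stage order given in the article
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # assumed heuristic for encoded scripts

def lineage(event, by_pid, max_depth=8):
    """Return image names from the oldest known ancestor down to this process."""
    names, seen = [], set()
    while event and event["pid"] not in seen and len(names) < max_depth:
        seen.add(event["pid"])  # guards against parent loops in bad data
        names.append(ntpath.basename(event["image"]).lower())
        event = by_pid.get(event["ppid"])
    return names[::-1]

def find_chains(events):
    """Flag processes whose most recent ancestry matches CHAIN exactly."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        names = lineage(e, by_pid)
        if names[-len(CHAIN):] == CHAIN:
            hits.append({"pid": e["pid"], "lineage": names,
                         "encoded": bool(B64_BLOB.search(e["cmd"]))})
    return hits

def sample_events():
    """Constructed events; command lines are placeholders, not real samples."""
    blob = base64.b64encode(b"constructed sample, not a real payload " * 2).decode()
    sys32 = "C:\\Windows\\System32\\"
    ps = sys32 + "WindowsPowerShell\\v1.0\\powershell.exe"
    return [
        {"pid": 10, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"},
        {"pid": 20, "ppid": 10, "image": sys32 + "mshta.exe", "cmd": "mshta.exe <constructed>"},
        {"pid": 30, "ppid": 20, "image": sys32 + "cmd.exe", "cmd": "cmd.exe /c <constructed>"},
        {"pid": 40, "ppid": 30, "image": ps, "cmd": "powershell.exe " + blob},
        # Benign: PowerShell started from cmd.exe with no mshta.exe ancestor.
        {"pid": 50, "ppid": 10, "image": sys32 + "cmd.exe", "cmd": "cmd.exe"},
        {"pid": 60, "ppid": 50, "image": ps, "cmd": "powershell.exe Get-Date"},
    ]

if __name__ == "__main__":
    for hit in find_chains(sample_events()):
        print(hit)
```

PID reuse is ignored here; against real telemetry, key the parent lookup on a unique process identifier or on PID plus start time.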

Read the full report: https://cybersecuritynews.com/deerstealer-malware-delivered/
