Attackers move away from Office macros to LNK files for malware delivery
For years attackers have used Office documents with malicious macros as one of the primary methods of infecting computers with malware. Microsoft finally took steps to disable such scripts by default in documents downloaded from the internet, forcing many groups to change tactics and increasingly choose LNK (shortcut) files as a delivery mechanism.
This trend has led to the creation of paid tools and services dedicated to building malicious LNK files. Some of these builders include MLNK Builder, Quantum Builder, Macropack, LNKUp, Lnk2pwn, SharPersist, and RustLnkBuilder, but their use can provide opportunities for easier detection by security products.