Layered shortcuts are a chain of shortcut files, often Windows .lnk files, where one shortcut launches another until the final payload runs. Each step can disguise the real destination, add delay, or pass execution through a benign-looking file name. This makes the launch path harder to spot than a single obvious executable.
In cyber attacks, layered shortcuts are used to hide the true malware entry point and to separate the lure from the payload. They help attackers evade simple file-based detection because defenders may see only a document or shortcut at first, not the command that finally starts the malware. Defenders look for suspicious shortcut targets, unusual command lines, and process lineage that shows a chain of clicks or launches leading to scripts, loaders, or RATs. Watching how a shortcut resolves, rather than trusting its icon or name, is key to catching this technique.



