
By leveraging trusted cloud platforms and file‑less techniques, the campaign shows how state‑sponsored actors can evade conventional security controls, increasing data‑theft risk for organizations handling sensitive geopolitical information. Enterprises must adapt detection strategies to monitor LNK usage and cloud C2 traffic.
The resurgence of LNK‑based attacks reflects a broader shift among advanced threat groups toward abusing everyday Windows shortcuts to trigger malicious code. By embedding PowerShell commands within a seemingly innocuous shortcut, actors can launch file‑less payloads that leave no traditional executable on disk, making signature‑based detection ineffective. Coupling this technique with cloud services like Dropbox for command‑and‑control further obscures malicious traffic, as legitimate API calls blend with hostile communications, complicating network monitoring.
Technically, the ToyBox Story chain demonstrates a multi‑stage delivery pipeline. After a victim extracts the ZIP archive and opens the shortcut, the LNK file creates temporary files in %Temp% and runs a BAT script that loads XOR‑transformed data files (toy02.dat and toy01.dat). The decoded shellcode is injected directly into memory, spawning the RoKRAT RAT. RoKRAT gathers extensive system telemetry, captures screenshots, and exfiltrates the collected data encrypted with AES‑128 in CBC mode, with the AES keys protected by RSA, so that intercepted traffic cannot be read without the operator's private key.
For defenders, the campaign underscores the necessity of behavioral analytics over static indicators. Blocking LNK execution from email attachments, enforcing strict cloud‑application policies, and deploying endpoint detection and response solutions that can flag anomalous PowerShell activity are critical steps. Organizations handling politically sensitive data should also consider network segmentation and continuous monitoring of outbound traffic to cloud providers, as the “Living off Trusted Sites” model increasingly blurs the line between legitimate and malicious communications.
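The behavioral detection the paragraph calls for, written as an added example (not code from the article or from any vendor) over constructed, Sysmon‑shaped process, file and network events: it correlates an Explorer‑launched BAT in %Temp%, hidden or encoded PowerShell spawned from it, .dat payload containers, and Dropbox API traffic from a process that is not a normal cloud client. The event field names, hostnames, command lines and the client allowlist are all assumptions.

```python
import re
from collections import defaultdict

# Constructed, Sysmon-shaped sample events (ws01 infected, ws02 clean); not telemetry from the article.
EVENTS = [
    {"type": "process", "host": "ws01", "pid": 4100, "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\story.bat"},
    {"type": "process", "host": "ws01", "pid": 4120, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA..."},
    {"type": "file", "host": "ws01", "pid": 4100, "path": r"C:\Users\u\AppData\Local\Temp\toy02.dat"},
    {"type": "network", "host": "ws01", "pid": 4120, "image": "powershell.exe", "dest": "api.dropboxapi.com"},
    {"type": "process", "host": "ws02", "pid": 5000, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"type": "network", "host": "ws02", "pid": 600, "image": "Dropbox.exe", "dest": "api.dropboxapi.com"},
]

# Dropbox API endpoints (the C2 channel the article names) and the processes assumed to use them legitimately.
CLOUD_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
EXPECTED_CLOUD_CLIENTS = {"dropbox.exe", "chrome.exe", "msedge.exe"}
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\[^\\\s]+\.bat\b", re.I)  # BAT staged by the LNK
TEMP_DAT = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.dat$", re.I)        # XOR-transformed .dat containers
STEALTHY_PS = re.compile(r"-(?:enc|encodedcommand|w(?:indowstyle)?\s+hidden|ep\s+bypass)\b", re.I)

def detect_chain(events):
    """Return {host: [finding, ...]} for hosts showing the LNK -> BAT -> in-memory -> cloud-C2 chain.
    Findings are per stage; an analyst can require two or more on one host before alerting."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        hits, chain_pids = [], set()
        for e in (x for x in evs if x["type"] == "process"):
            parent, image, cmd = e["parent"].lower(), e["image"].lower(), e["cmdline"]
            if parent == "explorer.exe" and TEMP_SCRIPT.search(cmd):  # stage 1: LNK runs %Temp% BAT
                chain_pids.add(e["pid"])
                hits.append(f"explorer.exe launched a %Temp% script: {cmd}")
            elif image == "powershell.exe" and parent == "cmd.exe" and STEALTHY_PS.search(cmd):
                chain_pids.add(e["pid"])  # stage 2: BAT spawns hidden/encoded PowerShell loader
                hits.append(f"cmd.exe spawned hidden/encoded PowerShell (pid {e['pid']})")
        for e in evs:
            if e["type"] == "file" and e["pid"] in chain_pids and TEMP_DAT.search(e["path"]):
                hits.append(f"staging chain touched payload container: {e['path']}")  # stage 3
            elif (e["type"] == "network" and e["dest"] in CLOUD_API_HOSTS
                  and e["image"].lower() not in EXPECTED_CLOUD_CLIENTS):
                hits.append(f"{e['image']} (pid {e['pid']}) contacted {e['dest']}")  # stage 4: odd C2 client
        if hits:
            findings[host] = hits
    return findings
```

The clean host produces no findings because its PowerShell runs a plain script file under Explorer and its Dropbox traffic comes from the expected client; the infected host produces one finding per stage, which is what lets a rule demand correlation rather than alert on a single noisy signal.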