DeerStealer: New Malware Uses Stealthy LNK & LOLBins for Undetectable Data Theft
A newly uncovered malicious campaign involving the infostealer DeerStealer has been identified by researchers at ANY.RUN. Threat actors are employing a sophisticated tactic—combining Windows shortcut files (LNK) with trusted system utilities known as Living-off-the-Land Binaries and Scripts (LOLBins/LOLScripts). This multi-stage, stealth-driven strategy allows adversaries to bypass security mechanisms and evade early detection.
The attack is initiated through phishing emails or deceptive files distributed via shared access links. These files masquerade as innocuous documents—bearing names like “Report.lnk” and visually resembling PDF icons. When executed by the victim, the shortcut silently triggers the Windows utility “mshta.exe,” a native and digitally signed component trusted by the operating system. This renders the intrusion nearly invisible to application control and logging systems.
Particular emphasis is placed on obfuscating the code: malicious PowerShell commands embedded in the LNK file are often encoded in Base64, obscured with wildcard characters in file paths, and deeply buried within the payload. This prevents antivirus engines from detecting the threat using traditional signature-based methods. Once “mshta.exe” is invoked, the attack chain proceeds through “cmd.exe” and PowerShell, dynamically resolving system paths while disabling logging and profiling mechanisms.
Further execution involves multi-layered decryption and the real-time construction of the malicious script, which only materializes at runtime. The script is reassembled from encrypted character sets and executed via Invoke-Expression—an approach that renders pre-execution analysis ineffective.
Stealth is meticulously maintained at every stage: the URLs and binary components required to deploy DeerStealer are loaded into memory only when needed, greatly complicating network-based detection. To divert suspicion, the infection chain opens a decoy PDF document in Adobe Acrobat, keeping the victim unaware of any malicious activity.
Meanwhile, the main payload—a stealthy executable of the infostealer—is silently written to the AppData directory and launched. The malware ensures persistence by modifying registry entries or scheduling recurring tasks, thereby surviving system reboots undetected.
Dynamic sandbox analysis enabled researchers to trace the complete kill chain—from the initial LNK file to the covert exfiltration of data to remote servers. Notably, DeerStealer is designed to detect sandbox environments and activates only on genuine hardware, evading execution in virtual machines.
DeerStealer harvests a wide range of user data, including browser and messenger credentials, autofill information, and contents of cryptocurrency wallets. All exfiltrated data is encrypted and transmitted to command-and-control servers, which are further shielded behind proxy layers.
Combating such threats is particularly challenging due to the abuse of trusted system utilities and the suppression of PowerShell logs. Experts recommend enabling AMSI (Antimalware Scan Interface), closely monitoring anomalous activity involving mshta and PowerShell, tracking unusual child process creation, and thoroughly inspecting outbound network traffic.
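The monitoring advice above (anomalous mshta and PowerShell activity, unusual child processes, obfuscated command lines) can be turned into a concrete check. The following is an added example written for this article, not code from ANY.RUN or from the DeerStealer report: it runs over a small set of constructed, Sysmon-style process-creation records, rebuilds each PowerShell process's ancestry to see whether it descends from mshta.exe (the LNK → mshta.exe → cmd.exe → PowerShell chain described earlier), decodes any `-EncodedCommand` argument (UTF-16LE Base64, the form PowerShell itself uses), and notes the traits the article mentions: a hidden window, `-NoProfile`, an execution-policy bypass, Invoke-Expression, and wildcard-obscured paths. All process names, paths and the stand-in encoded script are invented for the demonstration and are not campaign indicators.

```python
import base64
import re
from typing import Optional

# Constructed stand-in for an encoded PowerShell payload. It is harmless and
# exists only so the decoder and trait checks below have something to find.
DECODED_STANDIN = "$p = 'C:\\Win*\\Sys*\\cmd.exe'; Invoke-Expression 'Write-Output stand-in'"
ENCODED_STANDIN = base64.b64encode(DECODED_STANDIN.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (Sysmon Event ID 1 style: pid, parent
# pid, image path, command line). Values are invented; none are real IoCs.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Double-clicking the shortcut makes Explorer launch the signed mshta.exe.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\victim\AppData\Local\Temp\stage1.hta"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -w hidden -nop -ep bypass "
                "-EncodedCommand " + ENCODED_STANDIN},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -EncodedCommand "
                + ENCODED_STANDIN},
    # Benign control: an administrator running a script from Explorer.
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Longest alias first so "-EncodedCommand" is not cut short at "-e".
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})",
                        re.IGNORECASE)
WILDCARD_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s'\"]*\*")
FLAG_CHECKS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.IGNORECASE),
}


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def script_indicators(cmdline: str) -> list[str]:
    """Collect the command-line and in-script traits the article describes."""
    hits = [name for name, rx in FLAG_CHECKS.items() if rx.search(cmdline)]
    script = decode_encoded_command(cmdline)
    if script is not None:
        hits.append("encoded_command")
        if re.search(r"invoke-expression|\biex\b", script, re.IGNORECASE):
            hits.append("invoke_expression")
        if WILDCARD_PATH_RE.search(script):
            hits.append("wildcard_path")
    return hits


def ancestry(events: list[dict], pid: int) -> list[str]:
    """Image basenames from the root ancestor down to pid (cycle-safe)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def analyze(events: list[dict]) -> list[dict]:
    """One finding per PowerShell launch that descends from mshta.exe or
    carries obfuscation traits; the score just ranks findings for triage."""
    findings = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL_IMAGES:
            continue
        chain = ancestry(events, e["pid"])
        traits = script_indicators(e["cmdline"])
        via_mshta = "mshta.exe" in chain
        if via_mshta or traits:
            findings.append({"pid": e["pid"], "chain": chain, "traits": traits,
                             "score": len(traits) + (3 if via_mshta else 0)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

On real telemetry the same logic applies to Sysmon, EDR or Windows Security 4688 events with command-line auditing enabled; the ancestry walk is what catches the chain even when each individual binary is signed and allow-listed, and decoding the encoded argument is worth doing centrally because, as the article notes, the script itself may switch off PowerShell's own logging.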