Description
Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign Windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (stored as the ICON_LOCATION string and, when the path uses environment variables, also in the IconEnvironmentDataBlock) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory. Because the field is a free-form path string, nothing in the format prevents it from naming a URL or a UNC share rather than a local file.
Adversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., Malicious File), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by Command and Scripting Interpreter/System Binary Proxy Execution arguments within the target path field of the LNK.(Citation: Unprotect Shortcut)(Citation: Booby Trap Shortcut 2017)
LNK Icon Smuggling may also be utilized post-compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads.
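The fields described above can be checked directly rather than waiting for the payload to run. The following is an added example (not code from the ATT&CK page or from any cited vendor report): a minimal MS-SHLLINK parser that pulls the ICON_LOCATION string, the IconEnvironmentDataBlock path, and the relative path and command-line arguments out of a .LNK, then flags the smuggling pattern the description lays out (icon path pointing at a URL or UNC share, target invoking a scripting or proxy-execution binary). The two shortcut files it scans are constructed in-line so it runs offline; the host names, share and file names in them are placeholders, not real indicators.

```python
"""Parse a Windows .LNK (MS-SHLLINK) file and flag icon-location smuggling.

Added example, not code from the ATT&CK page or any cited vendor. The two
shortcut files below are constructed in-line so the script runs offline;
the host names and paths in them are placeholders (RFC 2606 / RFC 5737).
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
ICON_ENV_SIG = 0xA0000007      # IconEnvironmentDataBlock signature; BlockSize is always 0x314
URL_RE = re.compile(r"^(https?|ftp)://", re.I)
PROXY_BIN_RE = re.compile(r"(powershell|pwsh|cmd\.exe|mshta|rundll32|regsvr32|wscript|cscript|certutil|bitsadmin)", re.I)


def _string_data(buf, off, unicode):
    """Read one StringData item: 2-byte character count followed by the characters."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("cp1252"), off + count


def parse_lnk(buf):
    """Return the StringData fields plus any IconEnvironmentDataBlock path."""
    if len(buf) < 76 or struct.unpack_from("<I", buf, 0)[0] != 76 or buf[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    unicode = bool(flags & IS_UNICODE)
    off = 76
    if flags & HAS_ID_LIST:                      # skip LinkTargetIDList (2-byte size + items)
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (its size field includes itself)
        off += struct.unpack_from("<I", buf, off)[0]
    fields = {}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                      (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if flags & flag:
            fields[key], off = _string_data(buf, off, unicode)
    # ExtraData: [BlockSize][BlockSignature][payload] ... terminated by a block with size < 4
    while off + 4 <= len(buf):
        size = struct.unpack_from("<I", buf, off)[0]
        if size < 4:
            break
        sig = struct.unpack_from("<I", buf, off + 4)[0]
        if sig == ICON_ENV_SIG and size == 0x314:
            ansi = buf[off + 8:off + 268].split(b"\x00", 1)[0].decode("cp1252")    # TargetAnsi, 260 bytes
            uni = buf[off + 268:off + 788].decode("utf-16-le").split("\x00", 1)[0]  # TargetUnicode, 520 bytes
            fields["icon_env_block"] = uni or ansi
        off += size
    return fields


def icon_smuggling_indicators(fields):
    """Heuristics: icon path is remote, or the shortcut launches a script/proxy binary."""
    hits = []
    for key in ("icon_location", "icon_env_block"):
        val = fields.get(key, "")
        if URL_RE.match(val):
            hits.append(f"{key} is a URL: {val}")
        elif val.startswith("\\\\"):
            hits.append(f"{key} is a UNC path: {val}")
    launch = fields.get("relative_path", "") + " " + fields.get("arguments", "")
    if PROXY_BIN_RE.search(launch):
        hits.append(f"target invokes script/proxy binary: {launch.strip()}")
    return hits


def build_lnk(target_relpath, arguments, icon_location, icon_env=None):
    """Construct a minimal LNK (header + StringData + ExtraData) for testing only."""
    flags = HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIqqqIIIHHII", 76, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def sd(s):  # one StringData item, UTF-16LE because IS_UNICODE is set
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = sd(target_relpath) + sd(arguments) + sd(icon_location)
    extra = b""
    if icon_env is not None:
        extra = (struct.pack("<II", 0x314, ICON_ENV_SIG)
                 + icon_env.encode("cp1252").ljust(260, b"\x00")
                 + icon_env.encode("utf-16-le").ljust(520, b"\x00"))
    return header + body + extra + b"\x00\x00\x00\x00"      # TerminalBlock


# Constructed samples (placeholder hosts and paths, not real artifacts).
MALICIOUS_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    "/c powershell -NoP -W Hidden -ep bypass -f %TEMP%\\stage.ps1",
    r"\\203.0.113.5\share\report.ico",
    icon_env="http://example.invalid/report.ico",
)
BENIGN_LNK = build_lnk(r"..\Documents\report.pdf", "", r"%SystemRoot%\System32\imageres.dll")

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(name, icon_smuggling_indicators(parse_lnk(blob)) or "no indicators")
```

The parser skips the LinkTargetIDList and LinkInfo structures rather than decoding them, so the launched binary is recovered from the RELATIVE_PATH string; a production scanner should also resolve the IDList target, since a shortcut can omit the relative path entirely. Running the scan over .LNK files landing in mail attachment caches, download directories and archive-extraction folders is the file-side counterpart to watching for explorer.exe spawning the binaries in PROXY_BIN_RE.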
Platforms
Mitigations (2)
M1049 Antivirus/Antimalware
Use signatures or heuristics to detect malicious LNK and subsequently downloaded files.
M1040 Behavior Prevention on Endpoint
On Windows 10 and later, enable Attack Surface Reduction (ASR) rules, such as "Block execution of potentially obfuscated scripts", to prevent execution of potentially obfuscated scripts or payloads. ASR rules require Microsoft Defender Antivirus to be the active antimalware engine, so verify that before relying on them.
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used the LNK icon location to execute malicious scripts.(Citation: Aryaka Kimsuky July 2025) [K... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used LNK files to hide malicious scripts for execution.(Citation: SymantecCarbonBlack_Shu... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has utilized LNK files to hide malicious scripts for execution.(Citation: Cisco Talos MUSTANG P... |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has been initiated using LNK files that were programmed to display a PDF icon to entice the victi... |
References
- Unprotect Project. (2019, March 18). Shortcut Hiding. Retrieved October 3, 2023.
- Weyne, F. (2017, April). Booby trap a shortcut with a backdoor. Retrieved October 3, 2023.
Frequently Asked Questions
What is T1027.012 (LNK Icon Smuggling)?
T1027.012 is a MITRE ATT&CK sub-technique of T1027 (Obfuscated Files and Information) named 'LNK Icon Smuggling'. It belongs to the Defense Evasion tactic. Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign Windows shortcut files. Windows shortcut files (.LNK) include many...
How can T1027.012 be detected?
Detection of T1027.012 (LNK Icon Smuggling) rests on the LNK file itself and on what it spawns. On the file side, inspect .LNK files created in user-writable locations (download directories, mail attachment caches, archive-extraction folders) for an icon location string or IconEnvironmentDataBlock that points at an external URL or UNC path, and for a target or command-line arguments that invoke cmd.exe, PowerShell, mshta.exe or another Command and Scripting Interpreter or System Binary Proxy Execution binary. On the endpoint side, alert when explorer.exe launches one of those binaries with arguments taken from a shortcut, especially when an outbound network connection and a new file in a temporary directory follow. Signature and heuristic scanning of the downloaded payload complements both.
What mitigations exist for T1027.012?
There are 2 documented mitigations for T1027.012. Key mitigations include: Antivirus/Antimalware, Behavior Prevention on Endpoint.
Which threat groups use T1027.012?
Known threat groups using T1027.012 include: Kimsuky, Gamaredon Group, Mustang Panda.