On April 18, 2025, a malicious LNK file named “2025416-方案1-方案細節.pdf.lnk” (roughly “2025416-Proposal 1-Proposal Details.pdf.lnk”; the double extension disguises a Windows shortcut as a PDF) was uploaded from Taiwan. The shortcut acts as a downloader: it fetches an executable named “setup.exe” from a hardcoded URL and runs it. The executable installs a Python-based backdoor and adds a persistence mechanism so the backdoor keeps running across reboots. Affected: Taiwan, users of Windows systems, cybersecurity sector
Key points:
- Discovery of a malicious LNK file from Taiwan on April 18, 2025.
- The LNK file downloads and executes a malicious installer named setup.exe.
- LNK metadata (the machine ID stored in the shortcut's TrackerDataBlock) shows the file was created on a host named desktop-8g6b11u.
- Setup.exe installs a backdoor using a Python script that interacts with a command and control server.
- The backdoor runs an infinite beacon loop, polling the command and control server for additional payloads to execute.
- The first observed payload drops a Visual Basic script and schedules it to run every 10 minutes for persistence.
- The second observed payload changes the backdoor's sleep (beacon) interval.
- The files and URLs involved are listed under Indicators of Compromise below.
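The host name in the key point above is recoverable from any .lnk because Windows embeds a TrackerDataBlock (MS-SHLLINK section 2.5.10) holding the creating machine's NetBIOS name and two link-tracking GUIDs; the file GUID is normally a version-1 UUID whose node field is the MAC address of the creating machine's NIC. The parser below is an added example for triaging such a sample, not code from the original post or from the analysis it summarises. It builds a constructed minimal .lnk fixture (only a header and a TrackerDataBlock; the MAC and GUIDs are made up) so it runs offline, and the same parse_tracker() works on a real shortcut passed on the command line.

```python
"""Extract the origin machine name and NIC MAC from a Windows .lnk file."""
import struct
import sys
import uuid

HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
TRACKER_SIGNATURE = 0xA0000003

# LinkFlags bits selecting the optional structures that precede ExtraData
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
IS_UNICODE = 0x80


def parse_tracker(data: bytes) -> dict:
    """Walk past the header and optional structures to ExtraData, then decode the TrackerDataBlock."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size = struct.unpack_from("<I", data, 0)[0]
    clsid = uuid.UUID(bytes_le=data[4:20])
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE

    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    char_size = 2 if flags & IS_UNICODE else 1   # StringData: CountCharacters (2) + chars
    for bit in STRING_FLAGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2 + count * char_size

    # ExtraData is a run of (BlockSize, BlockSignature, ...) blocks ended by a BlockSize < 4
    while pos + 8 <= len(data):
        block_size, signature = struct.unpack_from("<II", data, pos)
        if block_size < 4:
            break
        if signature == TRACKER_SIGNATURE:
            return _decode_tracker(data[pos:pos + block_size])
        pos += block_size
    raise ValueError("no TrackerDataBlock present")


def _decode_tracker(block: bytes) -> dict:
    # BlockSize(4) Signature(4) Length(4) Version(4) MachineID(16) Droid(32) DroidBirth(32) = 0x60
    if len(block) < 0x60:
        raise ValueError("truncated TrackerDataBlock")
    machine_id = block[16:32].split(b"\x00", 1)[0].decode("ascii", "replace")
    droid_volume = uuid.UUID(bytes_le=block[32:48])
    droid_file = uuid.UUID(bytes_le=block[48:64])
    mac = None
    if droid_file.version == 1:                  # v1 UUID: 48-bit node field is the NIC MAC
        hexnode = "{:012x}".format(droid_file.node)
        mac = ":".join(hexnode[i:i + 2] for i in range(0, 12, 2))
    return {"machine_id": machine_id, "volume_id": str(droid_volume),
            "file_id": str(droid_file), "mac": mac}


def build_sample_lnk(machine_id: str, mac: str) -> bytes:
    """Constructed fixture: a minimal .lnk carrying only a TrackerDataBlock.
    Not the real sample from the post; the MAC and GUIDs are made up."""
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID.bytes_le
    # LinkFlags=0 (no IDList/LinkInfo/strings), attrs, 3 timestamps, size, icon, SW_SHOWNORMAL, hotkey, reserved
    header += struct.pack("<IIQQQIIIHHII", 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    file_id = uuid.uuid1(node=int(mac.replace(":", ""), 16))   # v1 UUID embeds the NIC MAC
    droid = uuid.uuid4().bytes_le + file_id.bytes_le
    tracker = struct.pack("<IIII", 0x60, TRACKER_SIGNATURE, 0x58, 0)
    tracker += machine_id.encode("ascii").ljust(16, b"\x00") + droid + droid
    return header + tracker + struct.pack("<I", 0)               # TerminalBlock


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:  # constructed sample; 00:0c:29:ab:cd:ef is an invented MAC
        blob = build_sample_lnk("desktop-8g6b11u", "00:0c:29:ab:cd:ef")
    print(parse_tracker(blob))
```

Run it with a path to a .lnk to print the machine ID, the two link-tracking GUIDs and the MAC. A missing TrackerDataBlock or a non-v1 file GUID is normal for shortcuts generated by tooling rather than by Explorer, so treat an absent MAC as "not available" rather than as evidence of tampering.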
MITRE ATT&CK Techniques:
- T1064 – Scripting (deprecated technique, now covered by T1059): the installer runs a Python script that acts as the backdoor.
- T1059.006 – Command and Scripting Interpreter: Python: the backdoor is a Python script that communicates with the C2 server.
- T1053.005 – Scheduled Task/Job: Scheduled Task: a scheduled task runs the dropped VBScript every 10 minutes to maintain persistence.
- T1071.001 – Application Layer Protocol: Web Protocols: C2 traffic is HTTP(S) to eip.netask.workers[.]dev, a Cloudflare Workers hostname.
Indicators of Compromise:
- [File] 2025416-方案1-方案細節.pdf.lnk
- [Hash] f4bb263eb03240c1d779a00e1e39d3374c93d909d358691ca5386387d06be472
- [File] setup.exe
- [Hash] 4e256572e001b76872074878f8ecd2be3f237c9b3a18d0059e2f4a3888579b5b
- [URL] https://eip.netask.workers[.]dev
Full Story: https://dmpdump.github.io/posts/Python_Backdoor_TW/