MITRE ATT&CK® Technique

T1027.012: LNK Icon Smuggling

Adversaries may smuggle commands to download malicious payloads past content filters by hiding them within otherwise seemingly benign Windows shortcut files. Windows shortcut files (.LNK) include many metadata fields, including an icon location field (also known as the `IconEnvironmentDataBlock`) designed to specify the path to an icon file that is to be displayed for the LNK file within a host directory.

Adversaries may abuse this LNK metadata to download malicious payloads. For example, adversaries have been observed using LNK files as phishing payloads to deliver malware. Once invoked (e.g., Malicious File), payloads referenced via external URLs within the LNK icon location field may be downloaded. These files may also then be invoked by Command and Scripting Interpreter/System Binary Proxy Execution arguments within the target path field of the LNK.[1][2]

LNK Icon Smuggling may also be utilized post compromise, such as malicious scripts executing an LNK on an infected host to download additional malicious payloads.

Enterprise | T1027.012 | Sub-technique | Object v2.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

LNK Icon Smuggling matters because a Windows shortcut can look harmless while carrying metadata that points to an external payload. For leaders, the practical issue is not the shortcut file itself; it is whether email, web, endpoint, and SOC processes can inspect shortcut metadata and respond when a user or script causes a download through that hidden icon-location field.

Executive priority

Prioritize this where Windows endpoints, phishing exposure, or post-compromise payload staging are material to operations. The control decision is whether endpoint prevention, antimalware, and monitoring can catch suspicious LNK behavior before it becomes malware execution or follow-on access. This technique also has audit value: teams should be able to show evidence that shortcut files, child processes, and unexpected external downloads are monitored, not just that standard malware scanning is deployed.

Technical view

This is a Windows sub-technique of Obfuscated Files or Information under the Defense Evasion tactic. ATT&CK describes adversaries abusing the LNK icon location field, which the description equates with the IconEnvironmentDataBlock, to reference external URLs and download payloads when the shortcut is invoked. Note that the MS-SHLLINK format carries an icon path in two places: the ICON_LOCATION string in StringData (present when the HasIconLocation flag is set) and the optional IconEnvironmentDataBlock in ExtraData (block signature 0xA0000007), so a parser that reads only one of them can miss the reference. The object has no official ATT&CK detection text, but it is related to DET0405, Detection Strategy for LNK Icon Smuggling. SOC and IR teams should validate whether they can parse LNK metadata, identify external icon paths (URLs, and UNC paths to hosts outside the environment), and correlate LNK invocation with command and scripting interpreter or system binary proxy execution activity referenced by the ATT&CK description.

Likely telemetry

  • Windows endpoint file events for .LNK creation, modification, download, and execution context
  • Parsed LNK metadata, especially icon location / IconEnvironmentDataBlock values
  • Process creation telemetry showing shortcuts leading to command interpreters or trusted system binaries
  • Network telemetry for outbound downloads initiated after LNK interaction or script-driven LNK execution
  • Email, web, or file gateway evidence for shortcut-file delivery where available

Detection direction

  • Confirm whether detection content inspects LNK metadata rather than only file extension, hash, or attachment name.
  • Hunt for .LNK files with external URL references in icon-location metadata, especially when followed by network retrieval or suspicious child-process activity.
  • Correlate user-invoked shortcuts with command and scripting interpreter or system binary proxy execution patterns noted in the ATT&CK description.
  • Tune for false positives from legitimate shortcuts that reference network or remote icon locations; require context such as unusual source, user path, recent delivery, or follow-on process/network behavior.
  • Use the ATT&CK relationship to DET0405 as a cue to evaluate a dedicated detection strategy, but do not assume coverage unless local telemetry and rules prove it.
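The following script is an added example, not code from MITRE, Glexia, or the cited references. It parses the MS-SHLLINK fields that the technique description and the detection direction above talk about (ICON_LOCATION, IconEnvironmentDataBlock, the target path and arguments, ShowCommand) and applies the hunt logic: flag shortcuts whose icon path points at a URL or UNC host, escalate when the target is a command interpreter or proxy-execution binary, and tune out an allowlisted internal icon server. The three shortcuts are constructed in memory; example.com, the .example suffix and the host name fileserver.corp.example are documentation placeholders, not observed indicators.

```python
"""Minimal MS-SHLLINK (.LNK) parser and hunt logic for the fields LNK Icon Smuggling abuses.
Sample shortcuts are constructed in memory; nothing is written to disk or executed."""
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags (MS-SHLLINK 2.1.1): which optional structures follow the 76-byte header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# ExtraData signatures (MS-SHLLINK 2.5); both blocks hold TargetAnsi[260] + TargetUnicode[520]
ENVIRONMENT_VARIABLE_BLOCK = 0xA0000001   # target path with env vars (lures use it to avoid an IDList)
ICON_ENVIRONMENT_BLOCK = 0xA0000007       # the IconEnvironmentDataBlock named in the ATT&CK text
ENV_BLOCK_SIZE = 0x314
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7   # ShowCommand value that starts the target minimized

# Icon paths the shell would fetch from another host: a URL scheme or a UNC path. Group 1 is the host.
REMOTE_HOST = re.compile(r"^(?:[a-z][a-z0-9+.\-]*://|\\\\)([^/\\]+)", re.I)
# Interpreters and proxy-execution binaries as a path component or bare word in target/arguments.
INTERPRETERS = re.compile(r'(?:^|[\\/\s"])(?:cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|'
                          r'regsvr32|certutil|bitsadmin|msiexec|forfiles)(?:\.exe)?(?=[\s"]|$)', re.I)


def _string_data(text):
    """StringData item: uint16 CountCharacters followed by UTF-16LE text, no terminator."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def _env_block(signature, path):
    """Fixed-size ExtraData block carrying the path in both the ANSI and Unicode slots."""
    ansi = path.encode("cp1252")[:259].ljust(260, b"\x00")
    uni = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
    return struct.pack("<II", ENV_BLOCK_SIZE, signature) + ansi + uni


def build_lnk(target, arguments, icon, show_command=1):
    """Construct a minimal shortcut for testing: no IDList/LinkInfo, target in an
    EnvironmentVariableDataBlock, icon in both ICON_LOCATION and IconEnvironmentDataBlock."""
    flags = HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags, 0x80,  # FILE_ATTRIBUTE_NORMAL
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)  # times, size, icon index, hotkey, reserved
    extra = _env_block(ENVIRONMENT_VARIABLE_BLOCK, target) + _env_block(ICON_ENVIRONMENT_BLOCK, icon)
    return header + _string_data(arguments) + _string_data(icon) + extra + struct.pack("<I", 0)  # TerminalBlock


def parse_lnk(data):
    """Walk Header -> LinkTargetIDList -> LinkInfo -> StringData -> ExtraData; return fields of interest."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LINK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (uint16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings, width = {}, (2 if flags & IS_UNICODE else 1)
    for bit, name in STRING_DATA_ORDER:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    blocks = {}
    while pos + 8 <= len(data):
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:                               # TerminalBlock ends the ExtraData list
            break
        payload = data[pos + 8:pos + size]
        if sig in (ENVIRONMENT_VARIABLE_BLOCK, ICON_ENVIRONMENT_BLOCK) and len(payload) >= 780:
            uni = payload[260:780].decode("utf-16-le", "replace").split("\x00", 1)[0]
            ansi = payload[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
            blocks[sig] = uni or ansi
        pos += size
    return {"target": blocks.get(ENVIRONMENT_VARIABLE_BLOCK) or strings.get("relative_path", ""),
            "arguments": strings.get("arguments", ""),
            "icon_location": strings.get("icon_location", ""),
            "icon_env_block": blocks.get(ICON_ENVIRONMENT_BLOCK, ""),
            "show_command": show_command}


def assess_lnk(data, allowed_hosts=()):
    """Parse and score one shortcut. allowed_hosts tunes out internal icon servers (the
    false-positive case in the detection notes); any other URL/UNC host is treated as external."""
    fields = parse_lnk(data)
    allowed = {h.lower() for h in allowed_hosts}
    remote = set()
    for path in (fields["icon_location"], fields["icon_env_block"]):
        m = REMOTE_HOST.match(path)
        if m and m.group(1).lower() not in allowed:
            remote.add(m.group(1))
    findings = []
    if remote:
        findings.append("icon location fetched from remote host(s): " + ", ".join(sorted(remote)))
    if INTERPRETERS.search(fields["target"] + " " + fields["arguments"]):
        findings.append("target/arguments invoke a command interpreter or system binary proxy")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand starts the target minimized, hiding the console from the user")
    return {"fields": fields, "findings": findings, "external_icon": bool(remote)}


# Constructed samples, not real-world artifacts: example.com and .example are reserved for documentation.
BENIGN_LNK = build_lnk(r"%SystemRoot%\System32\notepad.exe", "", r"%SystemRoot%\System32\notepad.exe")
LURE_LNK = build_lnk(r"%SystemRoot%\System32\cmd.exe", r'/c "%TEMP%\update.cmd"',
                     "https://example.com/assets/invoice.ico", show_command=SW_SHOWMINNOACTIVE)
INTERNAL_LNK = build_lnk(r"%SystemRoot%\System32\mspaint.exe", "", r"\\fileserver.corp.example\icons\paint.ico")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("lure", LURE_LNK), ("internal", INTERNAL_LNK)):
        result = assess_lnk(blob, allowed_hosts=("fileserver.corp.example",))
        print(f"{label}: external_icon={result['external_icon']} findings={result['findings']}")
```

To run it against quarantined attachments, pass `open(path, "rb").read()` to `assess_lnk` with your own `allowed_hosts`. The parser skips LinkTargetIDList and LinkInfo by their size fields, so Explorer-created shortcuts that carry those structures parse the same way; it deliberately reads both the ICON_LOCATION string and the IconEnvironmentDataBlock, because a lure only needs one of them populated. The external-icon finding is the technique itself; the interpreter and ShowCommand findings are the follow-on context the tuning bullet asks for before a hit is escalated.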

Mitigation priorities

  • Deploy and validate endpoint behavior prevention capable of blocking suspicious process, file, API, and endpoint event patterns associated with malicious shortcut activity.
  • Maintain antivirus/antimalware coverage and update processes across Windows endpoints, recognizing that signature-only approaches may miss metadata-based abuse.
  • Review controls for handling shortcut files delivered through common user-facing channels and ensure suspicious LNK behavior is escalated into SOC triage.
  • Include LNK metadata review in incident response collection when phishing or post-compromise payload download is suspected.

Analyst notes and limits

ATT&CK maps this technique to use by Gamaredon Group, Kimsuky, Mustang Panda, and TONESHELL, but that should be treated as historical ATT&CK relationship context, not proof of current targeting or local exposure. The strongest local validation will come from endpoint, process, file, and network evidence around Windows shortcut handling.

The supplied ATT&CK object does not provide official detection guidance, detailed procedure examples, or environment-specific prevalence. Recommendations are therefore framed as validation and control-prioritization steps based on the official description, platform, tactic, external references, and stated mitigation/detection relationships.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID      Name                              Relationship / procedure
Enterprise  T1027   Obfuscated Files or Information   This object is a sub-technique of Obfuscated Files or Information.
Associated objects

Groups, software, and campaigns

Group Enterprise

G0094: Kimsuky

Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]

DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.

Group Enterprise

G0047: Gamaredon Group

Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns.[1][2][3][4][5]

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers.[6][5]

Group Enterprise

G0129: Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam.[1][2][3][4][5][6][7][8][9][10][11][12][13]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 2e170c15abf70c75...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      2.0                       Current bundle  2e170c15abf7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Unprotect Project. (2019, March 18). Shortcut Hiding. Retrieved October 3, 2023. (ATT&CK source name: Unprotect Shortcut)
  2. [2] Weyne, F. (2017, April). Booby trap a shortcut with a backdoor. Retrieved October 3, 2023. (ATT&CK source name: Booby Trap Shortcut 2017)
  3. [3] MITRE ATT&CK. T1027.012: LNK Icon Smuggling. https://attack.mitre.org/techniques/T1027/012/
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.