title: LNK Icon Smuggling (T1027.012)
id: df00tech-t1027-012
status: experimental
description: "Adversaries abuse Windows shortcut (.LNK) files to smuggle malicious payloads past content filters. LNK files contain metadata fields including an icon location field (IconEnvironmentDataBlock) designed to specify an icon file path. Adversaries exploit this field to reference external URLs that trigger payload downloads when the LNK is invoked. They also abuse the LNK target path field to embed interpreter commands with obfuscated arguments, often padding target fields with extra spaces to hide the malicious portion from casual inspection. Threat actors including Kimsuky, Gamaredon Group, Mustang Panda, and TONESHELL malware have weaponized LNK files with spoofed PDF icons to trick users into executing malicious binaries."
references:
  - https://attack.mitre.org/techniques/T1027/012/
  - https://df00tech.com/detections/T1027.012
author: df00tech
date: 2026/04/13
tags:
  - attack.t1027.012
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Unknown
level: medium