{"id":15111,"date":"2025-07-29T11:10:16","date_gmt":"2025-07-29T11:10:16","guid":{"rendered":"\/cybersecurity-blog\/?p=15111"},"modified":"2025-07-29T14:05:18","modified_gmt":"2025-07-29T14:05:18","slug":"cyber-attacks-july-2025","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-july-2025\/","title":{"rendered":"Major Cyber Attacks in July 2025: Obfuscated .LNK\u2011Delivered DeerStealer, Fake 7\u2011Zip, and More"},"content":{"rendered":"\n

While cybercriminals were working overtime this July, so were we at ANY.RUN \u2014 and, dare we say, with better results. As always, we\u2019ve picked the most dangerous and intriguing attacks of the month. But this time, there\u2019s more. <\/p>\n\n\n\n

Alongside the monthly top, we are highlighting a key trend that\u2019s been powering campaigns throughout 2025: the top 5 Remote Access Tools most abused by threat actors in the first half of the year. <\/p>\n\n\n\n

The threats were investigated with ANY.RUN\u2019s Interactive Sandbox<\/a>, where you can trace the full attack chain and see malware behavior in action, and our Threat Intelligence Lookup<\/a> (available now for free), which helps you turn raw IOCs into actionable intelligence to better protect your organization. <\/p>\n\n\n\n

DeerStealer Delivered via Obfuscated .LNK and LOLBin Abuse <\/h2>\n\n\n\n

Post On X<\/a> <\/p>\n\n\n

\n
\"\"
Detailed DeerStealer attack chain<\/em> <\/figcaption><\/figure><\/div>\n\n\n

The recent phishing campaign delivers malware through a fake PDF shortcut (Report.lnk<\/em>) that leverages mshta.exe<\/em> for script execution, which is a known LOLBin technique (MITRE T1218.005<\/a>).  <\/p>\n\n\n\n

ANY.RUN\u2019s Script Tracer<\/a> reveals the full chain, including wildcard LOLBin execution, encoded payloads, and network exfiltration, without requiring manual deobfuscation.   <\/p>\n\n\n\n

View analysis session in the Sandbox<\/a> <\/p>\n\n\n\n

The attack begins with a .lnk<\/em> file that covertly invokes mshta.exe<\/em> to drop scripts for the next stages. The execution command is heavily obfuscated using wildcard paths. <\/p>\n\n\n

\n
\"\"
Fake Report.lnk detonated in the sandbox<\/em> <\/figcaption><\/figure><\/div>\n\n\n

To evade signature-based detection, PowerShell dynamically resolves the full path to mshta.exe<\/em> in the System32 directory. It is launched with flags, followed by obfuscated Base64 strings. Both logging and profiling are disabled to reduce forensic visibility during execution. <\/p>\n\n\n\n

Characters are decoded in pairs, converted from hex to ASCII, reassembled into a script, and executed via IEX. This ensures the malicious logic stays hidden until runtime.  <\/p>\n\n\n\n

The script dynamically resolves URLs and binary content from obfuscated arrays, downloads a fake PDF to distract the user, writes the main executable into AppData<\/em>, and silently runs it. The PDF is opened in Adobe Acrobat to distract the user.  
 
You can use Threat Intelligence Lookup to find malware samples using similar techniques with fake .lnk <\/em>files and PowerShell commands to enrich your company’s detection systems.  
 
Search for suspicious shortcut attachments: threatName:”susp-lnk”<\/a> <\/p>\n\n\n

\n
\"\"
Sandbox analyses of suspicious .lnk files<\/em> <\/figcaption><\/figure><\/div>\n\n\n

Query TI Lookup for a snippet in PowerShell command: commandLine:”| IEX”<\/a> <\/p>\n\n\n

\n
\"\"
PowerShell command search results<\/em> <\/figcaption><\/figure><\/div>\n\n\n

IOC for the threat detection and research:  <\/p>\n\n\n\n