Security Articles

Snakes on a Domain: An Analysis of a Python Malware Loader

released on 2021-09-17 @ 12:08:04 PM
Huntress recently investigated a suspicious link file persisting in a user’s startup folder. The file was named “sysmon.lnk” and looked a bit fishy. After some quick initial investigation, we found that the link was executing a malicious Python script used to inject a remote access Trojan (RAT) onto the system. Along the way, Huntress encountered a total of six consecutive payloads and some new offensive tooling that we found pretty interesting. Towards the end, Huntress also experimented with some custom scripts for de-obfuscating data and extracting the configuration from the final RAT, resulting in some juicy indicators of compromise (IOCs) with zero detections on VirusTotal (as of June 2021).