No specific threat group has claimed responsibility for the DeerStealer distribution campaign. However, the sophistication of the techniques used suggests a well-planned, deliberate campaign aimed at individuals or organizations that hold sensitive data, such as social media accounts, digital wallets, email accounts, or company-wide data.
The attack begins with a shortcut file named “Report.lnk”, disguised as a report or document. When clicked, the file silently invokes the built-in Windows tool “mshta.exe” (which runs HTML Applications) to execute hidden malicious code.
The chain does not stop there. mshta launches “cmd.exe” and then PowerShell, where a series of malicious payloads is decoded step by step from Base64. The scripts were even designed to disable PowerShell’s logging and behavioral tracking, making detection nearly impossible with conventional security tools.
One of the most effective user-facing tricks in this campaign is that as soon as the “.LNK” file is opened, a decoy PDF is downloaded and opened in Adobe Reader. While the user is viewing the document, the DeerStealer payload is silently written to the %AppData% directory and launched in the background.
The payload download addresses are generated from scrambled character sequences, which helps them evade filtering tools that rely on lists of IOCs (Indicators of Compromise). The malicious code even resolves the exact location of mshta.exe on each infected machine at runtime rather than using a fixed path, making detection even more difficult.
Researchers from the malware analysis platform “ANY.RUN” tracked the entire attack sequence in real time and said:
- The campaign uses multiple layers of encoding and living-off-the-land binary (LOLBin) techniques, such as mshta.exe and PowerShell
- The malicious code can adjust its behavior depending on the environment to avoid detection
- It can scale rapidly if automated via email spam or phishing tools
For both personal and business users, it’s time to take extra precautions with any “.LNK” attachment, even if the file name sounds “reasonable” such as “report”, “invoice”, or “contract”.
Recommendations:
- Warn users not to open unfamiliar .LNK, .zip, or .exe files, especially those received via email.
- Enhance monitoring of PowerShell behavior, mshta.exe, and unusual shortcuts with EDR, Sysmon, or Wazuh.
- Feed the IOCs and new attack techniques into the SIEM for early detection, especially indicators related to DeerStealer.
- Restrict the ability to create Scheduled Tasks and monitor the Registry Run keys to reduce the likelihood of malware persistence.
- Turn off or limit mshta.exe if it is not needed.
- Update antivirus software and enable behavioral analysis.
- For businesses, implement real-time monitoring and deep inspection of PowerShell operations on the internal network.
- Provide internal training on identifying malicious shortcut files and modern deception techniques.
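As an added illustration of the monitoring recommended above (example code written for this page, not from the original article or from ANY.RUN), the following Python detects the LNK -> mshta.exe -> cmd.exe -> PowerShell chain and the %AppData% payload launch in Sysmon-style process-creation records. The event field names and all sample events are constructed for the illustration.

```python
import re
from typing import Dict, List

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed Sysmon-style process-creation records (Event ID 1, simplified). Sample data only.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "4000", "ppid": "1", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": "4100", "ppid": "4000", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\page.hta"},
    {"pid": "4200", "ppid": "4100", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc UwB0AGEAcgB0AC0A"},  # dummy Base64
    {"pid": "4300", "ppid": "4200", "image": PS,
     "cmdline": "powershell -nop -w hidden -enc UwB0AGEAcgB0AC0A"},
    {"pid": "4400", "ppid": "4300", "image": r"C:\Users\u\AppData\Roaming\svc\update.exe",
     "cmdline": "update.exe"},
    # Benign noise: an administrator running a script from a console.
    {"pid": "5000", "ppid": "1", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": "5100", "ppid": "5000", "image": PS, "cmdline": "powershell -File backup.ps1"},
]

# Encoded-command or hidden-window switches, and an image path under %AppData%.
OBFUSCATED_PS = re.compile(r"\s-(?:enc(?:odedcommand)?|e)\s+\S|-w(?:indowstyle)?\s+hidden", re.I)
APPDATA_PATH = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.I)


def ancestry(event: Dict[str, str], by_pid: Dict[str, Dict[str, str]]) -> List[str]:
    """Image basenames from the process itself up to the highest traceable parent."""
    chain, cur = [], event
    while cur is not None and len(chain) < 16:  # bound guards against PID-reuse loops
        chain.append(cur["image"].rsplit("\\", 1)[-1].lower())
        cur = by_pid.get(cur["ppid"])
    return chain


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per event that matches a stage of the LNK -> mshta -> PowerShell chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain, reasons = ancestry(e, by_pid), []
        if chain[0] == "powershell.exe" and "mshta.exe" in chain[1:]:
            reasons.append("PowerShell descended from mshta.exe (LOLBin chain)")
        if OBFUSCATED_PS.search(e["cmdline"]):
            reasons.append("encoded or hidden-window PowerShell arguments")
        if APPDATA_PATH.search(e["image"]) and "powershell.exe" in chain[1:]:
            reasons.append("executable under %AppData% launched by PowerShell")
        if reasons:
            findings.append({"pid": e["pid"], "chain": " <- ".join(chain), "reason": "; ".join(reasons)})
    return findings
```

The same three checks map directly onto Sigma or Wazuh rules keyed on Sysmon Event ID 1 fields (Image, ParentImage, CommandLine).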