Researchers has attributed a recent campaign leveraging malicious LNK files in its infection chain to the Higaisa APT. The initial LNK file, which is delivered inside a RAR archive, is responsible for a series of commands. First, it creates a copy of itself and certutil. Then a base64-encoded blob stored inside the LNK file is decoded using the copy of certutil. The decoded content is then decompressed, which leads to the creation of a JS file, a tmp file containing shellcode, a decoy PDF, and an executable. The decoy document varied but included fake CVs and IELTS test results. This file is opened during the infection process to distract users. Upon execution, the JS file stores the output of ipconfig in a file, exfiltrates that file to a remote URL, and establishes persistence for the aforementioned executable via both the Startup folder and a scheduled task. The executable acts as a loader for the shellcode stored in the tmp file. Once loaded by the executable, the shellcode runs in memory and makes HTTPS requests to a C2 server.