"...The threat actors behind a recent case used a macro in a more roundabout way, with a macro that searches for specific shortcut files in the user’s system, which it replaces with one that points to its downloaded malware. The downloaded malware executes when the user clicks on the modified desktop shortcut. After the malware executes, it recovers the original shortcut file to open the correct application again. The malware then “assembles” its payloads. Instead of using its own created tools, it downloads common tools available on the internet like various Windows tools, WinRAR, and Ammyy Admin to gather information and send it back via SMTP..." https://blog.trendmicro.com/trendla...ijacks-desktop-shortcuts-to-deliver-backdoor/
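An added defender-side example, not code from the Trend Micro post or the poster above: a Python check for the shortcut-replacement step described in the quote. It reads the LocalBasePath stored in each desktop .lnk file's LinkInfo block (per the MS-SHLLINK layout) and reports shortcuts whose target lies outside the usual program folders. The EXPECTED_ROOTS allowlist and the build_lnk fixture are assumptions made for illustration; shortcuts that store only an IDList and no local path return None and are not judged.

```python
import pathlib
import struct

LNK_HEADER_SIZE = 0x4C                 # ShellLinkHeader is always 76 bytes
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02   # LinkFlags bits 0 and 1
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01   # LinkInfoFlags bit 0
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Roots a desktop shortcut is expected to point into; anything else is reported (assumed policy).
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def lnk_local_base_path(data: bytes):
    """Return the LocalBasePath recorded in a .lnk file's LinkInfo block, or None if absent."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link (.lnk) file")
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:           # skip the variable-size IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not link_flags & HAS_LINK_INFO:
        return None
    if not struct.unpack_from("<I", data, pos + 8)[0] & VOLUME_ID_AND_LOCAL_BASE_PATH:
        return None                                     # LinkInfoFlags: no local path stored
    start = pos + struct.unpack_from("<I", data, pos + 16)[0]   # LocalBasePathOffset
    return data[start:data.index(b"\x00", start)].decode("cp1252", errors="replace")

def shortcut_is_suspicious(data: bytes) -> bool:
    """True when the recorded target lies outside EXPECTED_ROOTS (e.g. a user-writable folder)."""
    target = lnk_local_base_path(data)
    return target is not None and not target.lower().startswith(EXPECTED_ROOTS)

def scan_shortcuts(folder) -> list:
    """(shortcut name, target) for every suspicious .lnk directly under folder."""
    return [(p.name, lnk_local_base_path(p.read_bytes()))
            for p in sorted(pathlib.Path(folder).glob("*.lnk")) if shortcut_is_suspicious(p.read_bytes())]

def build_lnk(target: str) -> bytes:
    """Construct a minimal .lnk with only a LinkInfo block (sample fixture, not a real-world file)."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LINK_CLSID
              + struct.pack("<I", HAS_LINK_INFO)).ljust(LNK_HEADER_SIZE, b"\x00")
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # fixed drive, empty label
    local, suffix = target.encode("cp1252") + b"\x00", b"\x00"
    vol_off, base_off = 0x1C, 0x1C + len(volume_id)
    suffix_off = base_off + len(local)
    link_info = struct.pack("<IIIIIII", suffix_off + len(suffix), 0x1C,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, base_off, 0, suffix_off)
    return header + link_info + volume_id + local + suffix
```

Run scan_shortcuts on a user's Desktop folder and compare the reported targets against the application each shortcut claims to open; a shortcut whose target has moved into a user-writable directory is the indicator the quoted post describes.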