Resume-Themed LNK Files Deploy Xctdoor in Stealthy Windows Attack

A newly documented malware campaign is turning a familiar business workflow into an intrusion path: job applications. Researchers at AhnLab Security Emergency response Center (ASEC) say attackers are distributing malicious Windows shortcut files disguised as resumes, and when a user opens one, the file displays a decoy document while quietly triggering a multi-stage infection chain that installs the Xctdoor backdoor on the victim system.

What makes the operation stand out is not a software vulnerability or a zero-day, but the disciplined abuse of everyday Windows components. The campaign chains together PowerShell, VBScript, batch files, scheduled tasks, startup shortcuts, and DLL side-loading to maintain access while blending into normal system behavior.

Key Details

ASEC warns that the lures are designed to look like legitimate resume files and often include company names and job titles in the filename to increase credibility. When opened, the LNK launches a benign-looking decoy resume for the user while embedded malicious content begins running in the background, reducing the chance that the victim immediately recognizes the compromise.

The infection chain begins with the LNK writing several files with randomized names into C:\Users\Public\Videos\. These include .bat, .ps1, and .vbs files. A PowerShell component then registers a scheduled task named Office365 that runs every 10 minutes, ensuring persistence.

From there, the batch and script components fetch additional payloads from an external server using curl. Some of the downloaded data is Base64-encoded and decoded into a second-stage PowerShell script saved as C:\Users\Public\Pictures\p2.ps1.

This second-stage script creates a startup shortcut and reconstructs further payloads. Ultimately, the attack chain loads a legitimate executable, ProximityUxHost.exe, alongside a malicious DLL named ProximityCommon.dll.

The final payload, stored as settings.dat, is injected into a legitimate process, enabling the Xctdoor backdoor to establish communication with an external command-and-control server.

Technical Analysis

This attack demonstrates a sophisticated use of “living-off-the-land” techniques. Instead of relying on a single malicious binary, the attackers leverage built-in Windows scripting engines and utilities.

The attack begins with user execution, where the victim opens a malicious .lnk file. That action triggers a sequence of script executions using PowerShell and VBScript to download, decode, and deploy additional components.

Persistence is achieved through multiple layers:

  • Scheduled task named “Office365” executing every 10 minutes
  • Startup shortcut creation for automatic execution on login
  • Script-based reloading mechanisms

The final stage relies on DLL side-loading, where a legitimate application loads a malicious DLL placed in the same directory. This technique allows attackers to run malicious code under a trusted process, making detection significantly more difficult.

The multi-stage nature, randomized filenames, and use of public directories like C:\Users\Public\ further reduce the likelihood of detection.

Key Indicators of Compromise (IoCs)

  • Malicious resume-themed .lnk files
  • Random .bat, .ps1, .vbs files in C:\Users\Public\Videos\
  • p2.ps1 in C:\Users\Public\Pictures\
  • Scheduled task: Office365
  • Startup shortcut: Microsoft.Bing.lnk
  • Suspicious files under C:\Users\Public\AppData\Local\Packages\Microsoft.BingSearch365
  • ProximityUxHost.exe used for execution
  • Malicious ProximityCommon.dll
  • Backdoor payload settings.dat

Impact and Risks

This campaign specifically targets employees who regularly handle external documents. Recruitment teams, sales departments, and customer support units are particularly vulnerable because opening resumes and attachments is a routine task.

Once deployed, the Xctdoor backdoor provides persistent remote access to the attacker. This access can be used for:

  • Data exfiltration
  • Credential theft
  • Lateral movement within the network
  • Deployment of additional malware

The risk extends beyond a single endpoint. A compromised workstation can become a foothold for deeper network intrusion, potentially impacting critical systems and sensitive business data.

Expert Recommendations

Organizations should treat shortcut files as active threats rather than harmless links.

Key mitigation steps include:

  • Block or restrict .lnk files from external sources
  • Monitor process chains where LNK execution triggers PowerShell, WScript, or CMD
  • Inspect scheduled tasks for suspicious or misleading names like “Office365”
  • Audit startup folders for unknown shortcuts
  • Monitor public directories (C:\Users\Public\) for unusual script activity
  • Enable detailed logging for PowerShell and script execution
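The indicator list above and the mitigation steps (scheduled task, startup folder, Public directories, side-loading pair) map directly onto a host-level hunt. The script below is an added example written for this page, not code from ASEC or from the report; it is read-only and only reports what it finds. It assumes that the legitimate ProximityUxHost.exe and ProximityCommon.dll live under the Windows directory, so any copy of that pair under C:\Users is out of place, and that settings.dat only matters when it sits beside them (the name is common on its own). Run it from an elevated Windows PowerShell session so every profile is readable.

```powershell
# Added example (not from the ASEC report): hunt one Windows host for the
# persistence and side-loading artifacts the write-up names. Read-only.
function Find-XctdoorArtifacts {
    [CmdletBinding()]
    param(
        # Directories the report says the LNK and second stage write into
        [string[]]$PublicScriptDirs = @('C:\Users\Public\Videos', 'C:\Users\Public\Pictures'),
        [string]$TaskName   = 'Office365',
        [string]$StartupLnk = 'Microsoft.Bing.lnk',
        [string]$PackageDir = 'C:\Users\Public\AppData\Local\Packages\Microsoft.BingSearch365'
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Category, [string]$Path, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Path = $Path; Detail = $Detail })
    }

    # 1. Scheduled task: the campaign registers one called 'Office365' that fires
    #    every 10 minutes. Report any task by that name together with what it runs.
    Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue | ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Finding 'ScheduledTask' $_.TaskPath "$($_.TaskName) -> $actions"
    }

    # 2. Startup shortcuts: resolve every .lnk in each profile's Startup folder and
    #    the all-users Startup folder; flag the known name and any shortcut whose
    #    target is a script host or lives under C:\Users\Public.
    $shell = New-Object -ComObject WScript.Shell
    $startupGlobs = @(
        'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk',
        (Join-Path ([Environment]::GetFolderPath('CommonStartup')) '*.lnk')
    )
    Get-ChildItem -Path $startupGlobs -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($_.Name -ieq $StartupLnk -or
            $target -match '(powershell|pwsh|wscript|cscript|cmd)\.exe' -or
            $target -match '\\Users\\Public\\') {
            Add-Finding 'StartupShortcut' $_.FullName $target
        }
    }

    # 3. Script files in the Public folders: the randomised .bat/.ps1/.vbs droppers
    #    plus the fixed second-stage name p2.ps1.
    Get-ChildItem -Path $PublicScriptDirs -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in @('.bat', '.ps1', '.vbs') } |
        ForEach-Object { Add-Finding 'PublicScript' $_.FullName "$($_.Length) bytes, created $($_.CreationTime)" }

    # 4. The staging directory the report lists under Public\AppData.
    if (Test-Path -LiteralPath $PackageDir) {
        Get-ChildItem -LiteralPath $PackageDir -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'StagingDir' $_.FullName "$($_.Length) bytes" }
    }

    # 5. Side-loading pair: assumption (mine) is that the genuine binaries live under
    #    $env:SystemRoot, so ProximityUxHost.exe or ProximityCommon.dll anywhere under
    #    C:\Users is misplaced. Each directory is reported once, listing which of the
    #    exe, the DLL and the settings.dat payload it holds.
    Get-ChildItem -Path 'C:\Users' -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in @('ProximityUxHost.exe', 'ProximityCommon.dll') } |
        Group-Object DirectoryName | ForEach-Object {
            $dir     = $_.Name
            $present = @('ProximityUxHost.exe', 'ProximityCommon.dll', 'settings.dat') |
                Where-Object { Test-Path -LiteralPath (Join-Path $dir $_) }
            Add-Finding 'SideLoadArtifact' $dir ('contains: ' + ($present -join ', '))
        }

    return $findings
}

Find-XctdoorArtifacts | Format-Table -AutoSize
```

An empty table is the expected result on a clean host. Any StartupShortcut or ScheduledTask row whose target is a script host, or any SideLoadArtifact row, should be treated as a confirmed hit and the host isolated for forensic collection rather than cleaned in place, since the report describes the payload being injected into another process.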

Security teams should also deploy behavioral detection rules that correlate user-initiated file execution with suspicious child processes and file creation.
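The correlation the paragraph above asks for can be expressed as a rule over process-creation and file-creation telemetry. The following is an added example, not a detection from ASEC or from the report: it takes records shaped like Sysmon Event ID 1 (process create) and Event ID 11 (file create), looks for a script host spawned by explorer.exe (the shape of a double-clicked LNK), and correlates it with files written under C:\Users\Public on the same host within a short window. The sample events, host name, process GUIDs and script file names are constructed for the example; only the directory names come from the report. In real use, Get-WinEvent output or a SIEM export would replace the constructed arrays.

```powershell
# Added example (not from the ASEC report): correlate shell -> script host launches
# with file drops under C:\Users\Public. Field names follow Sysmon EID 1 / EID 11.
$ScriptHosts = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe'

function Test-LnkScriptChain {
    param(
        [Parameter(Mandatory)][object[]]$ProcessEvents,   # EID 1-like records
        [Parameter(Mandatory)][object[]]$FileEvents,      # EID 11-like records
        [int]$WindowSeconds = 120
    )
    foreach ($p in $ProcessEvents) {
        # Leaf names only; split on backslash so this also works on pwsh on Linux
        $parent = ($p.ParentImage -split '\\')[-1].ToLower()
        $child  = ($p.Image -split '\\')[-1].ToLower()

        # Condition 1: a script host launched by the shell, i.e. a user-initiated open
        if ($parent -ne 'explorer.exe' -or $child -notin $ScriptHosts) { continue }

        # Condition 2: the command line references the Public tree, a script file,
        # or asks for a hidden window (the report's decoy-plus-background pattern)
        $cli = $p.CommandLine
        $cliSuspicious = $cli -match '\\Users\\Public\\|\.(bat|ps1|vbs)\b|-(w|windowstyle)\s+hidden'

        # Condition 3: files written under C:\Users\Public on the same host shortly after
        $drops = @($FileEvents | Where-Object {
            $delta = ([datetime]$_.UtcTime - [datetime]$p.UtcTime).TotalSeconds
            $_.Computer -eq $p.Computer -and $delta -ge 0 -and $delta -le $WindowSeconds -and
            $_.TargetFilename -match '^C:\\Users\\Public\\.*\.(bat|ps1|vbs|lnk|dat|dll)$'
        })

        if ($cliSuspicious -or $drops.Count -gt 0) {
            [pscustomobject]@{
                Computer     = $p.Computer
                Time         = $p.UtcTime
                Chain        = "$parent -> $child"
                CommandLine  = $cli
                Reasons      = @(
                    if ($cliSuspicious)     { 'script host from shell with Public/script/hidden-window command line' }
                    if ($drops.Count -gt 0) { "$($drops.Count) file(s) written under C:\Users\Public within $WindowSeconds s" }
                ) -join '; '
                DroppedFiles = @($drops | ForEach-Object { $_.TargetFilename })
            }
        }
    }
}

# Constructed sample telemetry (not real IoCs). Host, GUIDs and the random-looking
# script names are invented; the directories are the ones the report names.
$procEvents = @(
    # Benign: an interactive PowerShell opened from the shell, nothing dropped
    [pscustomobject]@{ UtcTime = '2024-01-01 08:30:00'; Computer = 'HR-PC01'; ProcessGuid = '{B1}'
        ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"' },
    # Benign: Word opened from the shell (not a script host, skipped by condition 1)
    [pscustomobject]@{ UtcTime = '2024-01-01 08:45:00'; Computer = 'HR-PC01'; ProcessGuid = '{B2}'
        ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = '"WINWORD.EXE" /n "C:\Users\alice\Downloads\resume.docx"' },
    # Matches the report's shape: LNK launches a hidden PowerShell into the Public tree
    [pscustomobject]@{ UtcTime = '2024-01-01 09:00:00'; Computer = 'HR-PC01'; ProcessGuid = '{A1}'
        ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -WindowStyle Hidden -Command "& C:\Users\Public\Videos\q8f2k.ps1"' }
)
$fileEvents = @(
    [pscustomobject]@{ UtcTime = '2024-01-01 09:00:02'; Computer = 'HR-PC01'; Image = 'C:\Windows\System32\cmd.exe';        TargetFilename = 'C:\Users\Public\Videos\q8f2k.bat' },
    [pscustomobject]@{ UtcTime = '2024-01-01 09:00:02'; Computer = 'HR-PC01'; Image = 'C:\Windows\System32\cmd.exe';        TargetFilename = 'C:\Users\Public\Videos\m3x9v.vbs' },
    [pscustomobject]@{ UtcTime = '2024-01-01 09:00:07'; Computer = 'HR-PC01'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; TargetFilename = 'C:\Users\Public\Pictures\p2.ps1' },
    # Unrelated write elsewhere on the same host, excluded by the path filter
    [pscustomobject]@{ UtcTime = '2024-01-01 09:00:30'; Computer = 'HR-PC01'; Image = 'C:\Windows\System32\notepad.exe';    TargetFilename = 'C:\Users\alice\Documents\notes.txt' }
)

Test-LnkScriptChain -ProcessEvents $procEvents -FileEvents $fileEvents | Format-List
```

On the constructed data only the third process record produces an alert, with both reasons set and the three Public-tree drops listed. The two conditions are deliberately independent: a chain with a clean command line but Public-folder drops still fires, and so does a hidden-window launch before any file is written, which keeps the rule useful when either telemetry source is incomplete. Tuning the window and the extension list to local baselines is expected before deploying it as a live rule.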

Employee awareness is equally critical. Training programs should specifically highlight resume-based phishing scenarios, as these are highly convincing and contextually relevant.

Industry Context

This campaign reflects a broader shift in cyberattacks toward stealth and persistence rather than immediate impact. Attackers are increasingly relying on legitimate tools already present on systems to avoid detection.

PowerShell, VBScript, Task Scheduler, and DLL-loading mechanisms remain widely used across enterprises, making them ideal tools for attackers to exploit without raising suspicion.

The use of Xctdoor is also notable. This malware family has been observed in previous targeted campaigns and is known for maintaining long-term access and enabling remote command execution.

The combination of social engineering with native Windows tooling highlights a growing trend: attackers are designing campaigns that look indistinguishable from normal business activity.

Conclusion

The latest findings underscore how easily routine workflows can be weaponized. By disguising malicious LNK files as resumes and chaining multiple trusted Windows components, attackers have created a stealthy and resilient delivery path for the Xctdoor backdoor.

For defenders, the takeaway is clear. Detection strategies must go beyond signature-based approaches and focus on behavioral patterns across execution, persistence, and process activity.

Organizations that proactively monitor these signals will be far better positioned to detect and disrupt similar campaigns before they escalate.

FAQ

What is the Xctdoor backdoor?

Xctdoor is a malware family designed to maintain long-term access to compromised systems and communicate with external command-and-control servers.

How does the resume-based attack work?

The attack uses a malicious LNK file disguised as a resume. When opened, it runs hidden scripts that download malware, create persistence, and execute the Xctdoor backdoor through a trusted application.

Why is this attack difficult to detect?

It uses legitimate Windows tools like PowerShell and Task Scheduler, randomized file names, and DLL side-loading, allowing it to blend into normal system behavior.

Who is most at risk?

Recruitment teams, sales teams, and customer support staff are most at risk because they regularly open external documents like resumes.

What should organizations monitor?

Monitor for suspicious LNK execution, script activity in public directories, unusual scheduled tasks, startup shortcuts, and abnormal DLL loads in legitimate processes.
