COMING SOON · Beginner

Shortcut to Compromise: LNK-in-Archive PowerShell Phishing

A finance clerk at Brightwater Logistics opens an invoice-themed ZIP and double-clicks a shortcut disguised as a document. The shortcut launches an obfuscated PowerShell loader that drops a CAB archive, expands it, runs a VBScript and batch chain, sets registry persistence, and beacons to attacker C2. Walk the mail gateway and endpoint logs step by step to trace the delivery, the loader, the persistence, and the callout.

25m
6 tasks
25 points
Free

Launches tomorrow

Jul 3, 2026

Friday, July 3, 2026 at 9:00 AM

Training Tools

Email, SIEM

What you'll investigate

6 objectives unlock when this operation goes live.

1. Brief: an invoice that was really a shortcut
2. Find the file the clerk actually clicked
3. Trace what the loader wrote to disk
4. Pin down how the malware survives a reboot
5. Identify where the host phoned home
6. Map the trigger to MITRE ATT&CK

Be first when it launches

Create your free account now. The moment this operation goes live on Jul 3, 2026, you can jump straight in — and you'll have the rest of the catalog to train on meanwhile.
