There are a lot of fileless attacks happening in Brazil. People send a zip on WhatsApp containing a .lnk file.

I couldn’t deep dive into this yet, but some things are intriguing me. What the hell is this at the beginning of the command line?

C:\Windows\System32\cmd.exe /WMRX:F0E /WFXI:BNYE5S

@yuriaugustus Wow this has me curious. It looks like cmd will accept any junk as long as it starts with a W??? Is this a misdirection?
@jsmall I didn’t find anything on this. I’ll try to take a look tomorrow and try to understand it. Basically it’s an obfuscated PowerShell running some malicious code, but this part is strange.