Generates malicious LNK file payloads for data exfiltration


LNK Data exfiltration payload generator

This tool generates LNK (Windows shortcut) payloads that exfiltrate data when the shortcut is rendered or run.


I am not responsible for any actions you take with this tool!
You can contact me with any questions by opening an issue, or via my Twitter, @Plazmaz.

Known gotchas

  • This tool will not work against OSX or Linux machines. It is specifically designed to target Windows.
  • There may be issues with icon caching in some situations. If your payload doesn't execute after the first time, try regenerating it.
  • You will need to run Responder or a Metasploit module server to capture NTLM hashes.
  • To capture environment variables, you'll need to run a webserver like Apache, nginx, or even just this


Install requirements using
pip install -r requirements.txt


Payload types:

  • NTLM
  • Environment
    • Steals the user's environment variables.
    • Examples: %PATH%, %USERNAME%, etc
    • Requires variables to be set using --vars
    • Example usage: --host localhost --type environment --vars PATH USERNAME JAVA_HOME --output out.lnk


  • Use --execute to specify a command to run when the shortcut is double clicked
    • Example: --host localhost --type ntlm --output out.lnk --execute "shutdown /s"
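
For defenders triaging shortcuts like the ones described above, the following added example (not part of this project's code) scans a .lnk file's embedded strings for remote hosts and %VAR% tokens. It assumes the remote host appears in the file as a UNC path or HTTP(S) URL, which this page does not specify; the function names are hypothetical and the sample bytes are constructed, not a working shortcut.

```python
import re

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")

# Assumption: a remote reference shows up as \\host\... or http(s)://host/...
REMOTE_HOST = re.compile(r"(?:\\\\|https?://)([\w.-]+)", re.I)
ENV_TOKEN = re.compile(r"%[A-Za-z_][A-Za-z0-9_()]*%")


def extract_strings(data, min_len=4):
    """Yield printable ASCII and UTF-16LE runs; LNK string fields use both."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")


def triage_lnk(data):
    """Return remote hosts and %VAR% tokens found in a shortcut, or None if
    the bytes do not start with a Shell Link header."""
    if not data.startswith(LNK_MAGIC):
        return None
    found = {"remote": set(), "env": set()}
    for s in extract_strings(data):
        found["remote"].update(h.lower() for h in REMOTE_HOST.findall(s))
        found["env"].update(ENV_TOKEN.findall(s))
    return found


# Constructed sample: header magic, padding, and two loose strings. It is not
# a functional shortcut; it only exercises the scanner.
CONSTRUCTED_SAMPLE = (
    LNK_MAGIC + b"\x00" * 56
    + "\\\\files.example.test\\share\\icon.ico".encode("utf-16-le") + b"\x00\x00"
    + b"%USERNAME%\x00"
)

if __name__ == "__main__":
    result = triage_lnk(CONSTRUCTED_SAMPLE)
    print("remote hosts:", sorted(result["remote"]))
    print("env tokens:  ", sorted(result["env"]))
```

Ordinary shortcuts often contain tokens such as %SystemRoot%, so an environment token is mainly worth a closer look when the same file also references a remote host.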