VYPR
researchPublished Jul 10, 2026· 1 source

Malicious Windows Shortcuts Deliver Backdoor via PowerShell and Node.js, Evading Detection

A sophisticated attack campaign uses disguised Windows shortcuts to deliver a backdoor, leveraging PowerShell and Node.js for execution and the TON blockchain for command and control.

A new and concerning attack campaign is leveraging seemingly innocuous Windows shortcuts (.lnk files) to establish a remote code execution foothold on victim systems. The campaign, identified by researchers at LevelBlue, begins with phishing emails containing ZIP archives. These archives conceal malicious LNK files, which are cleverly disguised to appear as image files by using legitimate icons. Upon execution, these shortcuts trigger a complex chain of events that bypasses standard security measures and installs a backdoor.

The attackers employ a multi-stage approach that combines built-in Windows tools with a legitimate Node.js runtime to make their malicious activity harder to detect. The initial PowerShell script, obfuscated using simple mathematical operations, reconstructs its command-and-control (C2) destination. This script then checks for the presence of Node.js. If not found, it downloads and installs a genuine Node.js package from the official website into the user's LocalAppData folder. This use of a legitimate, trusted runtime significantly lowers suspicion, as node.exe is a common and expected process.

Following the setup of the Node.js environment, the campaign decrypts and executes a heavily scrambled JavaScript payload. This payload utilizes a custom interpreter to process hidden instructions, further obscuring its malicious intent. To ensure persistence, the backdoor establishes a registry entry under the 'Run' key, allowing it to automatically restart when the user logs in. The process is designed to run in the background, with its window hidden and output suppressed, making it nearly invisible to the end-user.

The installed backdoor possesses significant capabilities, including the ability to download and execute further payloads, such as Windows executables, PowerShell scripts, or additional JavaScript files. Before launching any downloaded executable, the malware attempts to verify its legitimacy by checking if it resembles a valid Windows program. Crucially, it also tries to add an exclusion to Microsoft Defender for its own path, aiming to prevent its own detection and removal.

One of the most notable evasion techniques employed in this campaign is the use of the TON blockchain for command and control communication. Instead of embedding a static C2 server address directly into the malware, the attackers query a smart contract on the TON blockchain to retrieve the current C2 destination. This method, referred to as EtherHiding, allows the attackers to dynamically change their C2 infrastructure without needing to update the malware itself, making it considerably more difficult for defenders to block or disrupt the operation.

Researchers observed a high volume of related samples, with over 400 linked to a shared machine identifier, indicating a sustained and active campaign. The targeted nature of the phishing lures, which often mimic booking confirmations, suggests that organizations in the hospitality and travel sectors are primary targets. The campaign's reliance on social engineering, combined with its sophisticated technical execution, makes it a potent threat.

To mitigate this threat, organizations should exercise extreme caution with unexpected shortcut archives and links, especially those originating from external sources. Filtering or closely inspecting ZIP attachments and links from unverified senders is recommended. Security teams should also monitor for unusual PowerShell activity, the presence of new Node.js binaries in user directories, suspicious 'Run' registry entries, and unexpected requests to blockchain API services. Prompt incident response, including system isolation and network activity review, is crucial upon detection.

Synthesized by Vypr AI