Malicious Windows Shortcuts Use PowerShell and Node.js to Enable Remote Code Execution

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A malicious Windows shortcut is being used to turn a routine download into a full remote-code-execution foothold.

The campaign begins with convincing booking-themed spam and steers victims toward a ZIP archive that conceals a booby-trapped LNK file.

One click can quietly start a chain that installs a backdoor and gives attackers a path to run further commands.

Instead of relying on a single malicious program, the operators combine built-in Windows tools with a legitimate Node.js runtime.

This makes activity harder to spot because PowerShell, node.exe, and standard web services can appear normal in isolation. The approach also enables persistence, encrypted communications, and delivery of additional files after the first compromise.

Analysts at LevelBlue identified the activity while investigating an alert in a customer environment.

LevelBlue said in a report shared with Cyber Security News (CSN). Their findings show a campaign designed to hide each stage until the victim has already launched the shortcut.

Contents of the archive file (Source – LevelBlue)

The exposure is significant for organizations that handle frequent external messages, particularly hotels and travel-related businesses that may expect reservation correspondence.

Researchers observed new samples daily and linked more than 400 of them to a shared machine identifier, suggesting a sustained operation rather than an isolated spam run. Early samples also appeared in comments on public discussion forums.

Malicious Windows Shortcuts Use PowerShell and Node.js

The ZIP archive contains a shortcut disguised as an image by borrowing an icon from shell32.dll. When opened, it runs a hidden PowerShell command rather than displaying a photograph.

The command uses large numbers and simple math to rebuild its next address, a trick that keeps the destination from being plainly visible in the shortcut.

Decrypted payload (Source – LevelBlue)

That first script checks whether Node.js is available. If it is not, the attackers fetch a genuine Node.js package, unpack it under the user’s LocalAppData folder, then decrypt an encoded JavaScript payload. Using a trusted runtime lowers suspicion while providing the environment needed to launch the backdoor.

The JavaScript is heavily scrambled and uses a custom virtual-machine-style interpreter to process hidden instructions at runtime.

It checks for an existing dropped Node.js process, helping avoid duplicate copies, and creates a Run registry entry so it restarts when the user signs in. The process is launched detached, with its window hidden and output suppressed.

The backdoor can retrieve and run more content, including Windows executables, PowerShell, or JavaScript.

Before launching a downloaded executable, it verifies that the file resembles a valid Windows program and attempts to add an exclusion for its path in Microsoft Defender. Those actions can turn an initial shortcut click into broad control of the affected device.

Blockchain Retrieval Helps Backdoor Evade Disruption

Rather than storing a command-and-control address directly in the malware, the operators query a smart contract on the TON blockchain.

This EtherHiding method lets them change the destination without rebuilding the file, complicating blocking and takedown efforts. The backdoor then opens a WebSocket connection and uses key exchange and encryption.

Contract records revealed several previously used control domains, while payload-delivery and control servers sat behind Cloudflare.

Researchers also found recurring LNK names, including photo- and IMG-themed files, and a common MachineID value. Defenders should treat unexpected shortcut archives and booking links as suspicious, especially when they ask users to bypass download warnings.

Security teams can reduce risk by filtering or closely inspecting ZIP attachments and links from unverified senders, and by blocking unnecessary shortcut execution from email-originated files.

Monitoring for concealed PowerShell, new Node.js binaries in user folders, unusual Run registry entries, and requests to blockchain API services can help expose the chain early. Organizations should isolate affected systems and review related network activity promptly.

The campaign shows how familiar tools can be chained together to hide a serious intrusion. A harmless-looking image shortcut, a legitimate runtime, and a blockchain lookup each obscure a different part of the operation.

Prompt reporting of suspicious messages and preserving the original ZIP file can give incident responders the evidence needed to contain similar infections.

Indicators of compromise (IoCs):-

Type Indicator Description
Initial URL hxxps://share.google/YLoRYlokrW3iner8r Initial victim-access URL
Redirect URL hxxps://recordstrace[.]info/5bC6vVOeP9PI3B08 Redirected delivery URL
Download URL https://nodejs[.]org/dist/v24.13.0/node-v24.13.0-win-x64.zip Legitimate Node.js package abused by the chain
TON API URL https://tonapi[.]io/v2/blockchain/accounts/0c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9/methods/getdomain Smart-contract query used to obtain C2 data
TON account ID 0c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9 TON smart-contract account queried by the backdoor
C2 domain tonajukbhuakpo2[.]shop C2 recorded on June 2
C2 domain zloapobikahy23[.]bond Historical C2
C2 domain hsaertyuoang34[.]sbs Historical C2
C2 domain amanohuguta[.]cfd Historical C2
MachineID win-5r0dsv23ed0 Shared identifier observed across more than 400 related samples
File pattern photo-*.png.lnk Pattern used to identify related malicious LNK files
File pattern IMG-*.png.lnk Pattern used to identify related malicious LNK files
SHA-1 / C2 3d84d37393e244a76c24dfd9eebd0d20914166e6 / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 a5077656e98906385bea101548b462322cd947fa / flamecube[.]info Related LNK sample and extracted C2
SHA-1 / C2 aebce6479d7d5d0d7b59a3da020969ee465f8d36 / bigfrogs[.]info Related LNK sample and extracted C2
SHA-1 / C2 e9488c259d1e047a0ad11d4abf1bfc442f49b992 / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 d0fd605b18d8af766fb7beb94f3ef7397db4aa8a / hubsecure[.]info Related LNK sample and extracted C2
SHA-1 / C2 ded8575d8badffea8beaa2bbfcb364901b89065d / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 b6aab844ee021a684ebc236c1815e0d14ef15104 / tracerecord[.]info Related LNK sample and extracted C2
SHA-1 / C2 5daab9743a4c80415d7261d2c2b3720140890e2b / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 b3cefdff102b9984748ce3a94d67a76567a92e1b / bubblekip[.]info Related LNK sample and extracted C2
SHA-1 / C2 d6ffd15c58edac8cf0f5f829b6e248e2d933aa80 / checkphoto-bookin[.]com Related LNK sample and extracted C2
SHA-1 / C2 ee17aabe0180f62278f5bcf2ed887352ced66446 / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 5c21735b6a823a85730b03a71fe339082c417732 / strayweirds[.]info Related LNK sample and extracted C2
SHA-1 / C2 399712edc298a35e2cb643353b7fcfe4327e173b / bigfrogs[.]info Related LNK sample and extracted C2
SHA-1 / C2 fe18e053366ab393430d20d7bec523071f97fcc1 / flamecube[.]info Related LNK sample and extracted C2
SHA-1 / C2 69b570e6aa1d50e4bbd89c653eb1b97dab77f174 / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 5c80d4af9e9251f2303b88c51435dba09b24177a / hotelphotoadm[.]info Related LNK sample and extracted C2
SHA-1 / C2 b33043882bf31fa05a27243240361478e88963c0 / marmoteilefinance[.]com Related LNK sample and extracted C2
SHA-1 / C2 b6457f1e62be6d8121281a74b0eb75213a849be4 / lastnight[.]info Related LNK sample and extracted C2
SHA-1 / C2 c881d5fc0c8debcf17e869f863b50a8016674a70 / lastnight[.]info Related LNK sample and extracted C2
SHA-1 / C2 f5161d3f01fdd1acf77ff0808b3f732d9dd3a254 / fancystraits[.]info Related LNK sample and extracted C2
SHA-1 / C2 0cae9af236ae7ebbb072b058bb65ea6ed7592aae / book-photopage[.]info Related LNK sample and extracted C2
SHA-1 / C2 18949de1c7550d93e7d58ba545c2ab9703e47d51 / jsdakksd283ksl[.]com Related LNK sample and extracted C2
SHA-1 / C2 0a0378a8e1b2bcf2a6d71ee8d39572897a48ab46 / lastnight[.]info Related LNK sample and extracted C2
SHA-1 / C2 0993e576ea97208db8cd9ee651f6eb6382a6565a / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 18a720ebe0bc1ea1aeea9b495b419cc929c427aa / photo-pagebook[.]info Related LNK sample and extracted C2
SHA-1 / C2 27a7c5f0dcaf9ed18aa41340aa95d4d5778d7708 / keysrace[.]info Related LNK sample and extracted C2
SHA-1 / C2 4c98348b9bc57485d0624a5fc7838372566aacd7 / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 2f9d50d3b166a667fe6b7a05da7039a8029c79b3 / fellshow[.]info Related LNK sample and extracted C2
SHA-1 / C2 307c3a41a56e67ff6d3026c3cd6e35b751f1eafb / lastnight[.]info Related LNK sample and extracted C2
SHA-1 / C2 2aab7ce372244d0ad882c45cc76579f570d5993b / bigfrogs[.]info Related LNK sample and extracted C2
SHA-1 / C2 8a3889be09bab729a916b97ebbfda19afef828b7 / checkphoto-bookin[.]com Related LNK sample and extracted C2
SHA-1 / C2 cb1820283981c6f32db15d4220b8b8d39da5fc9a / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 8f0d6abefd133bd130c6fb897c764f199a08444c / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 c8f0d1447c6d3304b0f4d7e24bdd41b073f5e852 / tracerecord[.]info Related LNK sample and extracted C2
SHA-1 / C2 625cdb454461e7e82ba9b73028ddbdcbf0b5a7ab / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 aa70a6966cf3c430b768977cabdeb8aa2c2b39a3 / lightsnow[.]info Related LNK sample and extracted C2
SHA-1 / C2 2cab6043e2cf54bb1b46357798fba2d8d0d62e77 / book-photopage[.]info Related LNK sample and extracted C2
SHA-1 / C2 6a0bf6e890b24870597befcb447693a598fbd897 / hotelphotoadm[.]info Related LNK sample and extracted C2
SHA-1 / C2 85cf831025122ab3f411cd21b825eef4d6322b3d / bigfrogs[.]info Related LNK sample and extracted C2
SHA-1 / C2 a544e8b67f0989f89b556c61fedd67a84c7b1ae6 / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 b0f937a64f64d30fc341b23971ce7682ca725d9e / strayweirds[.]info Related LNK sample and extracted C2
SHA-1 / C2 435b00e224f2e001018ed52aff2bd35706614297 / keysrace[.]info Related LNK sample and extracted C2
SHA-1 / C2 be6494df5052cb6beffaef98a9cc063db0b9a1d4 / jsdakksd283ksl[.]com Related LNK sample and extracted C2
SHA-1 / C2 a56e3014116435cb8b928e33b16ac43f18beb733 / tracerecord[.]info Related LNK sample and extracted C2
SHA-1 / C2 0451e7e75af3c2917a38753db2642619b8f4a0fd / bookconfphoto[.]info Related LNK sample and extracted C2
SHA-1 / C2 7e05edb4a326c6b80ca937d602d43590bb73d68c / fancystraits[.]info Related LNK sample and extracted C2
SHA-1 / C2 f277f060ffcd3fbf34bb98884c8a9fa3f0f57845 / lastnight[.]info Related LNK sample and extracted C2
SHA-1 / C2 db68cbf2359df9835a9f85b29ec01e750e814e8b / book-imagegallery[.]info Related LNK sample and extracted C2
SHA-1 / C2 828f62be77939b3c738b6fcf43c2d308b59481f6 / deracefight[.]info Related LNK sample and extracted C2
SHA-1 / C2 0ddc606b48c4dd85cad09ffcb2fe560f68e63868 / deracefight[.]info Related LNK sample and extracted C2
SHA-1 / C2 b8d6bb8bf3291fdb3424abbf237f191c9db67a7c / lastnight[.]info Related LNK sample and extracted C2
SHA-1 / C2 54740686b96e9702cc376d6b04f89105d7700408 / bigfrogs[.]info Related LNK sample and extracted C2
SHA-1 / C2 4d901d5bd6c467f4bedfb0b968eb4c42902cf588 / keysrace[.]info Related LNK sample and extracted C2
SHA-1 / C2 d807a3f8dff4f9b8dc828b3e0ef56f85534a91d8 / lastnight[.]info Related LNK sample and extracted C2
SHA-1 / C2 b9205e4cc92be77dfd4c8767f86384a36520e331 / dsjkaksfks324das[.]com Related LNK sample and extracted C2
SHA-1 / C2 b196b2552a18b8112b72ed7aab4e8ddb1253a81e / tracerecord[.]info Related LNK sample and extracted C2
SHA-1 / C2 11838c2e3134991402e40a1744aa4c1f93447407 / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 b82652f33d382a96d9ab5f60dc7a6897dd0f5dfd / photo-pagebook[.]info Related LNK sample and extracted C2
SHA-1 / C2 fb9e1728a0017321fd74f6f9b860b1d5af05d392 / photo-26654[.]cfd Related LNK sample and extracted C2
SHA-1 / C2 5a944255ee92ba70654d6ed73a52b5de22942340 / hotelphotoadm[.]info Related LNK sample and extracted C2
SHA-1 / C2 7ae18cb6532f2ebb0b6231509541118b52583dc0 / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 e924650b4fb36679243e7e511fe8e1b00ab2fe6b / checkphoto-bookin[.]com Related LNK sample and extracted C2
SHA-1 / C2 717e816d99377e285f894457d7a662d85f39053f / fancystraits[.]info Related LNK sample and extracted C2
SHA-1 / C2 b255bda9419d919501ae89fadab3ba54e5c0e86b / lastnight[.]info Related LNK sample and extracted C2
SHA-1 / C2 65b2a34be17b3d31221d55f9829f7d876634eaed / tracerecord[.]info Related LNK sample and extracted C2
SHA-1 / C2 17abeb78bb862d702d4e63d746c58d2d805d71ee / haddjskak827sja[.]com Related LNK sample and extracted C2
SHA-1 / C2 33f6d432464c20bbdf019f62510435e9a45e29bc / photo-27657[.]cfd Related LNK sample and extracted C2
SHA-1 / C2 11b2f77a7abf1593648bbcc5bdeb27c4f890aef3 / photo-26654[.]cfd Related LNK sample and extracted C2
SHA-1 / C2 4e3baea41d73967aac96b3cb6525b9edb0ccacd8 / strayweirds[.]info Related LNK sample and extracted C2
SHA-1 / C2 e086583b8bd11a5a146e522f5ac8d8ac68111f44 / photo-26654[.]cfd Related LNK sample and extracted C2
SHA-1 / C2 932f4b274e6f08c55b64a4e7a0cbbe9dff829649 / tracerecord[.]info Related LNK sample and extracted C2
SHA-1 / C2 0b6e6d9c0091b1f8580bee455eb2199a4fe8a7e0 / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 206810a3effe5e477ffc441731b58f7f6cd2c04b / checkphoto-bookin[.]com Related LNK sample and extracted C2
SHA-1 / C2 b75d84cc997bfcc8e0f03b091e067a74030b29ce / photo-62454[.]cfd Related LNK sample and extracted C2
SHA-1 / C2 7ba0659c3c33ff97a3c8e10a304b26a58f450b4e / flamecube[.]info Related LNK sample and extracted C2
SHA-1 / C2 954a7dc750ac502c51dfd7db2068a11961b2f342 / lastnight[.]info Related LNK sample and extracted C2
SHA-1 / C2 c45a08b8bfa12241865dc82b417a29dbc2510a54 / confbookphoto[.]info Related LNK sample and extracted C2
SHA-1 / C2 6145aabf54337e633670aa2e82835fae97612a5d / aboutbookphoto[.]pro Related LNK sample and extracted C2
SHA-1 / C2 4edec9cff71c5467808c0a919ba05f13489d21ab / ancamp[.]info Related LNK sample and extracted C2
SHA-1 / C2 df5197155515d5f706ecb9b2b326e11d9ed215ed / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 efd4283b06ae8a9555475f91f59a733b7b73ddfa / book-imagegallery[.]info Related LNK sample and extracted C2
SHA-1 / C2 27e1eeb34bd8bd4b54760f15c88dd33f58507e09 / lastnight[.]info Related LNK sample and extracted C2
SHA-1 / C2 391485c342138e8d137d88f927423eb5d7c00ad6 / vault-docs-x[.]info Related LNK sample and extracted C2
SHA-1 / C2 5edc16ff32ff12ee2bf0abbc85a62b93eddab3b3 / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 a47ce3551596100173879d406d75b5f960d25c02 / photohotels-visit[.]cloud Related LNK sample and extracted C2
SHA-1 / C2 194fb8cbab8b030944e9a1ec44f2e4383f394589 / replyjoke[.]info Related LNK sample and extracted C2
SHA-1 / C2 bd80fa9a88e0b201dbd0e1814d5884c6ac011e5b / photo-26656[.]cfd Related LNK sample and extracted C2
SHA-1 / C2 0d9796ccb481b09bd92bbe1d7719d0939f645514 / photo-132454[.]cfd Related LNK sample and extracted C2
SHA-1 / C2 8e0e6e3ef3adf32db8ab3826377e0da7e8adb815 / photo-26653[.]cfd Related LNK sample and extracted C2
SHA-1 / C2 e792d6b848af9ed81d98a15b2d2fc5c80eba321a / lightsnow[.]info Related LNK sample and extracted C2
SHA-1 / C2 9dd1ff00c45da21a2eb57f612f7da5dfe57738f0 / photo-27657[.]cfd Related LNK sample and extracted C2
SHA-1 / C2 582cd134c017435b027a2fea86f4e584d69a214f / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 9b7fcaed4634dd918a26352f12a26f04c52be3a1 / safegallery[.]info Related LNK sample and extracted C2
SHA-1 / C2 3c908051cdef94e60b6f444e8719d291a57a2941 / marmoteilefinance[.]com Related LNK sample and extracted C2
SHA-1 / C2 42b40f25d025f23e42aa44f98466ce08bf022f26 / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 5a14c0a131c4e5a729a28556b119876651a4047f / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 6f171cc3fe263ff8257c4a8cc38b1cf71fd46343 / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 37b61fb43cf3aee0c0c6b3347abd018fc5eb0a5c / photobookadm[.]pro Related LNK sample and extracted C2
SHA-1 / C2 0225c25e9e7462a80ec157c76e2479487c8508bd / checkphoto-bookin[.]com Related LNK sample and extracted C2

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.