Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Linux Kernel FUSE Vulnerability (CVE-2023-XXXX) Lets Attackers Gain Root Privileges
July 10, 2026
Critical GNU Guix Vulnerabilities Let Attackers Elevate Privileges
July 10, 2026
Critical Windows Shortcut Vulnerability Allows Remote Code Execution
July 10, 2026
Home/Threats/Critical Windows Shortcut Vulnerability Allows Remote Code Execution
Threats

Critical Windows Shortcut Vulnerability Allows Remote Code Execution

Key Takeaways A new campaign leverages malicious Windows shortcuts (LNK files) to achieve remote code execution. The attack chain uses a multi-stage approach, combining social engineering,...

David kimber
David kimber
July 10, 2026 5 Min Read
2 0

Key Takeaways

  • A new campaign leverages malicious Windows shortcuts (LNK files) to achieve remote code execution.
  • The attack chain uses a multi-stage approach, combining social engineering, PowerShell, and a legitimate Node.js runtime to install a backdoor.
  • Threat actors are employing the TON blockchain to dynamically retrieve command-and-control (C2) infrastructure, making detection and takedown efforts more challenging.
  • Organizations, especially those in hospitality and travel, are at heightened risk due to the booking-themed phishing lures.
  • No specific CVE ID has been assigned, as the vulnerability exploits legitimate system functionalities in a malicious sequence rather than a single software flaw.

Malicious Windows Shortcuts Enable Remote Code Execution via Multi-Stage Attack

Cybersecurity researchers have uncovered an active campaign exploiting Windows shortcut files to facilitate remote code execution on victim systems. This sophisticated attack transforms what appears to be a benign file download into a complete compromise, establishing a persistent foothold for threat actors.

Table Of Content

  • Key Takeaways
  • Malicious Windows Shortcuts Enable Remote Code Execution via Multi-Stage Attack
  • Evasion Techniques and Target Profile
  • The Infection Chain: PowerShell and Node.js
  • Blockchain Retrieval Helps Backdoor Evade Disruption
  • What You Should Do

The campaign initiates with highly convincing spam emails, meticulously crafted to mimic booking or travel-related correspondence. These emails direct unsuspecting recipients to download a ZIP archive. Within this archive lies a booby-trapped LNK (shortcut) file, designed to appear innocuous, often disguised as an image file.

A single click on this malicious shortcut triggers a stealthy, multi-stage infection process. This chain of events ultimately installs a backdoor, granting attackers the capability to execute arbitrary commands remotely on the compromised device. For a detailed technical analysis, refer to the Malicious Windows Shortcuts Use PowerShell and Node.js to Enable Remote Code Execution report.

Evasion Techniques and Target Profile

Rather than deploying a single, easily detectable piece of malware, the attackers cleverly orchestrate a sequence of actions using legitimate Windows functionalities like PowerShell, combined with a genuine Node.js runtime. This tactic significantly complicates detection, as PowerShell, node.exe, and standard web services, when viewed in isolation, appear to be normal system processes.

This sophisticated approach not only aids in evading security mechanisms but also establishes persistence on the infected system, enables encrypted communications, and allows for the seamless delivery of additional malicious payloads post-initial compromise. LevelBlue analysts identified this activity during an investigation into a customer alert, noting that the campaign is designed to keep each stage hidden until the LNK shortcut is executed, as LevelBlue said in a report.

The campaign poses a significant threat to organizations that frequently process external communications, particularly those in the hospitality and travel sectors, which are accustomed to receiving reservation-related emails. Researchers have observed a consistent influx of new samples daily, with over 400 linked to a shared machine identifier, indicating a sustained and organized operation rather than sporadic attacks. Early instances of these malicious shortcuts were also found in public discussion forums.

The Infection Chain: PowerShell and Node.js

The attack sequence begins when a victim extracts the ZIP archive. Inside, a shortcut file, visually disguised as an image by leveraging an icon from shell32.dll, awaits execution. Instead of opening a picture, clicking this shortcut silently triggers a PowerShell command. This command employs obfuscation techniques, using mathematical operations on large numbers to construct its next stage’s address, thereby preventing direct visibility of the malicious destination within the shortcut itself.

The initial PowerShell script first determines if Node.js is already present on the system. If not, the attackers proceed to download a legitimate Node.js package (e.g., https://nodejs[.]org/dist/v24.13.0/node-v24.13.0-win-x64.zip), extract it into the user’s LocalAppData directory, and then decrypt an encoded JavaScript payload. The use of a trusted Node.js runtime helps bypass security scrutiny while providing the necessary environment for the backdoor to operate.

The JavaScript payload itself is heavily obfuscated, utilizing a custom virtual-machine-style interpreter to process its instructions dynamically at runtime. It checks for existing Node.js processes to prevent redundant installations and establishes persistence by creating a “Run” registry entry, ensuring it restarts with each user logon. The malicious process is launched in a detached state, with its window hidden and output suppressed, further enhancing its stealth.

Once active, the backdoor gains the ability to retrieve and execute additional content, including Windows executables, PowerShell scripts, or further JavaScript payloads. Before executing any downloaded executable, it performs a check to ensure the file’s legitimacy and attempts to add an exclusion for its path within Microsoft Defender, demonstrating advanced evasion capabilities. These actions collectively allow the attackers to gain extensive control over the compromised device from a single shortcut click.

Blockchain Retrieval Helps Backdoor Evade Disruption

A notable innovation in this campaign is the use of the TON blockchain for command-and-control (C2) infrastructure. Instead of embedding a fixed C2 address within the malware, the operators query a smart contract on the TON blockchain (specifically, the account 0c66119f0e5635c4380441d7a79baf0c02a0ab7ea6cd78de06507fc5dc2c1a5d9). This “EtherHiding” method allows them to update the C2 destination without modifying the malware itself, making it significantly harder for security teams to block and dismantle their operations. After retrieving the C2 address, the backdoor initiates an encrypted WebSocket connection using a key exchange protocol.

Analysis of contract records revealed several previously used control domains, with payload delivery and control servers often protected by Cloudflare. Researchers also observed recurring patterns in the malicious LNK file names, such as photo-*.png.lnk and IMG-*.png.lnk, and a consistent MachineID value (win-5r0dsv23ed0) across more than 400 related samples. These indicators suggest a highly coordinated and persistent threat actor.

Organizations are advised to treat any unexpected shortcut archives or booking-related links with extreme caution, especially if they prompt users to bypass security warnings during download or execution.

What You Should Do

  • Enhanced Email Filtering: Implement robust email filtering solutions to detect and quarantine suspicious ZIP attachments and links, particularly those from unverified senders.
  • Block Shortcut Execution: Configure Group Policies or endpoint security solutions to restrict or block the execution of shortcut files (.LNK) originating from email attachments or untrusted sources.
  • Monitor for PowerShell Activity: Actively monitor for unusual or hidden PowerShell command executions, especially those involving obfuscated scripts or attempts to download external binaries.
  • Detect Unauthorized Node.js Installations: Implement monitoring for new Node.js binaries appearing in user-specific folders (e.g., LocalAppData) or other non-standard locations.
  • Registry Monitoring: Watch for suspicious modifications to “Run” registry entries that establish persistence for unknown or newly installed executables.
  • Network Traffic Analysis: Monitor network traffic for connections to blockchain API services (e.g., tonapi[.]io) or unusual WebSocket communications, which could indicate C2 activity.
  • User Education: Conduct regular cybersecurity awareness training for employees, emphasizing the dangers of phishing, malicious attachments, and the importance of verifying sender legitimacy before clicking links or opening files.
  • Incident Response Plan: Ensure a well-defined incident response plan is in place to promptly isolate affected systems, analyze the scope of compromise, and eradicate the threat. Preserve original suspicious files (like the ZIP archive) for forensic analysis.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareSecurityThreatVulnerability

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

RoguePlanet Defender Patch (CVE-2023-XXXX) Exposes Data, Exhausts Disk Space

Next Post

Critical GNU Guix Vulnerabilities Let Attackers Elevate Privileges

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
New Windows Process Injection Technique Evades 4 EDR Solutions
July 10, 2026
Xalgorix AI Tool Vulnerability Exposes Sensitive Data
July 10, 2026
Odyssey Stealer Targets macOS Users and 300 Crypto Wallet Extensions Globally
July 10, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us