New Multi-Stage LNK Attack Targets Hospitality Firms With Node.js Backdoor
Hospitality firms are being targeted in an active phishing campaign that uses fake booking-related emails to deliver a multi-stage Node.js backdoor.
The attack chain abuses Google Share links, malicious ZIP archives, Windows shortcut files, PowerShell, and the TON blockchain to evade security controls and maintain resilient command-and-control communications.
The initial email contains a booking-themed lure with a Google Share URL, a legitimate-looking hosting service that can help the campaign bypass reputation-based email filtering.
Victims are redirected from share[.]google/YLoRYlokrW3iner8r to recordstrace[.]info/5bC6vVOeP9PI3B08, where they are prompted to obtain a ZIP archive through direct download or ClickFix-style social engineering.
Inside the archive is a malicious .lnk file disguised as an image by using an icon from shell32.dll. Launching the shortcut silently triggers an obfuscated PowerShell command.
Contents of the archive file (Source : LevelBlue).
The script hides its destination domain within two large integer values, subtracting one value from the other before recovering the URL byte by byte through bitwise operations or equivalent modulo and integer-division logic.
Researchers identified variants using the same core logic to reconstruct recordstrace[.]info, suggesting the operators are altering superficial obfuscation while retaining the broader execution chain.
The PowerShell stage checks whether node.exe is already present on the system. If not, it downloads the legitimate Node.js package, specifically Node.js v24.13.0, from the official Node.js distribution site and extracts it into the user’s LocalAppData directory.
This living-off-trusted-software approach makes the activity more difficult to distinguish from legitimate application deployment.
Multi-Stage LNK Attack
The LevelBlue Managed Threat Research team investigated a security alert in a customer environment involving a malicious ZIP file containing a Windows shortcut (.lnk) used for initial execution.
Decrypted content using CyberChef (Source : LevelBlue).
The loader then Base64-decodes and AES-128-CBC decrypts the next-stage JavaScript payload and its associated C2 information.
It launches the recovered payload through the installed or newly dropped Node runtime, effectively turning a legitimate developer framework into a malware execution environment.
The JavaScript backdoor is heavily protected with a custom virtual machine interpreter. Rather than directly exposing malicious JavaScript instructions, the malware decodes Base64 blobs and interprets encoded bytecode at runtime.
This technique complicates static analysis, weakens signature-based detections, and obscures the backdoor’s core capabilities.
The implant checks whether its dropped Node.js process is already running, preventing duplicate instances. It also establishes persistence through the HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key, configured to launch the Node.js executable and backdoor whenever the user logs in.
The process runs detached, with output suppressed and its window hidden.
A notable feature is its use of EtherHiding through the TON blockchain. The backdoor queries the TONAPI endpoint for a smart-contract account’s domain data, retrieving the active C2 address from blockchain-hosted information rather than hard-coding it in the payload.
This lets operators update C2 infrastructure through smart-contract transactions when domains are blocked or seized.
Observed historic C2 domains include tonajukbhuakpo2[.]shop, zloapobikahy23[.]bond, hsaertyuoang34[.]sbs, and amanohuguta[.]cfd.
The function creates an object containing references to several internal variables through JavaScript getters and setters before passing them to the vmn_c51b70 function.
Bottom of the script showing the execution of function q() (Source : LevelBlue).
After obtaining a live address, the malware connects through WebSocket using a URL pattern resembling wss:///w?user_id=.
The backdoor uses secp256k1 elliptic-curve Diffie-Hellman key exchange, HKDF, and AES-256-CBC to establish encrypted sessions. It can retrieve and execute additional PE files, PowerShell commands, and JavaScript payloads.
Before running downloaded binaries, it validates the PE header, writes the file to the temporary directory, and attempts to add a Microsoft Defender exclusion.
Defenders should monitor for suspicious .png.lnk files, unexpected Node.js downloads in user-writable folders, PowerShell process creation from shortcuts, Run-key persistence, TONAPI requests, and outbound WebSocket connections.
LevelBlue observed more than 400400400 related samples linked to the MachineID win-5r0dsv23ed0, with submissions dating to March 2026, indicating sustained and ongoing campaign activity.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide