The LevelBlue Managed Threat Research team investigated a security alert in a customer environment involving a malicious ZIP file containing a Windows shortcut (.lnk) used for initial execution. When triggered, the LNK file executes a hidden PowerShell command that downloads a legitimate node.exe binary and deploys a NodeJS-based backdoor. The malware also uses the EtherHiding technique, leveraging the TON blockchain to retrieve its command-and-control (C2) address.