Victims received an email about a purported legal "claim" or "arbitration matter." The email contained a link to a file-sharing service (like Dropbox or OneDrive) to download the ZIP file.
Inside the heavennhell_en.zip archive was typically an LNK file (a Windows shortcut). File: heavennhell_en.zip ...
The group is known for using shortcut files to bypass traditional security filters that might block .exe attachments. If you're investigating this for a security report,
When the user clicked the LNK file, it triggered a series of commands (often using PowerShell or legitimate Windows tools like mshta.exe) to download and execute the TinyNode or TinyPosh backdoor.
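For triage of a downloaded archive like the one described above, the following added example (not from the original page) flags ZIP members that are Windows shortcuts, by extension or by Shell Link header, and reports whether they mention the tools named here. The function names, the size cap and the sample archive contents are assumptions constructed for illustration.

```python
import io
import zipfile

# Shell Link header per MS-SHLLINK: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Tools this page names as launched by the shortcut.
SUSPECT_TOOLS = ("powershell", "mshta.exe")
MAX_MEMBER = 1024 * 1024  # assumed cap so an oversized member is never fully read

def find_tools(data):
    """Return suspect tool names present as ASCII or UTF-16LE text."""
    lowered = data.lower()  # lowercases ASCII letters, leaves other bytes alone
    return [t for t in SUSPECT_TOOLS
            if t.encode("ascii") in lowered or t.encode("utf-16-le") in lowered]

def triage_zip(blob):
    """Flag archive members that are shortcuts by extension or by header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                data = member.read(MAX_MEMBER)
            header_ok = data.startswith(LNK_MAGIC)
            if header_ok or info.filename.lower().endswith(".lnk"):
                findings.append({"name": info.filename,
                                 "header_ok": header_ok,
                                 "tools": find_tools(data)})
    return findings

def build_sample():
    """Constructed sample: header bytes plus a text fragment, not a working shortcut."""
    fake_lnk = (LNK_MAGIC + b"\x00" * 60
                + "PowerShell.exe -placeholder".encode("utf-16-le"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("claim_notice.lnk", fake_lnk)           # constructed name
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("scan.pdf", LNK_MAGIC + b"\x00" * 60)   # shortcut under another extension
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print(finding)
```

A string match like this is a first-pass filter only; a shortcut whose command line is obfuscated or stored outside the first megabyte needs a full Shell Link parser.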