When the user clicked the LNK file, it triggered a series of commands (often using PowerShell or legitimate Windows tools like mshta.exe ) to download and execute the TinyNode or TinyPosh backdoor.
The file is a specific archive associated with a ransomware campaign attributed to the threat actor group known as OldGremlin (also tracked as TinyGremlin). Context and Origin
The group is known for using shortcut files to bypass traditional security filters that might block .exe attachments. If you're investigating this for a security report ,
Inside the heavennhell_en.zip archive was typically a LNK file (a Windows shortcut).
If it has already been opened, disconnect the computer from the network immediately to prevent the spread of the infection.
