So not only does Lenovo hide executables in alternate data streams, that can be launched as if ran from within the Windows folder. It's writable by logged in users. And it was first discovered six years ago, and is still there.
On top of that, Lenovo is apparently not going to release any patches, they're just going to give out some "remediation guidance".
I live on the other side of the world from their HQ, and I can hear the lawyers screaming and paralegals furiously typing.