Not quite, PC gets hacked, on hacked machine someone does something like cd, but on that PC cd has been set up as an alias for some sort of command that downloads a malicious executable to the hackers machine and executed it.

That executable very well could be a keylogger, but doesn’t necessarily have to be. It could be be rm -rf --no-preserve-root / or a reverse shell or whatever really.

I imagine cd would be a terrible choice to alias given how much it’s used, but maybe something else more obscure could be used that is frequently used when bots/attackers are rummaging through files for stuff to steal.