Microsoft has disclosed details of an active phishing campaign targeting hotels and hospitality organizations across Europe and Asia, in which attackers use photo-themed ZIP archives, delivered through a chain of redirects rather than as direct email attachments, to deploy a Node.js-based malware implant on front desk systems. According to the company’s findings, the campaign has been active since April 2026 and has primarily targeted hospitality businesses with phishing emails that imitate legitimate customer communications. Microsoft has not attributed the activity to any known threat actor, and the final objective of the campaign remains unknown. Researchers nonetheless assess that the operation is carefully planned: it abuses trusted online services and multiple layers of redirection to bypass traditional email security controls and to establish persistent access to targeted systems.
The phishing emails use the display name “Booking Manager (via Calendly)” and contain messages referencing guest complaints, room inquiries, bedbug reports, health inspections, and customer stay reviews. These themes are intended to create urgency for hotel staff responsible for reservations and customer service. Microsoft noted that the campaign has been observed in Japanese, Danish, and Dutch, with Japanese-language messages appearing most frequently. The emails do not reference any specific hotel or recipient, suggesting the attackers are distributing messages at scale rather than conducting highly targeted spear phishing. To increase the credibility of the emails, the operators route them through Calendly’s legitimate email notification service and Google’s URL redirect infrastructure, a technique Microsoft describes as authentication laundering. Because the messages are genuinely sent by those authorized services, they pass SPF, DKIM, and DMARC checks; those checks only verify that the sending domain authorized the message, not that its content or links are safe, so a passing result makes the emails appear legitimate even though they lead recipients toward malicious content. Victims are redirected through multiple links before reaching a recently registered, Cloudflare-protected .cfd domain that presents a Turnstile verification challenge, which blocks the automated crawlers and sandboxes that email security products use to inspect links.
Once users complete the verification challenge, they download a ZIP archive with a photo-themed name. The archive contains what appears to be an image file but is actually a Windows shortcut with a .lnk extension; Windows Explorer never displays the .lnk suffix, even when file extensions are otherwise shown, so a file such as “photo.jpg.lnk” is listed simply as “photo.jpg”. Opening the shortcut launches a PowerShell script that uses BigInt arithmetic to decode a concealed download address and then retrieves a second PowerShell script into the system’s temporary directory. That script downloads a legitimate, unmodified Node.js 24.13.0 runtime directly from nodejs.org into the user’s profile and uses it to execute a JavaScript implant, so the malware runs even on hosts where Node.js was never installed and no malicious code is present in the runtime binary itself. The implant, tracked as TonRAT, resolves its command and control infrastructure through the TON blockchain API before establishing encrypted WebSocket communications. Security researchers noted that resolving domains dynamically through a blockchain service makes conventional static domain blocklists significantly less effective, because the operators can rotate the C2 domain by updating the on-chain record without changing the implant. Following successful infection, the malware communicates with remote servers over uncommon ports including 8443, 8445, 8453, 5555, and 56001 through 56003. Investigators also observed headless browser activity, geolocation checks against ip-api.com, and commands capable of immediately shutting down compromised systems. Microsoft stated that it has not confirmed ransomware deployment or data theft and has not publicly identified affected organizations.
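The following PowerShell triage script is an added example for the infection stage described above; it is not Microsoft’s or the cited researchers’ code. It assumes, as the article states, that the implant runs a legitimate node.exe dropped under %LOCALAPPDATA%\Nodejs, reaches its C2 over the listed ports, and performs a geolocation lookup against ip-api.com. The article does not name the files inside that directory, and the script does not assume any; it looks for node.exe running from that path, established connections to the listed ports, and cached DNS entries for ip-api.com.

```powershell
# Added triage example (not Microsoft's or the cited researchers' code).
# Assumptions from the article: node.exe runs from %LOCALAPPDATA%\Nodejs,
# C2 traffic uses the listed ports, and the implant queries ip-api.com.
# Run in an elevated PowerShell session on the endpoint being triaged.

$ImplantDir = Join-Path $env:LOCALAPPDATA 'Nodejs'
$C2Ports    = @(8443, 8445, 8453, 5555) + (56001..56003)

function Get-SuspectNodeProcess {
    # node.exe whose image path sits in the dropped runtime directory, as
    # opposed to a normal install such as C:\Program Files\nodejs
    Get-Process -Name node -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path.StartsWith($ImplantDir, [StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object {
            $cmd = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").CommandLine
            [pscustomobject]@{ PID = $_.Id; Path = $_.Path; CommandLine = $cmd }
        }
}

function Get-C2Connection {
    # Established TCP sessions to the ports Microsoft lists, from any process.
    # 8443 is also used by legitimate HTTPS services, so treat hits as leads
    # and pivot on the owning process rather than blocking on port alone.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $C2Ports -contains $_.RemotePort } |
        ForEach-Object {
            $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                PID     = $_.OwningProcess
                Process = $owner.ProcessName
                Image   = $owner.Path
            }
        }
}

function Get-GeoCheckDns {
    # The implant's geolocation lookup leaves a resolver cache entry behind
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like '*ip-api.com*' } |
        Select-Object Entry, RecordType, Data
}

$procs = @(Get-SuspectNodeProcess)
$conns = @(Get-C2Connection)
$dns   = @(Get-GeoCheckDns)

if ($procs) { Write-Output 'Suspect node.exe processes:';          $procs | Format-Table -AutoSize }
if ($conns) { Write-Output 'Connections to TonRAT-associated ports:'; $conns | Format-Table -AutoSize }
if ($dns)   { Write-Output 'Cached DNS entries for ip-api.com:';      $dns   | Format-Table -AutoSize }
if (-not ($procs -or $conns -or $dns)) { Write-Output 'No TonRAT runtime, C2 or geolocation indicators found on this host.' }
```

Because TonRAT carries a command to shut the host down, collect the process list, command lines and network state shown here before terminating anything; a memory capture taken first preserves the decoded C2 address and WebSocket session for the investigation.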
Microsoft advised organizations to perform comprehensive remediation because the malware establishes persistence through multiple mechanisms. Security teams should remove both the RunOnce registry value that launches a file under ProgramData and the Node.js Run registry value, and should also delete the Node.js runtime and associated JavaScript files stored under %LOCALAPPDATA%\Nodejs. Removing only one persistence mechanism may allow the malware to remain active on the system. Reception, reservations, and front office computers should receive immediate attention during incident response because they are the most likely to interact with booking-related emails. Microsoft also noted that its findings align with earlier research published by SOC Prime and ITOCHU, which documented the same phishing chain of malicious Windows shortcut files, PowerShell scripts, and the Node.js implant. The company added that booking-related phishing campaigns targeting hotel employees have become an increasingly common tactic, including previous operations that distributed PureRAT malware to steal Booking.com credentials. While investigators continue to analyze the campaign’s ultimate purpose, the combination of trusted email delivery methods, layered redirection, persistent malware installation, and sophisticated infrastructure highlights the need for hospitality organizations to strengthen email security awareness, monitor for suspicious activity, and promptly investigate unusual behavior on systems handling guest services.
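The following PowerShell script is an added example of the remediation procedure described above; it is not Microsoft’s published guidance verbatim. It covers the three artifacts the article names: a RunOnce value whose command points into ProgramData, a Run value associated with Node.js, and the runtime plus JavaScript files under %LOCALAPPDATA%\Nodejs. The article does not give the exact registry value names, so the script matches on the substrings “node” and “ProgramData”; this match is an assumption and should be tightened to the names observed in your environment. By default it only reports; -Remove deletes all three artifacts together, which is the point of Microsoft’s advice.

```powershell
# Added remediation example (not Microsoft's guidance verbatim).
# Matching on 'node' / 'ProgramData' is an assumption; the article does not
# name the registry values. Report-only by default; -Remove deletes all three
# persistence artifacts. HKLM changes need an elevated session.

param([switch]$Remove)

$ImplantDir = Join-Path $env:LOCALAPPDATA 'Nodejs'
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty attaches to every registry object; not autorun values
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Find-TonRatAutorun {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($MetaProps -contains $prop.Name) { continue }
            $value = [string]$prop.Value
            # Run value tied to Node.js, or a RunOnce command pointing into ProgramData
            if ($prop.Name -match 'node' -or $value -match 'node' -or $value -match 'ProgramData') {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Value = $value }
            }
        }
    }
}

function Find-TonRatRuntime {
    if (Test-Path $ImplantDir) {
        Get-ChildItem -Path $ImplantDir -Recurse -File |
            Where-Object { $_.Extension -in '.exe', '.js' } |
            Select-Object FullName, Length, LastWriteTime
    }
}

$autoruns = @(Find-TonRatAutorun)
$files    = @(Find-TonRatRuntime)

foreach ($a in $autoruns) { Write-Output "AUTORUN $($a.Key)\$($a.Name) = $($a.Value)" }
foreach ($f in $files)    { Write-Output "FILE    $($f.FullName) ($($f.Length) bytes, modified $($f.LastWriteTime))" }
if (-not ($autoruns -or $files)) { Write-Output 'No TonRAT persistence artifacts found.' }

if ($Remove) {
    # Stop the dropped runtime first; Remove-Item fails on a locked node.exe
    Get-Process -Name node -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -like "$ImplantDir*" } |
        Stop-Process -Force
    foreach ($a in $autoruns) { Remove-ItemProperty -Path $a.Key -Name $a.Name -ErrorAction Continue }
    if (Test-Path $ImplantDir) { Remove-Item -Path $ImplantDir -Recurse -Force }
    Write-Output 'Removed autorun values and runtime directory; reboot and re-run without -Remove to confirm nothing returned.'
}
```

Review every reported autorun value before passing -Remove: a legitimate application whose command line happens to contain “node” or “ProgramData” would match the assumed substrings, and the hotel’s own reservation software may live in either location. Run the report-only mode from your RMM or EDR across all reception, reservations and front office hosts first, since the article notes that those machines are the most likely to have opened the booking-themed emails.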