An active phishing campaign has been targeting hotel and other hospitality organizations across Europe and Asia since April 2026, using photo-themed ZIP files to drop a Node.js implant and dig into front-desk machines, Microsoft says.
The company has not attributed the activity to a known threat actor, and the operators’ end goal is still unclear.
The lure plays to how hotels work. Phishing emails carry the display name “Booking Manager (via Calendly)” and reference guest complaints, bedbug infestations, room inquiries, health inspections, and stay reviews.
The lures came in Japanese, Danish, and Dutch, with Japanese the most common. The subject line names no recipient or property, which points to high-volume, list-driven sending rather than tailored spear phishing. The pressure is reputational: complaints, final warnings, threatened inspections.
The delivery is the interesting part. The operators route messages through Calendly’s email notification system and Google’s URL redirect service, a trick Microsoft calls authentication laundering. Emails sent through the direct Calendly path pass SPF, DKIM, and DMARC, because they really are sent from authorized infrastructure.
The checks confirm the sender is allowed to send. They say nothing about what the message is for. A multi-hop chain then walks the victim from a Calendly link through share.google and a Google redirect to a freshly registered, Cloudflare-fronted .cfd domain. That domain sits behind a Turnstile challenge that doubles as anti-analysis.
Click through, and the target downloads a file named photo-
Opening it fires PowerShell. The script uses BigInt arithmetic to decode a hidden download URL, pulls a .ps1 to %TEMP%, and drops a legitimate Node.js v24.13.0 runtime from nodejs.org into user space, which then runs the JavaScript implant. No system-wide Node install is needed.
The implant is tracked as TonRAT. It resolves its C2 domains through the TON blockchain API, then opens an encrypted WebSocket channel, per SOC Prime. Fetching domains on the fly makes static blocklists less useful.
After the compromise, the implant beaconed to fixed IPs over non-standard ports: 8443, 8445, 8453, 5555, and 56001 to 56003. Some hosts also showed headless browser automation (–headless –no-sandbox), an ip-api.com geolocation check, and a forced shutdown via cmd /c shutdown -s -t 0. Microsoft has not reported confirmed data theft, ransomware, or named victims.
Full remediation has to hit both persistence paths: the RunOnce entry pointing into ProgramData and the Node.js Run key, plus the runtime and .js files under AppData\Local\Nodejs. Pulling one leaves the other alive. Reception, reservations, and front office systems are the first places to look.
The campaign is not brand new. SOC Prime andÂ
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
