Phishing
Photo-themed phishing campaign targets European and Asian hotels with Node.js implant

A sophisticated phishing campaign has been actively targeting hotel and hospitality organizations across Europe and Asia since April 2026, according to Microsoft. The attackers use photo-themed ZIP files to deliver a Node.js implant, aiming to compromise front-desk machines, and have been observed using techniques that bypass email security controls, The Hacker News reports.

The campaign, which Microsoft has not attributed to a known threat actor, uses lures referencing common hotel operational issues such as guest complaints, bedbug infestations, and health inspections. Emails are sent through Calendly and Google's URL redirect service, a method Microsoft terms "authentication laundering", so that messages pass SPF, DKIM, and DMARC checks under the redirect provider's domain reputation. Victims are sent through multiple redirects to a malicious .cfd domain, where they download a ZIP file containing a Windows shortcut disguised as an image. Executing the shortcut triggers a PowerShell script that decodes a hidden URL, downloads a .ps1 file, and installs a legitimate Node.js runtime to execute the TonRAT implant.

The implant communicates with its command-and-control servers through the TON blockchain API and opens an encrypted WebSocket channel. While the attackers' ultimate goal remains unclear, persistence relies on RunOnce entries and Run keys that launch Node.js, so remediation on reception, reservation, and front-office systems should cover those registry locations as well as the dropped runtime and scripts.

Source: The Hacker News
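As an added example (not code from Microsoft, The Hacker News, or the campaign itself), the following Python script shows two offline triage checks for the artefacts described above: a lure ZIP whose "photo" is really a .lnk shortcut, and Run/RunOnce values that launch a Node.js runtime or a staged script from a user-writable path. Every archive member name, registry value name and path below is constructed for illustration; the article does not name the campaign's real artefacts, and the `reg query` output format and `node.exe` binary name are the only real-world specifics assumed.

```python
"""Offline triage for the two artefacts the article describes: a lure ZIP
whose "photo" is a Windows shortcut, and Run/RunOnce values that launch a
Node.js runtime (or a staged script) from a user-writable path.

Added example, not Microsoft's or The Hacker News' code. Every member
name, registry value and path below is constructed for illustration.
"""
import io
import re
import zipfile

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".heic", ".webp")

# Paths a non-admin front-desk user can write to; a runtime dropped by a
# phishing chain lands here rather than under Program Files.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\", re.IGNORECASE
)

# One value line as printed by `reg query <key> /s`: name, REG_* type, data.
REG_VALUE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+)$")


def suspicious_shortcuts(zip_bytes):
    """List .lnk members of a ZIP, tagging those whose name ends in an image
    extension before the .lnk (the 'photo' that is really a shortcut)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if not name.endswith(".lnk"):
                continue
            disguised = name[:-4].endswith(IMAGE_EXTS)
            hits.append((info.filename, "image-disguised" if disguised else "shortcut"))
    return hits


def iter_run_values(reg_query_output):
    """Yield (key, value_name, data) from `reg query` text, tracking the
    key header that precedes each block of values."""
    key = None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = REG_VALUE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data")


def flag_persistence(reg_query_output):
    """Return (key, value_name, reason) for Run/RunOnce values that invoke
    node.exe, or a .js/.ps1 script that lives in a user-writable path."""
    findings = []
    for key, name, data in iter_run_values(reg_query_output):
        lower = data.lower()
        if "node.exe" in lower:
            reason = "launches Node.js runtime"
        elif re.search(r"\.(js|ps1)\b", lower) and USER_WRITABLE.search(data):
            reason = "runs script from user-writable path"
        else:
            continue
        findings.append((key, name, reason))
    return findings


def build_sample_zip():
    """Constructed lure archive: one placeholder JPEG and one shortcut named
    to pass as a second photo. The .lnk bytes are a stand-in, not a real
    shortcut, so nothing here is executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("room_312/complaint_photo1.jpg", b"\xff\xd8\xff\xe0 placeholder")
        zf.writestr("room_312/complaint_photo2.jpg.lnk", b"L\x00\x00\x00 placeholder")
    return buf.getvalue()


# Constructed `reg query` output: a benign OneDrive entry beside a Node.js
# loader in Run and a staged PowerShell script in RunOnce. Invented names.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\frontdesk\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    NodeSvc    REG_SZ    "C:\Users\frontdesk\AppData\Roaming\node\node.exe" "C:\Users\frontdesk\AppData\Roaming\node\start.js"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Setup    REG_SZ    powershell.exe -w hidden -f "C:\Users\frontdesk\AppData\Local\Temp\stage.ps1"
"""

if __name__ == "__main__":
    for member, tag in suspicious_shortcuts(build_sample_zip()):
        print(f"ZIP: {member} [{tag}]")
    for key, name, reason in flag_persistence(SAMPLE_REG):
        print(f"{key}\\{name}: {reason}")
```

On a real host, feed `flag_persistence` the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s` (and the RunOnce and HKLM equivalents) and `suspicious_shortcuts` the quarantined attachment; the OneDrive entry is deliberately left unflagged to show that a user-writable path alone is not the signal, the combination with node.exe or a staged script is.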
