Microsoft warns that a multi‑stage phishing campaign using photo‑ZIP files and a Node.js implant has hit European and Asian hotels since April 2026, detailing
A multi‑stage phishing campaign that delivers a Node.js‑based implant has been active against hospitality organizations across Europe and Asia since April 2026, according to Microsoft Threat Intelligence [1]. The campaign uses ZIP files masquerading as photo archives to lure front‑desk staff, then leverages PowerShell obfuscation, “authentication laundering” via Calendly and Google redirects to get past email authentication, and persistence in both the HKCU Run and RunOnce registry keys to survive reboots.
| At a glance | Detail |
|---|---|
| Campaign start | April 2026 |
| Target sector | Hospitality (hotels) in Europe and Asia |
| Initial payload | Photo‑ZIP containing an LNK shortcut |
| Malware component | Node.js implant (v24.13.0), tracked as TonRAT |
The first stage is a ZIP file named photo‑<numbers>.zip that contains a shortcut file (IMG‑<numbers>.png.lnk in Wave 1, PHOTO‑<numbers>.png.lnk in Wave 2) [1]; because Explorer never displays the .lnk extension, the file appears to be an ordinary image. When the shortcut is opened it launches an obfuscated PowerShell script that decodes a hidden URL using BigInt arithmetic, fetches a .ps1 payload, and then installs a legitimate Node.js runtime from nodejs.org into the user’s AppData\Local folder [2]. The runtime itself is an unmodified, legitimate binary, so the malicious logic lives entirely in the JavaScript it executes. That component, tracked as TonRAT, establishes C2 communication over non‑standard ports (56001‑56003, 8443, 5555) and persists via both the HKCU\Run and HKCU\RunOnce registry keys [1].
Microsoft observed a shift in delivery in late May 2026: attackers began sending the phishing emails through Calendly’s email notification service, with the embedded link passing through Google’s URL redirect function, a technique dubbed “authentication laundering” [1]. Because the message is genuinely emitted by Calendly’s mail infrastructure, it passes SPF, DKIM, and DMARC for calendly.com; those checks vouch only for the sending domain, not for where the links lead, so the hop chain Calendly → Google redirect → Cloudflare‑fronted .cfd domain reaches the inbox looking legitimate [2]. The emails use multilingual lures (Japanese, Danish, Dutch) that reference guest complaints, bedbug reports, or inspection warnings, pressuring reception staff to click [2].
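To make that point concrete, here is an added example (not Microsoft’s, Calendly’s or Google’s code) that parses a constructed notification message: it reads the Authentication-Results header, resolves the Google redirect’s `q` parameter without fetching anything, and checks whether the domains the authentication actually vouches for cover the link’s final host. The mail server name, the message text, the booking path and the .cfd host are all invented for the example; a second, benign Calendly message shows the clean case.

```python
"""Header-vs-link check for 'authentication laundering'. Added illustration,
not vendor code; both messages below are constructed for the example."""
import re
from email import message_from_string
from urllib.parse import parse_qs, urlparse

# Constructed lure: Calendly really sent it, the link is laundered through
# google.com/url?q= to an invented attacker host on .cfd.
SAMPLE_EMAIL = """\
Authentication-Results: mx.hotel.example;
 spf=pass smtp.mailfrom=calendly.com;
 dkim=pass header.d=calendly.com;
 dmarc=pass header.from=calendly.com
From: Front Desk Notifications <notifications@calendly.com>
Subject: Bedbug complaint, room 412: guest photos attached
Content-Type: text/plain; charset=utf-8

Guest uploaded photos of the room. Review them here:
https://www.google.com/url?q=https://guest-photos-check.cfd/photo-48213.zip&sa=D
Thanks, Reception
"""

# Constructed benign notification: same authentication, link stays on calendly.com.
BENIGN_EMAIL = """\
Authentication-Results: mx.hotel.example;
 spf=pass smtp.mailfrom=calendly.com;
 dkim=pass header.d=calendly.com;
 dmarc=pass header.from=calendly.com
From: Calendly <notifications@calendly.com>
Subject: New event scheduled
Content-Type: text/plain; charset=utf-8

Manage this booking: https://calendly.com/app/scheduled_events/abc123
"""

OPEN_REDIRECTORS = {"www.google.com": "q", "google.com": "q"}  # host -> param carrying the target
SUSPECT_TLDS = {"cfd"}  # TLD seen in this campaign; extend from your own telemetry


def parse_auth_results(msg):
    """Map spf/dkim/dmarc -> (result, domain the check was evaluated for)."""
    hdr = msg.get("Authentication-Results", "")
    out = {}
    for mech, tag in (("spf", "smtp.mailfrom"), ("dkim", "header.d"), ("dmarc", "header.from")):
        m = re.search(rf"{mech}=(\w+)\s+{re.escape(tag)}=([\w.-]+)", hdr, re.I)
        if m:
            out[mech] = (m.group(1).lower(), m.group(2).lower())
    return out


def unwrap_redirect(url):
    """Resolve one hop through a known open redirector, offline."""
    u = urlparse(url)
    param = OPEN_REDIRECTORS.get(u.netloc.lower())
    if param:
        target = parse_qs(u.query).get(param)
        if target:
            return target[0]
    return url


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def analyze(raw):
    """Return auth results, per-link findings and a verdict for one message."""
    msg = message_from_string(raw)
    auth = parse_auth_results(msg)
    vouched = {d for res, d in auth.values() if res == "pass"}
    links = []
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        final = unwrap_redirect(url)
        host = urlparse(final).netloc.lower()
        links.append({
            "url": url, "final": final, "host": host,
            "redirected": final != url,
            # Authentication only covers these domains; anything else is unvouched.
            "vouched": any(in_domain(host, d) for d in vouched),
            "suspect_tld": host.rsplit(".", 1)[-1] in SUSPECT_TLDS,
        })
    auth_all_pass = all(auth.get(m, ("", ""))[0] == "pass" for m in ("spf", "dkim", "dmarc"))
    suspicious = any(l["redirected"] or l["suspect_tld"] or not l["vouched"] for l in links)
    return {"auth": auth, "auth_all_pass": auth_all_pass, "links": links,
            "verdict": "suspicious" if suspicious else "clean"}


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        r = analyze(raw)
        print(name, r["verdict"], [(l["final"], l["vouched"]) for l in r["links"]])
```

The lure and the benign booking carry byte-identical authentication results; the only thing that separates them is where the link resolves, which is why a mail gateway that stops at SPF/DKIM/DMARC pass cannot tell them apart.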
Beyond the initial Node.js implant, Wave 2 introduced dynamic .NET compilation via csc.exe to generate DLLs before deploying the Node.js component [1]. The malware also creates temporary executables in AppData\Local\Temp and later moves them to C:\ProgramData for longer‑term persistence [1]. Additional evasion steps include adding Defender exclusions with Add‑MpPreference (which requires local administrator rights, so the command itself is a useful telemetry pivot), launching a browser with headless flags (--headless --no‑sandbox), performing geolocation lookups via ip‑api.com, and issuing forced shutdown commands (cmd /c shutdown -s -t 0) [1].
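The stages in the two paragraphs above (the shortcut-launched PowerShell, the Node.js runtime dropped under AppData\Local with Run/RunOnce persistence and non‑standard C2 ports, and the Wave 2 csc.exe, Defender-exclusion, headless-browser, geolocation and shutdown activity) are each observable as host telemetry. The following is an added example, not Microsoft’s detection content, that encodes them as rules over constructed Sysmon-style events and only calls the host compromised when several stages chain together. Event field names follow the Sysmon schema; every path, SID, IP address, command line and rule name is an assumption made for the illustration.

```python
"""Hunt rules for the host-side chain described above, run over constructed
Sysmon-style events. Added illustration, not Microsoft's detection content;
field names follow Sysmon's schema, every path, SID and IP is invented."""
import json
import re

# Constructed events, one JSON object per line (Sysmon EID 1 = process create,
# 3 = network connect, 13 = registry value set, 22 = DNS query). The last two
# are benign noise: Node.js from Program Files and a browser talking to 8443.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -w hidden -ep bypass -f C:\\Users\\fd01\\AppData\\Local\\Temp\\stage1.ps1"}
{"EventID":1,"Image":"C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"csc.exe /noconfig /target:library /out:C:\\Users\\fd01\\AppData\\Local\\Temp\\x.dll"}
{"EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe Add-MpPreference -ExclusionPath C:\\ProgramData"}
{"EventID":13,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","TargetObject":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","Details":"C:\\Users\\fd01\\AppData\\Local\\node\\node.exe C:\\ProgramData\\app.js"}
{"EventID":13,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","TargetObject":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Updater","Details":"C:\\Users\\fd01\\AppData\\Local\\node\\node.exe C:\\ProgramData\\app.js"}
{"EventID":3,"Image":"C:\\Users\\fd01\\AppData\\Local\\node\\node.exe","DestinationIp":"203.0.113.10","DestinationPort":56001}
{"EventID":22,"Image":"C:\\Users\\fd01\\AppData\\Local\\node\\node.exe","QueryName":"ip-api.com"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Users\\fd01\\AppData\\Local\\node\\node.exe","CommandLine":"cmd /c shutdown -s -t 0"}
{"EventID":1,"Image":"C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe","ParentImage":"C:\\Users\\fd01\\AppData\\Local\\node\\node.exe","CommandLine":"msedge.exe --headless --no-sandbox --dump-dom about:blank"}
{"EventID":1,"Image":"C:\\Program Files\\nodejs\\node.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"node server.js"}
{"EventID":3,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationIp":"203.0.113.20","DestinationPort":8443}
"""

C2_PORTS = {56001, 56002, 56003, 8443, 5555}            # ports named in the report
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\")  # HKCU Run and RunOnce
HIDDEN_PS = re.compile(r"-w(indowstyle)?\s+hidden")


def field(e, key):
    """Lower-cased string form of an event field, '' when absent."""
    return str(e.get(key, "")).lower()


def user_node(s):
    """node.exe referenced from a user profile rather than Program Files."""
    return "node.exe" in s and "\\appdata\\local\\" in s


RULES = {
    "hidden_powershell_from_explorer": lambda e: e.get("EventID") == 1
        and field(e, "Image").endswith("powershell.exe")
        and field(e, "ParentImage").endswith("\\explorer.exe")
        and HIDDEN_PS.search(field(e, "CommandLine")) is not None,
    "csc_compile_from_powershell": lambda e: e.get("EventID") == 1
        and field(e, "Image").endswith("\\csc.exe")
        and field(e, "ParentImage").endswith("powershell.exe"),
    "defender_exclusion_added": lambda e: e.get("EventID") == 1
        and "add-mppreference" in field(e, "CommandLine")
        and "-exclusion" in field(e, "CommandLine"),
    "run_key_to_node_in_appdata": lambda e: e.get("EventID") == 13
        and RUN_KEY.search(field(e, "TargetObject")) is not None
        and user_node(field(e, "Details")),
    "user_node_to_c2_port": lambda e: e.get("EventID") == 3
        and user_node(field(e, "Image")) and e.get("DestinationPort") in C2_PORTS,
    "geoip_lookup_from_node": lambda e: e.get("EventID") == 22
        and user_node(field(e, "Image")) and field(e, "QueryName") == "ip-api.com",
    "headless_browser_from_node": lambda e: e.get("EventID") == 1
        and user_node(field(e, "ParentImage"))
        and "--headless" in field(e, "CommandLine") and "--no-sandbox" in field(e, "CommandLine"),
    "forced_shutdown_from_node": lambda e: e.get("EventID") == 1
        and user_node(field(e, "ParentImage")) and "shutdown -s" in field(e, "CommandLine"),
}


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_rules(events):
    """Return (rule_name, event_index) for every rule that fires."""
    return [(name, i) for i, e in enumerate(events)
            for name, pred in RULES.items() if pred(e)]


def host_verdict(hits, min_rules=3):
    """8443, 5555 and headless browsers are common on their own; the chain is
    the signal, so require several distinct stages before escalating."""
    stages = sorted({name for name, _ in hits})
    return ("likely compromised" if len(stages) >= min_rules else "inconclusive"), stages


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    hits = run_rules(evs)
    for name, i in hits:
        print(f"{name:32} event {i}")
    print(host_verdict(hits))
```

Run it as a script to list the firing rules. The two trailing benign events fire nothing, which is the reason the port and DNS rules are keyed to node.exe living under the user profile rather than to the port or the lookup alone.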
The campaign shows how threat actors tailor classic phishing lures to specific industry workflows, route mail through trusted services so that email authentication passes, and adopt cross‑platform runtimes like Node.js for flexible, long‑lasting access. Whether the operators aim for data theft, ransomware deployment, or other objectives remains unclear. Because the runtime is a legitimate binary, cleanup cannot rely on signature‑based removal alone: the Run and RunOnce entries, the scripts under C:\ProgramData, and the Node.js install under AppData\Local have to be removed together, and any Defender exclusions the malware added reverted.
AI-assisted synthesis by the TrendWatcher Editorial Desk · sourced from 3 outlets · Jun 26, 2026