Microsoft flags photo ZIP phishing campaign targeting hotels in Europe and Asia

Microsoft said an active phishing campaign has targeted hotel and other hospitality organizations across Europe and Asia since April 2026, using photo-themed ZIP files to install a Node.js implant and gain access to front-desk machines. The company said the operator has not been identified and the end goal remains unclear.

KEY FACTS

  • Targets: Hotel and hospitality staff in Europe and Asia.
  • Lure: Emails used booking and complaint themes, including guest reviews, inspections and infestations.
  • Delivery: Messages routed through Calendly and Google redirect links before reaching a Cloudflare-fronted domain.
  • Payload: The chain dropped a ZIP file, a PowerShell script and a Node.js-based implant.
  • Tracking: The malware is known as TonRAT.

The company described the operation in a security blog post, saying the emails used display names such as “Booking Manager (via Calendly)” and were sent in Japanese, Danish and Dutch. Japanese was the most common language, and the subject lines did not name a specific recipient or property.

Microsoft said the operators used what it called authentication laundering, with a multi-hop path that started from Calendly and passed through Google redirect services before landing on a newly registered .cfd domain. The site used a Turnstile challenge as an anti-analysis step, then offered a file named photo-.zip.

Inside the ZIP was a shortcut file posing as an image. Opening it launched PowerShell, which decoded a hidden download link, fetched a script to %TEMP% and installed a legitimate Node.js runtime from nodejs.org in user space. That runtime then executed the JavaScript implant without a system-wide Node install.

The report said the implant, tracked as TonRAT, used the TON blockchain API to resolve command-and-control domains and then opened an encrypted WebSocket channel. It also noted beaconing to fixed IP addresses over non-standard ports, along with signs of headless browser automation and a forced shutdown on some hosts.

Microsoft said it had not confirmed data theft, ransomware or named victims. It also said cleanup can be incomplete if defenders remove only one persistence path, since the campaign left both a RunOnce entry and a Node.js Run key, plus files under AppData\Local\Nodejs.

WHY IT MATTERS

The campaign shows how attackers can combine trusted email infrastructure, redirect services and living-off-the-land tools to reach hospitality systems while avoiding simple filters. Hotels and similar businesses may need to check front-office systems for both persistence methods and the Node.js files described in the report.
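The persistence details above (a RunOnce entry, a Node.js Run key and files under AppData\Local\Nodejs) suggest a simple triage check. The script below is an added example written for this article, not code from Microsoft's report; because the report does not name the registry values, it matches autorun command lines on their content (a reference to node.exe or the user-space Nodejs folder), and the folder path and pattern are assumptions.

```powershell
# Added triage check (not from Microsoft's report): enumerate HKCU/HKLM Run and
# RunOnce values, flag any whose command line references node.exe or the user-space
# Nodejs folder, and list files under %LOCALAPPDATA%\Nodejs. Value names are not
# given in the report, so matching is on command content rather than a known name.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed indicators derived from the article's description of the chain.
$nodeDir  = Join-Path $env:LOCALAPPDATA 'Nodejs'
$pattern  = '(?i)\bnode(\.exe)?\b|\\Nodejs\\'
# Metadata properties that Get-ItemProperty adds to every result; not autorun values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        if ("$($p.Value)" -match $pattern) {
            $findings += [pscustomobject]@{ Type = 'Autorun'; Location = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}

# The runtime is a legitimate nodejs.org build, so hashing node.exe proves nothing;
# the location (a per-user Nodejs folder) is the lead worth reviewing.
if (Test-Path $nodeDir) {
    Get-ChildItem -Path $nodeDir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $_.DirectoryName; Name = $_.Name; Value = $_.LastWriteTime }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Run/RunOnce entries referencing Node.js and no $nodeDir folder found."
} else {
    $findings | Format-Table -AutoSize
    Write-Warning 'Review every autorun entry and file listed; removing a single persistence path leaves the other in place.'
}
```

A hit is a lead, not a verdict: a developer workstation may legitimately reference node.exe from an autorun, so confirm the command line and the launched script before acting.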