Photo ZIP Phishing Hits Hotels with Node.js Implant
Microsoft Threat Intelligence tracks active campaign deploying TonRAT malware against hospitality sector in Europe and Asia via fake guest complaint emails.
A phishing campaign targeting hotels across Europe and Asia has been deploying a previously undocumented Node.js-based backdoor since April 2026, according to Microsoft Threat Intelligence. The operation specifically targets front desk staff with emails posing as guest complaints about bedbugs, health inspections, and negative reviews.
TL;DR
- What happened: Multi-stage phishing campaign delivers TonRAT malware via photo-themed ZIP archives
- Who's affected: Hotels and hospitality organizations in Europe and Asia
- Attack vector: Fake Calendly notifications with photo attachments
- Action required: Block WebSocket traffic to non-standard ports; monitor for Node.js processes in user AppData directories
How the Attack Chain Works
The operators have constructed a sophisticated delivery mechanism designed to evade email security controls. Messages arrive with the display name "Booking Manager (via Calendly)" and route through Calendly's legitimate email infrastructure, passing SPF, DKIM, and DMARC authentication checks. Microsoft calls this technique "authentication laundering."
Clicking the embedded link triggers a multi-hop redirect chain: Calendly to Google's URL redirect service to a Cloudflare-fronted .cfd domain protected by a Turnstile CAPTCHA challenge. Victims who proceed download a ZIP archive named something like photo-839251.zip containing Windows shortcut files disguised as images.
The .lnk files execute PowerShell that uses BigInt arithmetic to decode a hidden download URL—a technique that frustrates static analysis tools. The script then fetches legitimate Node.js v24.13.0 binaries directly from nodejs.org and installs them into the user's AppData folder, avoiding system-wide installation that would require elevated privileges.
TonRAT Capabilities
The implant, which Microsoft tracks as TonRAT, resolves its command-and-control servers dynamically through The Open Network (TON) blockchain API. This approach makes traditional domain blocklisting ineffective since the C2 addresses change without any update to the malware itself.
TonRAT establishes encrypted WebSocket connections over non-standard ports including 8443, 8445, 8453, 5555, and 56001-56003. Its capabilities include headless browser automation with the --headless --no-sandbox flags, geolocation checks via ip-api.com, and the ability to execute forced system shutdowns.
The malware achieves persistence through dual registry entries: a RunOnce key and a dedicated Node.js Run key, with runtime files stored in AppData\Local\Nodejs.
Why Hotels?
The campaign's targeting makes tactical sense. Front desk staff routinely interact with attachments as part of daily operations—guest IDs, booking confirmations, complaint documentation. A ZIP file labeled "photos" from a disgruntled guest raises fewer red flags than it would in other industries.
Observed victim device naming patterns include reception terminals, front office systems, and hotel-branded devices, confirming the threat actor's deliberate focus on hospitality. Lure messages appeared in Japanese, Danish, and Dutch, with Japanese variants being most common.
The technique echoes callback phishing tactics we've covered in retail and hospitality previously—threat actors continue to find creative ways to weaponize trust in routine business communications.
Attribution Gap
Microsoft has not attributed this campaign to a known threat actor. The operators' ultimate objective remains unclear: no confirmed data theft, ransomware deployment, or specific victims have been publicly identified. The infrastructure and tradecraft suggest a financially motivated operation, but the extensive effort to maintain persistent access hints at longer-term plans.
Security researchers at SOC Prime and ITOCHU documented related activity roughly two weeks before Microsoft's public disclosure, indicating the campaign has been on defenders' radar for some time.
Detection and Mitigation
Organizations in the hospitality sector should implement several immediate defenses:
- Monitor for anomalous Node.js activity: alert on node.exe processes spawned from user AppData directories, particularly those establishing outbound WebSocket connections
- Block non-standard ports: consider blocking outbound traffic on ports 8443, 8445, 8453, 5555, and 56001-56003 at the network perimeter
- Review email authentication: authentication laundering through legitimate services like Calendly can bypass traditional email security; train staff to verify unexpected photo requests through alternative channels
- Inspect for persistence: check for unexpected RunOnce and Run registry entries referencing Node.js in user directories
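One way to turn the host-side items in the list above (and the persistence and C2 details from the TonRAT Capabilities section) into a hunt over endpoint telemetry, as an added example that is not Microsoft's code and not part of the original article: three rules run over constructed Sysmon-style events and flag node.exe launched from a user AppData directory, connections from such a process to the listed C2 ports, and Run/RunOnce values pointing at node.exe under a user profile. The event field names, hostname, PIDs, file names and IP addresses are assumptions of the example; the ports, the AppData\Local\Nodejs path and the Run/RunOnce persistence come from the article.

```python
"""Hunt for the TonRAT indicators described above in endpoint telemetry.

Added example (not Microsoft's or any vendor's code). The events below are
constructed to resemble Sysmon-style process, network and registry records;
their field names, hostname, PIDs, paths and IP addresses are assumptions
of this example.
"""
import re
from dataclasses import dataclass

# WebSocket C2 ports listed in the article.
SUSPECT_PORTS = {8443, 8445, 8453, 5555, 56001, 56002, 56003}

# node.exe running from a per-user AppData directory (no elevation needed).
APPDATA_NODE = re.compile(r"\\Users\\[^\\]+\\AppData\\.*\\node\.exe$", re.IGNORECASE)

# HKCU Run / RunOnce keys, and a value whose command references node.exe in a user profile.
AUTORUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\b", re.IGNORECASE
)
USER_NODE_CMD = re.compile(r"\\Users\\[^\\]+\\AppData\\.*node\.exe", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def check_process(ev):
    """Rule 1: node.exe spawned from a user AppData directory."""
    if ev["event"] == "process_create" and APPDATA_NODE.search(ev["image"]):
        return Finding("node_from_appdata", ev["host"], ev["image"])
    return None


def check_network(ev, suspect):
    """Rule 2: outbound connection to a listed C2 port from AppData node.exe.

    The port test is gated on the process context so that legitimate
    traffic on 8443 from other software does not fire the rule.
    """
    if ev["event"] != "network_connect" or ev["dest_port"] not in SUSPECT_PORTS:
        return None
    if (ev["host"], ev["pid"]) in suspect or APPDATA_NODE.search(ev["image"]):
        return Finding("node_c2_port", ev["host"],
                       f"{ev['image']} -> {ev['dest_ip']}:{ev['dest_port']}")
    return None


def check_registry(ev):
    """Rule 3: Run/RunOnce persistence pointing at node.exe under a user profile."""
    if (ev["event"] == "registry_set" and AUTORUN_KEY.search(ev["key"])
            and USER_NODE_CMD.search(ev["data"])):
        return Finding("node_autorun", ev["host"],
                       f"{ev['key']}\\{ev['value']} = {ev['data']}")
    return None


def hunt(events):
    """Run all rules over an event stream; returns findings in event order."""
    findings, suspect = [], set()
    for ev in events:
        for hit in (check_process(ev), check_network(ev, suspect), check_registry(ev)):
            if hit:
                findings.append(hit)
                if hit.rule == "node_from_appdata":
                    # Remember the process so later network events can be tied to it.
                    suspect.add((ev["host"], ev["pid"]))
    return findings


# Constructed telemetry: one reception terminal with a benign system-wide
# Node.js install alongside a per-user copy matching the article's description.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "RECEPTION-01", "pid": 4120,
     "image": r"C:\Users\frontdesk\AppData\Local\Nodejs\node.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event": "process_create", "host": "RECEPTION-01", "pid": 4200,
     "image": r"C:\Program Files\nodejs\node.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"event": "network_connect", "host": "RECEPTION-01", "pid": 4120,
     "image": r"C:\Users\frontdesk\AppData\Local\Nodejs\node.exe",
     "dest_ip": "203.0.113.10", "dest_port": 8453},
    {"event": "network_connect", "host": "RECEPTION-01", "pid": 4200,
     "image": r"C:\Program Files\nodejs\node.exe",
     "dest_ip": "198.51.100.7", "dest_port": 8443},
    {"event": "registry_set", "host": "RECEPTION-01", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "Nodejs",
     "data": r"C:\Users\frontdesk\AppData\Local\Nodejs\node.exe C:\Users\frontdesk\AppData\Local\Nodejs\app.js"},
    {"event": "registry_set", "host": "RECEPTION-01", "pid": 3100,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive",
     "data": r"C:\Users\frontdesk\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed events, the hunt reports the AppData node.exe launch, its connection to port 8453 and the RunOnce entry, while the system-wide node.exe talking to 8443 and the OneDrive autorun stay quiet. The port rule is deliberately tied to the process context rather than fired on port number alone, since 8443 in particular carries plenty of legitimate traffic; a perimeter block as the article suggests is a separate control.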
The use of legitimate infrastructure like Calendly and Google redirects makes blocking at the URL level difficult. Organizations relying on those services for legitimate business operations will need to balance security controls against operational requirements.
For organizations unfamiliar with the broader threat landscape, our phishing email examples guide covers common social engineering patterns that employees should recognize.
Why This Matters
The hospitality industry handles substantial volumes of personally identifiable information—passport numbers, payment card data, travel itineraries—making hotels attractive targets for both financially motivated criminals and state-sponsored actors conducting travel surveillance. A persistent implant on a front desk terminal could enable anything from payment card theft to guest tracking.
The campaign's sophistication, particularly the authentication laundering technique and blockchain-based C2 resolution, represents an evolution in phishing infrastructure that defenders across all industries should study. These techniques will migrate to other sectors as they prove effective.