An ongoing phishing operation has been targeting the hotel industry across Europe and Asia since April 2026. According to Microsoft, attackers are using ZIP files with photo themes to deploy a Node.js implant, compromising machines at the front desk of hospitality establishments.
Tactics and Techniques
The campaign has not been linked to any known threat actors, and the ultimate motive remains uncertain. The phishing emails mimic hotel operations with a display name of “Booking Manager (via Calendly)” and mention issues like guest complaints and health inspections. The emails, primarily in Japanese, Danish, and Dutch, lack specific recipient names, indicating a broad, list-driven tactic rather than targeted spear phishing.
The attackers employ a sophisticated delivery method, routing emails through Calendly’s notification system and Google’s URL redirect service, a method Microsoft describes as authentication laundering. These emails pass crucial verification checks, appearing legitimate as they are sent through authorized channels.
Technical Details
The attack chain involves a multi-hop link from a Calendly email through Google redirects to a newly registered domain protected by Cloudflare. The final payload is a ZIP file, seemingly containing images, but in reality, a shortcut that activates a PowerShell script. This script decodes a concealed download URL, fetching a Node.js runtime and executing a JavaScript implant.
The malware, identified as TonRAT, communicates with its control servers via the TON blockchain API and uses encrypted WebSockets, complicating static blocklist defenses. The implant sends signals to specific IP addresses over uncommon ports, and some systems show signs of headless browser automation and forced shutdown commands.
Impact and Mitigation
While no data theft or ransomware incidents have been confirmed by Microsoft, the persistent access provided by the implant is concerning. Remediation requires addressing both the RunOnce entry in ProgramData and the Node.js Run key, as well as removing runtime files under AppData\Local\Nodejs to ensure complete removal.
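One way to triage a front-desk machine for the persistence artefacts named above, as an added example that is not part of Microsoft's report: it assumes the RunOnce entry references a file under ProgramData, that the autorun keys are the standard Run/RunOnce locations, and that runtime files sit in each profile's AppData\Local\Nodejs (the regex and paths are assumptions; run it elevated so HKLM is readable).

```powershell
# Added triage example (not from the original report). Hunts for the
# persistence locations the article names: a RunOnce entry pointing into
# ProgramData, a Run key launching Node.js, and a runtime folder under
# AppData\Local\Nodejs. Key names, paths and the pattern are assumptions.
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Values that reference node.exe, ProgramData, or the assumed runtime folder.
$suspicious = '(?i)\bnode(\.exe)?\b|\\ProgramData\\|\\AppData\\Local\\Nodejs\\'

$findings = foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip PowerShell's own metadata properties (PSPath, PSParentPath, ...).
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match $suspicious) {
            [pscustomobject]@{
                Location = $key
                Name     = $p.Name
                Command  = $p.Value
            }
        }
    }
}

# Runtime drop location: check every local profile, not only the current user.
$nodeDirs = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Nodejs' } |
    Where-Object { Test-Path $_ }

if ($findings) { $findings | Format-Table -AutoSize } else { 'No matching autorun entries.' }
if ($nodeDirs) {
    'Node.js runtime folders found:'
    $nodeDirs
    # Remove the autorun entries first, then the runtime folder, so the
    # RunOnce entry cannot relaunch the implant at the next sign-in.
    # Review the list before dropping -WhatIf:
    # $nodeDirs | Remove-Item -Recurse -Force -WhatIf
}
```

A host with a legitimately installed Node.js will also match, so treat hits as leads to review against the autorun command line and file timestamps rather than as confirmation on their own.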
Previous reports from SOC Prime and ITOCHU have documented similar phishing tactics within the hotel industry. This campaign follows a pattern of booking-themed phishing attempts targeting hotel personnel, a tactic seen in past ClickFix campaigns aimed at stealing Booking.com credentials.
The unresolved question is the attackers’ ultimate goal. With durable access and a challenging cleanup process, the situation demands serious attention from affected organizations.
