threat-wire

Photo ZIP Phishing Campaign Hits Hotels in Europe and Asia

Since April, hotels across Europe and Asia have been receiving phishing emails posing as angry guests, complete with a ZIP file that claims to hold photos of the problem. Open it, and a hidden implant sets up shop for the long haul rather than cashing out immediately.

By SecureBusinessHub Editorial, International cybersecurity desk · 5 min read

Front-desk staff at hotels field guest complaints all day. That routine is exactly what a phishing campaign running since at least April has been exploiting.

April: the first sightings

Microsoft began tracking a campaign against hospitality organizations across Europe and Asia built around fake guest complaints: bedbug reports, health inspection notices, reservation disputes. Anything that would make a front-desk or reservations employee feel obligated to open an attachment fast.

The trick: authentication laundering

The phishing emails route through legitimate services, Calendly's email notification system and Google's URL redirect service among them, so the message arrives with sender authentication (SPF, DKIM and DMARC) that genuinely passes: the sending infrastructure and the link's first hop really do belong to those services, and there is no forged header for a filter to catch. Microsoft calls this authentication laundering: borrow a trusted service's clean reputation and valid authentication to get a malicious message past filters built to catch forged senders.

Click through, and the victim downloads a ZIP file containing what looks like a photo but is actually a Windows shortcut (.lnk) file. Double-clicking it kicks off an obfuscated PowerShell chain that quietly downloads a genuine Node.js runtime from nodejs.org, then uses it to run a JavaScript implant. Because the runtime is an unmodified, legitimately distributed binary, the malicious logic lives entirely in the script it executes, which is what lets the chain slip past checks keyed on known-bad executables. That implant sets up multiple registry-based persistence mechanisms and opens an encrypted channel back to attacker infrastructure.
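The delivery stage above hinges on a shortcut file hiding inside an archive that is named and pitched as photos, and that can be caught at the mail gateway or on an analyst's desk before anyone double-clicks. The following Python is an added example, not code from the Microsoft or Trend Micro reports: it builds a constructed archive in memory (the member names and padding are invented for the illustration) and flags members that carry the Windows Shell Link header, end in .lnk, or claim an image extension whose leading bytes do not match.

```python
"""Flag Windows shortcut files riding inside a 'photos' ZIP attachment.

Added example with a constructed archive; nothing here is a real sample.
"""
import io
import zipfile
from typing import NamedTuple

# Every Shell Link (.lnk) file begins with HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Bytes a file must start with to really be the image its extension claims.
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


class Finding(NamedTuple):
    entry: str
    reason: str


def inspect_zip(data: bytes) -> list[Finding]:
    """Return one Finding per suspicious member; an empty list means nothing was flagged."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            ext = base.rsplit(".", 1)[-1] if "." in base else ""
            with zf.open(info) as fh:
                head = fh.read(32)  # enough bytes for every magic value checked below
            if head.startswith(LNK_MAGIC):
                # Content first: a shortcut renamed to .jpg still carries this header.
                findings.append(Finding(info.filename, "Windows shortcut (Shell Link header)"))
            elif ext == "lnk":
                findings.append(Finding(info.filename, ".lnk extension"))
            elif ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
                findings.append(Finding(info.filename, f"named .{ext} but bytes are not a {ext.upper()}"))
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed lure archive: two shortcuts (one renamed) among real-looking photos."""
    return build_zip({
        "guest_complaint/room_412_photos.jpg.lnk": LNK_MAGIC + b"\x00" * 200,
        "guest_complaint/IMG_2041.jpg": LNK_MAGIC + b"\x00" * 200,          # shortcut renamed to .jpg
        "guest_complaint/receipt.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 100,  # genuine JPEG header
        "guest_complaint/view.png": b"\x00" * 50,                           # wrong bytes for a PNG
        "guest_complaint/notes.txt": b"see attached photos",
    })


if __name__ == "__main__":
    for f in inspect_zip(build_sample_zip()):
        print(f"FLAG {f.entry}: {f.reason}")
```

The content check runs before the name check on purpose: an attacker who renames the shortcut to IMG_2041.jpg defeats any extension filter, but the 20-byte Shell Link header is fixed by the format and survives the rename.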

May: a parallel campaign in Japan

Trend Micro separately caught a campaign that looked much the same in late May, this one hitting Japanese hotels that partner with Booking.com. The lure and the ZIP-and-shortcut delivery matched Microsoft's findings closely, but the payload differed: a JavaScript remote access trojan the researchers named TonRAT, which receives and executes further commands from its operator. Trend Micro also found evidence of follow-on credential theft after the initial infection, something Microsoft has not confirmed in its own cases.

The blockchain twist

TonRAT doesn't hard-code where its command-and-control server lives. Instead it reads the current address from a smart contract on the TON blockchain, a dead-drop resolver technique that makes the infrastructure very hard to take down. Blocking or seizing one C2 address only buys time: the operator writes a new address into the contract, and every infected machine picks it up on its next lookup. There is no domain to sinkhole and no server to seize, only a contract on a public ledger that the attacker controls. The one fixed point is the lookup itself: to read the contract, the implant still has to reach a TON blockchain API endpoint, and that traffic is where defenders get a foothold.

Are you exposed?

  • Check front-desk and reservations workstations for node.exe running at all. Those machines have no ordinary business reason to execute Node.js, so any instance is worth investigating.
  • Search email logs for messages routed through Calendly notification addresses or Google redirect links (goo.gl or google.com/url) that led to a ZIP attachment claiming to contain guest photos.
  • Look for outbound connections from front-desk or reservations machines to TON blockchain API endpoints, which have no legitimate business use on those systems.
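The three checks above can be run as a single hunt over exported telemetry. The Python below is an added example rather than anything from the Microsoft or Trend Micro reports: the process, mail and proxy records are constructed here, the host role labels are assumed to come from your asset inventory, and the indicator lists (the calendly.com sender domain, the goo.gl and google.com/url redirect forms named in the article, and toncenter.com and tonapi.io standing in for TON API endpoints) are assumptions to swap for your own.

```python
"""Hunt for the three exposure signals over exported telemetry (constructed sample data)."""
from typing import NamedTuple
from urllib.parse import urlsplit

# Workstation roles that have no business running Node.js or talking to TON APIs.
WATCHED_ROLES = {"front-desk", "reservations"}

# Indicator lists are assumptions for this example, not taken from the reports.
RELAY_SENDER_DOMAINS = {"calendly.com"}         # assumed notification sender domain
TON_API_HOSTS = {"toncenter.com", "tonapi.io"}  # assumed public TON API hosts


class ProcessEvent(NamedTuple):
    host: str
    role: str
    image: str
    parent: str


class MailEvent(NamedTuple):
    sender: str
    subject: str
    attachments: tuple[str, ...]
    urls: tuple[str, ...]


class ProxyEvent(NamedTuple):
    host: str
    role: str
    dest: str


def _host_of(dest: str) -> str:
    """Hostname of a URL, or the bare host if the log stores only host[:port]."""
    if "://" in dest:
        return (urlsplit(dest).hostname or "").lower()
    return dest.split("/", 1)[0].split(":", 1)[0].lower()


def _in_domains(host: str, domains: set[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def _is_google_redirect(url: str) -> bool:
    """goo.gl short links, or google.com/url?q=... redirects, as named in the article."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host == "goo.gl" or (_in_domains(host, {"google.com"}) and parts.path == "/url")


def hunt(procs, mails, proxies) -> list[tuple[str, str]]:
    """Return (signal, detail) pairs; an empty list means none of the three checks fired."""
    hits: list[tuple[str, str]] = []

    # 1. node.exe on a front-desk or reservations workstation, whatever launched it.
    for e in procs:
        if e.role in WATCHED_ROLES and e.image.lower() == "node.exe":
            hits.append(("node_on_frontdesk", f"{e.host}: node.exe spawned by {e.parent}"))

    # 2. A photo-themed ZIP that arrived via a laundered sender or a Google redirect link.
    for m in mails:
        sender_domain = m.sender.rsplit("@", 1)[-1].lower()
        laundered = _in_domains(sender_domain, RELAY_SENDER_DOMAINS) or any(
            _is_google_redirect(u) for u in m.urls)
        photo_zip = any(
            a.lower().endswith(".zip") and "photo" in (a + " " + m.subject).lower()
            for a in m.attachments)
        if laundered and photo_zip:
            hits.append(("laundered_photo_zip", f"{m.sender}: {m.subject}"))

    # 3. Outbound traffic from those same workstations to a TON API host.
    for p in proxies:
        if p.role in WATCHED_ROLES and _in_domains(_host_of(p.dest), TON_API_HOSTS):
            hits.append(("ton_api_from_frontdesk", f"{p.host} -> {p.dest}"))
    return hits


# Constructed sample telemetry; hostnames, subjects and senders are invented.
SAMPLE_PROCS = [
    ProcessEvent("FD-01", "front-desk", "node.exe", "powershell.exe"),
    ProcessEvent("FD-01", "front-desk", "OUTLOOK.EXE", "explorer.exe"),
    ProcessEvent("DEV-07", "engineering", "node.exe", "Code.exe"),  # developer box: expected
]
SAMPLE_MAILS = [
    MailEvent("notifications@calendly.com", "Complaint: bedbugs in room 412",
              ("room_412_photos.zip",), ()),
    MailEvent("guest@example.com", "Photos of the problem with my stay",
              ("evidence.zip",), ("https://www.google.com/url?q=https://example.net/dl",)),
    MailEvent("notifications@calendly.com", "New event scheduled", (), ()),
    MailEvent("vendor@example.org", "Invoice", ("invoice.pdf",), ()),
]
SAMPLE_PROXIES = [
    ProxyEvent("FD-01", "front-desk", "https://toncenter.com/api/v2/runGetMethod"),
    ProxyEvent("RES-02", "reservations", "https://www.booking.com/hotel/manage"),
    ProxyEvent("DEV-07", "engineering", "tonapi.io:443"),
]

if __name__ == "__main__":
    for signal, detail in hunt(SAMPLE_PROCS, SAMPLE_MAILS, SAMPLE_PROXIES):
        print(f"[{signal}] {detail}")
```

The role filter matters more than it looks: a developer laptop running node.exe or a finance host reaching a crypto API is ordinary, so the same indicators fire only where the article says they have no business being, and the second mail rule deliberately requires both the laundered path and the photo-ZIP lure so ordinary Calendly notifications stay quiet.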

What hotels should do now

Treat any photo-themed ZIP archive as high risk by default, and restrict PowerShell and Node.js execution on front-desk and reservation terminals, since neither has a routine reason to run there; application control (AppLocker or Windows Defender Application Control) enforces that without relying on staff judgement. If your business has no operational need to reach blockchain platforms, block that connectivity outright at the proxy or firewall. TonRAT cannot learn its C2 address without that lookup, so the block stops an infection from phoning home at all, and a blocked lookup attempt from a front-desk machine is itself a signal worth alerting on.